[otterley]

> Tl;dr: we do not and will not sell any personal information.

Ok, you won't sell it; but will you give it to third parties (even without payment) without the consent of the subject beyond the extent required by law?

(BTW, this was the weasel-language used by Facebook. They didn't sell information to Cambridge Analytica, but they conveyed it to them anyway, where it was misused.)

[cosn]

> Ok, you won't sell it; but will you give it to third parties (even without payment) without the consent of the subject beyond the extent required by law?

[I work at Brex, and I’m not a lawyer :)]

Yes, you’re right in that we work with a small number of 3rd party systems which go through a rigorous screening, much of it focused on how they store and secure data. These systems are either for internal monitoring (e.g., system logging), or for running the business (e.g., KYC).

[justincarrao]

[I also work at Brex]

One more thing worth mentioning about 3rd parties: our contracts explicitly do not allow them to use your personal information for their own purposes or for marketing.

[all_blue_chucks]

What is your Infosec budget and how big is your Infosec team?