Security at GuideSpend
Last reviewed: 2 April 2026
GuideSpend follows SOC 2-aligned security practices including encrypted transport, org-level data isolation, and role-based access control. This page describes our current security posture, the infrastructure we rely on, and our compliance roadmap.
1. Encryption
- In transit: All connections use TLS 1.2 or higher. No unencrypted HTTP traffic is accepted.
- At rest: Data is stored in PostgreSQL databases hosted by Supabase, which provides AES-256 encryption at rest through the underlying cloud provider.
- Attachments: Contract attachments are stored in Supabase Storage with server-side encryption. Access requires authenticated, org-scoped signed URLs with short-lived expiry.
2. Organisation-level data isolation
Every organisation's data is isolated at the database level using PostgreSQL Row-Level Security (RLS) policies. Queries are automatically scoped to the authenticated user's organisation. No user can access, query, or export data belonging to another organisation.
All API requests are validated server-side. Organisation, role, and access scope are derived from the authenticated session — never from client-supplied identifiers.
3. Role-based access control
GuideSpend uses role-based access control with two membership roles and three effective permission levels:
- Org Admin: Full access to organisation settings, team management, billing, exports, and data governance controls.
- Org Member: Access to assets, vendors, renewals, and reporting within their permitted department and location scope.
Administrative actions — team invites, export permission changes, and billing updates — require the Org Admin role and are logged in the audit trail.
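As an added illustration of the isolation model described in sections 2 and 3 (constructed example, not GuideSpend's actual schema or policies), the following PostgreSQL RLS setup derives the organisation scope from the session rather than from a client-supplied org id, and gates membership changes on the Org Admin role. The table names, the helper functions and the use of Supabase's `auth.uid()` are assumptions.

```sql
-- Constructed schema for illustration only (not GuideSpend's real tables).
create table org_memberships (
  user_id uuid not null,
  org_id  uuid not null,
  role    text not null check (role in ('org_admin', 'org_member')),
  primary key (user_id, org_id)
);

create table vendors (
  id     uuid primary key default gen_random_uuid(),
  org_id uuid not null,
  name   text not null
);

-- Organisations the calling user belongs to, derived from the session
-- (auth.uid() is Supabase's session-user function), never from a client id.
-- SECURITY DEFINER lets the helper read org_memberships without recursing
-- into that table's own policies; leave FORCE RLS off there for that reason.
create or replace function current_org_ids() returns setof uuid
language sql stable security definer set search_path = public as $$
  select org_id from org_memberships where user_id = auth.uid();
$$;

create or replace function is_org_admin(target_org uuid) returns boolean
language sql stable security definer set search_path = public as $$
  select exists (
    select 1 from org_memberships
    where user_id = auth.uid() and org_id = target_org and role = 'org_admin'
  );
$$;

alter table vendors enable row level security;
alter table vendors force row level security;  -- applies to the table owner too

-- USING filters every read/update/delete to the caller's organisation(s);
-- WITH CHECK rejects an insert/update that re-tags a row with a foreign org_id.
create policy vendors_org_scope on vendors
  for all using (org_id in (select current_org_ids()))
  with check (org_id in (select current_org_ids()));

-- Members can see their organisation's roster; only Org Admins may change it.
alter table org_memberships enable row level security;
create policy memberships_select on org_memberships
  for select using (org_id in (select current_org_ids()));
create policy memberships_admin_write on org_memberships
  for all using (is_org_admin(org_id)) with check (is_org_admin(org_id));
```

With these policies in place, a query that omits an org filter still returns only the caller's rows, so a missing filter in application code degrades to an empty result rather than a cross-organisation leak.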
4. Authentication
Authentication is handled by Supabase Auth with support for email/password and OAuth providers (Google and Microsoft). Sessions are managed server-side with secure, HTTP-only cookies. All product routes are protected at the edge — no authenticated page or API endpoint is accessible without a valid session.
SAML-based single sign-on (SSO) is on our roadmap for organisations that require it.
5. Cloud compliance inheritance
GuideSpend runs on infrastructure provided by vendors who maintain their own independent compliance certifications:
- Vercel (application hosting) — SOC 2 Type II certified
- Supabase (database and authentication) — SOC 2 Type II certified
- Stripe (payment processing) — PCI DSS Level 1 certified
While GuideSpend inherits security controls from these providers, their certifications apply to their infrastructure — not to GuideSpend as an application. We document this distinction clearly.
6. SOC 2 roadmap
GuideSpend does not currently hold a SOC 2 certification. We are transparent about where we are and where we are heading:
- Current: SOC 2-aligned security practices, trust center documentation, and MVSP self-assessment completed.
- Next: Compliance platform deployment and automated evidence collection.
- Target: SOC 2 Type I audit, followed by Type II observation period.
We will update this page as our compliance posture progresses. We do not publish unsupported compliance badges or imply certifications that do not exist.
7. Data portability and deletion
- Export: Full CSV export of all your organisation's data is available at any time, on any plan.
- Deletion: Data deletion requests are accepted via account settings or by emailing support@guidespend.com. We respond within 5 business days.
- Cancellation: On cancellation, data is retained for 90 calendar days (during which you can export), then permanently deleted. See our cancellation policy.
8. Data processing and GDPR
A Data Processing Agreement (DPA) with Standard Contractual Clauses is available on request. Contact legal@guidespend.com to request a copy.
GuideSpend supports data subject access requests and right to erasure in accordance with GDPR requirements. Our privacy policy describes our data handling practices in detail.
9. Subprocessors
GuideSpend uses the following subprocessors to deliver the service:
| Provider | Purpose | Location |
|---|---|---|
| Supabase | Database, authentication, file storage | United States |
| Vercel | Application hosting and edge network | United States |
| Stripe | Payment processing and billing | United States |
| Sentry | Error monitoring (no PII collected) | United States |
| SendGrid | Transactional email (renewal reminders) | United States |
| Upstash | Background job scheduling and rate limiting | United States |
We will notify customers of material changes to this list with at least 30 days' notice.
10. Common security questions
Answers to the questions most frequently asked during IT and security review:
Where is data stored?
In PostgreSQL databases hosted by Supabase, with provider-supported AES-256 encryption at rest. Infrastructure is hosted in the United States.
Is data encrypted in transit?
Yes. All connections use TLS 1.2 or higher. No unencrypted HTTP traffic is accepted.
Who can access our data?
Only authenticated members of your organisation. Data is isolated at the database level using Row-Level Security. No user can access another organisation's data.
Can we export our data?
Yes. Full CSV export of all assets, vendors, and renewal data is available at any time, on any plan.
Can we delete our data?
Yes. Submit a deletion request via account settings or email support@guidespend.com. We respond within 5 business days.
Do you have SOC 2?
GuideSpend follows SOC 2-aligned security practices including encrypted transport, org-level data isolation, and role-based access control. Our SOC 2 roadmap is published above. We do not currently hold a SOC 2 certification.
Do you support SSO?
Google and Microsoft OAuth are supported for authentication. SAML-based SSO is on our roadmap for organisations that require it.
What happens if we cancel?
Data is retained for 90 calendar days, during which you can export everything. After 90 days, data is permanently deleted.
11. Security documentation
We publish detailed security documentation for IT leads and procurement teams:
- Security whitepaper — architecture overview, data handling, access control model
- MVSP self-assessment — Minimum Viable Secure Product checklist (framework by Google, Salesforce, Okta, and Slack)
- Cloud compliance inheritance — shared responsibility model with our infrastructure providers
To report a security concern or request a DPA, contact security@guidespend.com.