Cloud Compliance Inheritance
Last updated: April 2026
GuideSpend runs on infrastructure from providers who maintain their own independent compliance certifications. This document explains the shared responsibility model: what our providers secure, what we secure, and why the distinction matters.
Shared responsibility model
Cloud compliance inheritance means that certain security controls — physical security, network isolation, encryption infrastructure — are handled by our providers and covered under their certifications. GuideSpend inherits these controls but does not claim the certifications as its own.
GuideSpend is responsible for: application logic, access control, data model, input validation, secrets management, and ensuring our configuration of provider services meets security standards.
Vercel
Application hosting and edge network
They secure
- Physical infrastructure and network security
- DDoS protection and edge caching
- TLS termination and certificate management
- Serverless function isolation
- Build pipeline and deployment infrastructure
GuideSpend secures
- Application code and business logic
- Authentication and authorisation checks
- Input validation and output encoding
- Security headers configuration
- Environment variable management
Supabase
Database, authentication, and file storage
They secure
- PostgreSQL hosting and automatic backups
- Encryption at rest (AES-256, provider-managed keys)
- Connection encryption (TLS)
- Auth infrastructure and session management
- Storage bucket encryption and access control
GuideSpend secures
- Row-Level Security (RLS) policy definitions
- Database schema and migration management
- Auth configuration (providers, flows, session settings)
- Application-level access control logic
- Storage bucket policies and signed URL management
Stripe
Payment processing and billing
They secure
- Credit card number storage and processing
- Payment tokenisation
- Fraud detection
- PCI compliance for cardholder data
GuideSpend secures
- Subscription and plan management logic
- Webhook verification and idempotent processing
- Billing page UI (no card data on our servers)
- Entitlement enforcement based on plan tier
Sentry
Error monitoring
They secure
- Error event ingestion and storage
- Alert delivery infrastructure
GuideSpend secures
- Configuring Sentry to exclude PII from error reports
- Ensuring no secrets are captured in stack traces
SendGrid (Twilio)
Transactional email delivery
They secure
- Email delivery infrastructure and IP reputation
- API authentication and TLS transport
GuideSpend secures
- Separating production and non-production API keys
- Ensuring no sensitive org data is included in email bodies
- Enforcing a non-production allowlist to prevent accidental sends
Upstash
Rate limiting and background job scheduling
They secure
- Redis data store encryption and availability
- QStash message queue delivery and signing
GuideSpend secures
- Verifying QStash request signatures before processing jobs
- Scoping rate limit keys to prevent cross-tenant interference
What this means for your evaluation
When evaluating GuideSpend's security posture, consider that:
- Physical infrastructure, network security, and encryption infrastructure are secured by SOC 2 Type II-certified providers.
- GuideSpend's application-layer controls (RLS, RBAC, input validation, audit logging) are documented in our security whitepaper and assessed in our MVSP self-assessment.
- Provider certifications apply to provider infrastructure. GuideSpend does not claim these certifications as its own.
Questions
For questions about our compliance posture or to request provider compliance reports (available under NDA from each provider), contact security@guidespend.com.