MVSP Self-Assessment
Last updated: April 2026
The Minimum Viable Secure Product (MVSP) checklist is a vendor-neutral baseline created by Google, Salesforce, Okta, and Slack. It defines the minimum acceptable security posture for B2B software.
This is GuideSpend's self-assessment against the MVSP checklist. We publish it to demonstrate transparency about our current security posture and areas of ongoing improvement.
Summary: 15 Pass, 5 Partial, 1 Roadmap.
1. Business controls
| # | Requirement | Status | Notes |
|---|---|---|---|
| 1.1 | Vulnerability reports and security patches | Pass | Reports accepted at security@guidespend.com. Dependencies audited with npm audit; runtime errors monitored in Sentry. |
| 1.2 | Customer testing | Pass | Customers can test their own tenants. No restrictions on security scanning of customer-facing surfaces. |
| 1.3 | Self-assessment | Pass | This document. Updated with each major release. |
| 1.4 | External testing | Roadmap | Planned after compliance platform deployment ($300K ARR trigger). |
| 1.5 | Training | Partial | Security-aware development practices enforced via code review and automated checks. Formal training programme planned. |
| 1.6 | Compliance | Partial | SOC 2-aligned practices in place. Formal SOC 2 Type I audit planned after compliance platform deployment. |
| 1.7 | Incident response | Partial | Error monitoring via Sentry. Formal incident response plan documented internally. Public status page planned. |
| 1.8 | Data handling | Pass | DPA available on request. 90-day retention on cancellation. Full data export at any time. Deletion within 5 business days. |
2. Application design controls
| # | Requirement | Status | Notes |
|---|---|---|---|
| 2.1 | Single sign-on | Partial | Google and Microsoft OAuth supported. SAML SSO on roadmap. |
| 2.2 | HTTPS-only | Pass | All traffic over TLS 1.2+. HTTP redirected to HTTPS. HSTS enabled. |
| 2.3 | Security headers | Pass | CSP, X-Frame-Options, Referrer-Policy, Strict-Transport-Security configured at edge. |
| 2.4 | Password policy | Pass | Managed by Supabase Auth. Minimum length enforced. Bcrypt hashing. |
| 2.5 | Security libraries | Pass | Parameterised queries (pg pool and Prisma). Zod validation on all inputs. No raw SQL concatenation. |
| 2.6 | Dependency management | Pass | Lockfile committed. npm audit run before each release. No known critical CVEs at time of publication. |
| 2.7 | Logging | Pass | Audit log for administrative actions. Sentry for errors. No secrets or PII in logs. |
| 2.8 | Encryption | Pass | TLS in transit. AES-256 at rest (provider-managed). Signed URLs with short TTL for file access. |
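The header configuration claimed under 2.2 and 2.3 can be verified from outside the application. The block below is an added example and not GuideSpend's code: it evaluates a response's headers against the HSTS, CSP, clickjacking and Referrer-Policy expectations and checks that a plain-HTTP request is redirected to https. The sample header sets are constructed, the one-year max-age threshold and the finding names are this example's own assumptions, and the function and variable names are hypothetical.

```javascript
// Added example, not GuideSpend's code. Checks response headers against the
// MVSP 2.2 (HTTPS-only) and 2.3 (security headers) expectations, plus the
// HTTP-to-HTTPS redirect. Header objects use lower-cased names, which is what
// Object.fromEntries(response.headers) yields from Node 18+ fetch().
// The threshold and finding names are this example's assumptions.

const LONG_MAX_AGE = 31536000; // one year in seconds; assumed "long" HSTS max-age

// Parse an HSTS value such as "max-age=63072000; includeSubDomains; preload".
function parseHsts(value) {
  const directives = value.split(';').map((d) => d.trim().toLowerCase());
  const maxAgeDirective = directives.find((d) => d.startsWith('max-age='));
  return {
    maxAge: maxAgeDirective ? Number(maxAgeDirective.slice('max-age='.length)) : NaN,
    includeSubDomains: directives.includes('includesubdomains'),
    preload: directives.includes('preload'),
  };
}

// Return the lower-cased source list of one CSP directive, or null if absent.
function cspDirective(csp, name) {
  for (const part of csp.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length && tokens[0].toLowerCase() === name) {
      return tokens.slice(1).map((t) => t.toLowerCase());
    }
  }
  return null;
}

// Evaluate the headers of an HTTPS response. Returns a list of findings;
// an empty list means every check in this example passed.
function evaluateSecurityHeaders(headers) {
  const h = Object.fromEntries(Object.entries(headers).map(([k, v]) => [k.toLowerCase(), v]));
  const findings = [];

  // 2.2: HSTS present, long max-age, covering subdomains
  const hsts = h['strict-transport-security'];
  if (!hsts) {
    findings.push({ control: '2.2', id: 'hsts-missing' });
  } else {
    const { maxAge, includeSubDomains } = parseHsts(hsts);
    if (!(maxAge >= LONG_MAX_AGE)) findings.push({ control: '2.2', id: 'hsts-short-max-age', maxAge });
    if (!includeSubDomains) findings.push({ control: '2.2', id: 'hsts-no-subdomains' });
  }

  // 2.3: CSP present, and script sources not wide open
  const csp = h['content-security-policy'];
  if (!csp) {
    findings.push({ control: '2.3', id: 'csp-missing' });
  } else {
    const scriptSrc = cspDirective(csp, 'script-src') ?? cspDirective(csp, 'default-src') ?? [];
    if (scriptSrc.includes("'unsafe-inline'") || scriptSrc.includes('*')) {
      findings.push({ control: '2.3', id: 'csp-weak-script-src', scriptSrc });
    }
  }

  // 2.3: clickjacking protection via X-Frame-Options or CSP frame-ancestors
  const xfo = (h['x-frame-options'] || '').trim().toUpperCase();
  const frameAncestors = csp ? cspDirective(csp, 'frame-ancestors') : null;
  if (!['DENY', 'SAMEORIGIN'].includes(xfo) && !frameAncestors) {
    findings.push({ control: '2.3', id: 'clickjacking-unprotected' });
  }

  // 2.3: Referrer-Policy present
  if (!h['referrer-policy']) findings.push({ control: '2.3', id: 'referrer-policy-missing' });

  return findings;
}

// 2.2: the response to a plain-HTTP request must redirect to an https:// URL.
function isHttpsRedirect(status, headers) {
  const location = headers['location'] || headers['Location'] || '';
  return [301, 302, 307, 308].includes(status) && /^https:\/\//i.test(location);
}

// Constructed sample responses (not captured from any real host).
const hardenedHeaders = {
  'strict-transport-security': 'max-age=63072000; includeSubDomains; preload',
  'content-security-policy': "default-src 'self'; script-src 'self'; frame-ancestors 'none'",
  'x-frame-options': 'DENY',
  'referrer-policy': 'strict-origin-when-cross-origin',
};
const weakHeaders = {
  'strict-transport-security': 'max-age=300',
  'content-security-policy': "default-src 'self'; script-src 'self' 'unsafe-inline'",
  'referrer-policy': 'no-referrer',
};

function demo() {
  return {
    hardened: evaluateSecurityHeaders(hardenedHeaders).map((f) => f.id),
    weak: evaluateSecurityHeaders(weakHeaders).map((f) => f.id),
    redirectOk: isHttpsRedirect(308, { location: 'https://app.example.com/' }),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

To run it against a live host with Node 18+, call `fetch(url)` and pass `Object.fromEntries(res.headers)` to `evaluateSecurityHeaders`; for the redirect check, fetch the `http://` URL with `{ redirect: 'manual' }` so the 3xx response is returned rather than followed, and pass its status and headers to `isHttpsRedirect`.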
3. Application implementation controls
| # | Requirement | Status | Notes |
|---|---|---|---|
| 3.1 | List of sensitive data types | Pass | Documented in security whitepaper. Organisation data, user accounts, contracts, audit logs. |
| 3.2 | Data flow diagram | Partial | Architecture documented in whitepaper. Formal data flow diagram planned for SOC 2 readiness. |
| 3.3 | Vulnerability prevention | Pass | Input validation (Zod), parameterised queries (Prisma), CSP headers, row-level security (RLS) policies for tenant isolation. |
| 3.4 | Time to fix vulnerabilities | Pass | Critical: 48 hours. High: 7 days. Medium: 30 days. Low: next release cycle. |
| 3.5 | Build process | Pass | Vercel CI/CD from Git. Lint, type checks, and test suite run as part of the release process. |
About this assessment
This self-assessment is maintained by the GuideSpend engineering team and updated with each major release. It has not been independently verified. For questions or to request additional documentation, contact security@guidespend.com.
Learn more about the MVSP framework at mvsp.dev.