GuideSpend Security Whitepaper
Version 1.0 — April 2026
This document provides an overview of GuideSpend's architecture, data handling practices, and access control model. It is intended for IT leads, security reviewers, and procurement teams evaluating GuideSpend.
1. Product overview
GuideSpend is a renewal control platform for finance and IT teams at organisations with 50–500 employees. It tracks software and hardware assets, contract terms, renewal dates, spend exposure, and owner accountability.
The application is a web-based SaaS product. There is no on-premises deployment, no desktop client, and no mobile app. All access occurs through a web browser over HTTPS.
2. Architecture
GuideSpend is built on a modern serverless architecture:
- Application layer: Next.js on Vercel (serverless functions, edge middleware). No long-running servers. Each request is handled by an isolated function invocation.
- Database: PostgreSQL hosted by Supabase. Connection pooling via PgBouncer for serverless runtime compatibility.
- Authentication: Supabase Auth (email/password, Google OAuth, Microsoft OAuth). Sessions are server-side with secure HTTP-only cookies.
- File storage: Supabase Storage for contract attachments. Server-side encryption. Access via short-lived signed URLs.
- Payments: Stripe for billing and subscription management. No card data touches GuideSpend servers.
- Edge protection: Vercel Edge Middleware enforces authentication on all product routes before the request reaches application code.
3. Data handling
3.1 Data at rest
All data is stored in PostgreSQL databases hosted by Supabase. The underlying cloud provider (AWS) encrypts storage volumes with AES-256 encryption. Supabase does not offer customer-managed encryption keys at this time.
3.2 Data in transit
All connections use TLS 1.2 or higher. HTTP requests are redirected to HTTPS. Internal connections between application functions and the database use encrypted connections.
3.3 Data types stored
- Organisation profile (name, billing details)
- User accounts (name, email, role, organisation membership)
- Software and hardware asset records (vendor, cost, renewal dates, owner)
- Contract attachments (PDF files uploaded by users)
- Audit log entries (who did what and when)
GuideSpend does not store: credit card numbers (handled by Stripe), employee personal data beyond name/email, health data, government IDs, or financial transaction records.
3.4 Data retention and deletion
Active accounts retain data indefinitely. On cancellation, data is retained for 90 calendar days to allow export, then permanently deleted. Data deletion requests are honoured within 5 business days.
3.5 Data portability
Full CSV export of all organisation data (assets, vendors, renewal records) is available at any time, on any plan. This is a trust signal — customers are never locked in.
4. Access control model
4.1 Tenant isolation
Every organisation's data is isolated using PostgreSQL Row-Level Security (RLS) policies. All database queries are automatically scoped to the authenticated user's organisation. This isolation is enforced at the database level — not in application code alone — providing defence in depth against cross-tenant data access.
4.2 Role-based access control
Two membership roles govern access:
- Org Admin: Organisation settings, team management, billing, export controls, data governance.
- Org Member: Asset management, vendor records, renewals, and reporting within their permitted scope (department and location).
4.3 Authentication
- Email/password with secure session management
- Google OAuth (OpenID Connect)
- Microsoft OAuth (OpenID Connect)
- SAML SSO: on roadmap
All sessions use secure, HTTP-only cookies. Organisation, role, and access scope are derived server-side from the authenticated session — never from client-supplied values.
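The isolation model described in sections 4.1 to 4.3 (tenant scope enforced by Row-Level Security, two membership roles, and scope derived from the server-side session rather than from client input) can be stated concretely in plain PostgreSQL. The block below is an added illustration written for this page; it is not GuideSpend's schema or policies. The table, column, role and setting names (organisations, memberships, assets, app_user, app.user_id) are assumptions, and the sample rows are constructed. It assumes PostgreSQL 13 or later and that the script is run by a superuser or table owner who is allowed to SET ROLE.

```sql
-- Added example, not GuideSpend's code. Names are assumptions.
create table organisations (
  id   uuid primary key,
  name text not null
);

create table memberships (
  user_id uuid not null,
  org_id  uuid not null references organisations(id),
  role    text not null check (role in ('admin', 'member')),
  primary key (user_id, org_id)
);

create table assets (
  id           uuid primary key default gen_random_uuid(),
  org_id       uuid not null references organisations(id),
  vendor       text not null,
  renewal_date date,
  owner        text
);

-- The caller's identity is set by the request handler from the verified
-- session cookie. app.user_id is an assumed setting name; Supabase exposes
-- the same idea as auth.uid(). Nothing else about scope comes from the client.
create or replace function current_user_id() returns uuid
language sql stable as $$
  select nullif(current_setting('app.user_id', true), '')::uuid
$$;

-- Least-privilege role the application connects as: it may read and write
-- rows, but RLS decides which rows.
create role app_user nologin;
grant usage on schema public to app_user;
grant select on memberships to app_user;
grant select, insert, update, delete on assets to app_user;

alter table memberships enable row level security;
alter table assets enable row level security;
alter table assets force row level security;  -- bind the table owner as well

-- A user can only see their own membership rows.
create policy memberships_self on memberships
  for select using (user_id = current_user_id());

-- Members read and write assets only inside organisations they belong to.
create policy assets_member_select on assets for select
  using (org_id in (select org_id from memberships where user_id = current_user_id()));
create policy assets_member_insert on assets for insert
  with check (org_id in (select org_id from memberships where user_id = current_user_id()));
create policy assets_member_update on assets for update
  using (org_id in (select org_id from memberships where user_id = current_user_id()))
  with check (org_id in (select org_id from memberships where user_id = current_user_id()));

-- Only an Org Admin may delete. Policies are permissive (OR-ed), so the
-- narrower rule has to be its own DELETE policy rather than a clause above.
create policy assets_admin_delete on assets for delete
  using (org_id in (select org_id from memberships
                    where user_id = current_user_id() and role = 'admin'));

-- Constructed sample data: two tenants, one user in each.
insert into organisations values
  ('00000000-0000-0000-0000-000000000001', 'Acme Ltd'),
  ('00000000-0000-0000-0000-000000000002', 'Globex plc');
insert into memberships values
  ('aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa', '00000000-0000-0000-0000-000000000001', 'admin'),
  ('bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb', '00000000-0000-0000-0000-000000000002', 'member');
insert into assets (org_id, vendor, renewal_date, owner) values
  ('00000000-0000-0000-0000-000000000001', 'Jira',  '2026-09-30', 'it-lead'),
  ('00000000-0000-0000-0000-000000000002', 'Slack', '2026-07-01', 'finance');

-- Check: act as Globex's member, exactly as a request handler would.
set role app_user;
select set_config('app.user_id', 'bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb', false);

-- Returns one row (Slack). Acme's row is invisible even with no WHERE clause,
-- so a forgotten filter in application code cannot leak it.
select vendor from assets;

-- A write that names another tenant's org_id is refused by the database:
-- ERROR:  new row violates row-level security policy for table "assets"
insert into assets (org_id, vendor) values ('00000000-0000-0000-0000-000000000001', 'Smuggled');

-- A member (not admin) cannot delete: RLS filters the row out, 0 rows affected.
delete from assets where vendor = 'Slack';

reset role;
```

Two details matter when reviewing a setup like this. FORCE ROW LEVEL SECURITY is what makes the policy apply to the table owner too; without it, any connection that happens to own the table bypasses every policy. And because PostgreSQL policies are permissive by default, a role restriction such as "admins only" must be expressed as a separate policy for that command, not as an extra condition inside a broader one.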
4.4 Audit logging
Administrative and governance actions are logged with timestamps, actor identity, and action category. Audit logs are recorded for all plans. Extended governance controls, including export activity logs and export permissions, are available on Business plans and above.
5. Operational security
- Secrets management: All credentials are stored as environment variables in Vercel and Supabase, never in source code. Separate credentials per environment (development, preview, production).
- Dependency management: Dependencies are locked and audited. No known critical or high CVEs at time of publication.
- Error monitoring: Sentry for application error tracking. No personally identifiable information is collected in error reports.
- Security headers: Content Security Policy, X-Frame-Options, Referrer-Policy, and Strict-Transport-Security are configured at the edge.
6. Compliance posture
GuideSpend follows SOC 2-aligned security practices including encrypted transport, org-level data isolation, and role-based access control. We do not currently hold a SOC 2 certification.
Our infrastructure providers maintain their own certifications: Vercel (SOC 2 Type II), Supabase (SOC 2 Type II), Stripe (PCI DSS Level 1). These certifications apply to their infrastructure, not to GuideSpend as an application.
Our SOC 2 roadmap, MVSP self-assessment, and cloud compliance inheritance documentation are published on our trust center.
7. Questions and contact
For security questions, DPA requests, or to schedule a call with our technical team, contact security@guidespend.com.
Additional resources: