# Security Whitepaper — SupplierClear

**Version:** 2026-07-01
**Classification:** Public summary for procurement review

## Architecture

- **Web:** Next.js on Vercel (serverless)
- **Database:** PostgreSQL (Neon or Railway) with Prisma ORM
- **Object storage:** AWS S3 with AES-256 or KMS encryption at rest for PDFs and evidence uploads
- **Auth:** JWT session cookies (HS256), magic-link email via Resend
- **Enterprise SSO:** WorkOS (SAML/OIDC)

## Data handling

| Data class | Storage | Encryption |
|------------|---------|------------|
| Draft intake (guest) | Browser IndexedDB | Device-local |
| Paid reports | PostgreSQL + S3 | TLS in transit; SSE at rest |
| Evidence uploads | S3 presigned URLs | SSE at rest; virus scan on confirm |
| Sessions | PostgreSQL | Hashed tokens |

We do not train models on customer uploads.

## Access control

- Role-based org membership (Team+)
- API keys hashed at rest; org-scoped
- Report access: owner, org member, or HMAC guest token
- DPA required before audit export, SIEM, and API keys (enterprise)

## Security controls

- Distributed rate limiting (Upstash Redis) on auth, evaluate, clarity, and API routes
- Webhook signature verification (Stripe, Paystack, RevenueCat)
- Webhook idempotency and production stub guards
- SOC 2 Type I readiness program; annual penetration testing
- Incident response runbook with secret rotation schedule

## Compliance artifacts

Available via [Trust Center](/trust) and `/api/compliance/security-pack`.

**We do not claim:** SOC 2 Type II, FedRAMP, or supplier certification.