# Security Whitepaper — SupplierClear
**Version:** 2026-07-01
**Classification:** Public summary for procurement review
## Architecture
- **Web:** Next.js on Vercel (serverless)
- **Database:** PostgreSQL (Neon or Railway) with Prisma ORM
- **Object storage:** AWS S3 with server-side encryption at rest (SSE-S3 AES-256 or SSE-KMS) for PDFs and evidence uploads
- **Auth:** JWT session cookies (HS256, signed with a server-held secret); magic-link sign-in email via Resend
- **Enterprise SSO:** WorkOS (SAML/OIDC)
## Data handling
| Data class | Storage | Protection |
|------------|---------|------------|
| Draft intake (guest) | Browser IndexedDB | Device-local only; not stored server-side |
| Paid reports | PostgreSQL + S3 | TLS in transit; server-side encryption at rest |
| Evidence uploads | S3 via presigned URLs | Server-side encryption at rest; malware scan when the upload is confirmed |
| Sessions | PostgreSQL | Tokens stored as hashes, never in plaintext |
We do not train models on customer uploads.
## Access control
- Role-based organisation membership (Team plan and above)
- API keys stored only as hashes; each key is scoped to a single org
- Report access requires the report owner, a member of the owning org, or a valid HMAC-signed guest token
- A signed DPA is required before enterprise audit export, SIEM integration, or API keys are enabled
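The two token mechanisms in this list, hashed org-scoped API keys and HMAC guest tokens, as an added TypeScript example. This is illustrative code written for this page, not SupplierClear's implementation; the `sc_live_` key prefix, the `reportId.expiry.signature` token layout, the in-memory stores and the locally generated secret are all assumptions.

```typescript
import { createHash, createHmac, randomBytes, timingSafeEqual } from "node:crypto";

// ---- Org-scoped API keys, persisted only as hashes -------------------------

interface ApiKeyRecord {
  keyHash: string; // hex SHA-256 of the full secret; plaintext is shown once and never stored
  orgId: string;   // each key belongs to exactly one org
  prefix: string;  // short non-secret prefix kept for display in a dashboard
}

// Assumption: a Map stands in for the PostgreSQL api_keys table, indexed by key hash.
const apiKeyStore = new Map<string, ApiKeyRecord>();

function hashApiKey(secret: string): string {
  // Plain SHA-256 is adequate here: the secret carries 192 bits of entropy,
  // so a leaked hash gives an attacker nothing to brute-force.
  return createHash("sha256").update(secret).digest("hex");
}

// Returns the plaintext key exactly once; only its hash reaches storage.
function issueApiKey(orgId: string): string {
  const secret = "sc_live_" + randomBytes(24).toString("base64url"); // prefix is an assumption
  const keyHash = hashApiKey(secret);
  apiKeyStore.set(keyHash, { keyHash, orgId, prefix: secret.slice(0, 16) });
  return secret;
}

// A key authorizes requests only against the org it was issued for.
function authorizeApiKey(presented: string, targetOrgId: string): boolean {
  const record = apiKeyStore.get(hashApiKey(presented));
  if (!record) return false;           // unknown, mistyped, or revoked (deleted) key
  return record.orgId === targetOrgId; // a leaked key cannot reach another org's reports
}

// ---- HMAC guest tokens for sharing a single report -------------------------

// Assumption: in production this comes from an environment variable; generated here so the example runs offline.
const GUEST_TOKEN_SECRET = randomBytes(32);
const ID_PATTERN = /^[A-Za-z0-9_-]+$/; // report ids must not contain the "." separator

function nowUnix(): number {
  return Math.floor(Date.now() / 1000);
}

// Token layout: <reportId>.<expiresAtUnix>.<base64url HMAC-SHA256 over "reportId.expiresAt">
function mintGuestToken(reportId: string, ttlSeconds: number, now: number = nowUnix()): string {
  if (!ID_PATTERN.test(reportId)) throw new Error("invalid report id");
  const body = `${reportId}.${now + ttlSeconds}`;
  const sig = createHmac("sha256", GUEST_TOKEN_SECRET).update(body).digest("base64url");
  return `${body}.${sig}`;
}

// Accepts only an unexpired token whose signature covers this exact report id.
function verifyGuestToken(token: string, reportId: string, now: number = nowUnix()): boolean {
  const parts = token.split(".");
  if (parts.length !== 3) return false;
  const [tokReportId, expStr, sig] = parts;
  if (tokReportId !== reportId) return false;            // token is bound to one report
  const exp = Number(expStr);
  if (!/^\d+$/.test(expStr) || exp <= now) return false; // malformed or expired
  const expected = createHmac("sha256", GUEST_TOKEN_SECRET).update(`${tokReportId}.${expStr}`).digest();
  const given = Buffer.from(sig, "base64url");
  // Length check first: timingSafeEqual throws on mismatched lengths.
  return given.length === expected.length && timingSafeEqual(given, expected);
}

// Demo run
const demoKey = issueApiKey("org_demo");
console.log("key authorizes own org:", authorizeApiKey(demoKey, "org_demo"));
console.log("key authorizes other org:", authorizeApiKey(demoKey, "org_other"));
const demoToken = mintGuestToken("rpt_demo", 3600);
console.log("guest token valid now:", verifyGuestToken(demoToken, "rpt_demo"));
console.log("guest token for wrong report:", verifyGuestToken(demoToken, "rpt_other"));
```

The two checks a reviewer should look for are that the expiry is inside the signed body (so it cannot be extended by editing the token) and that the signature comparison is constant-time; a plain `===` on the signature string would leak byte-by-byte timing.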
## Security controls
- Distributed rate limiting (Upstash Redis) on the auth, evaluate, clarity, and API routes
- Webhook signature verification for Stripe, Paystack, and RevenueCat
- Webhook idempotency (retried deliveries of the same event are applied once) and production guards against stubbed test handlers
- SOC 2 Type I readiness program; annual penetration testing
- Incident response runbook, including a secret rotation schedule
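Webhook signature verification and idempotency together, as an added TypeScript example rather than code from the product. It models the `t=<timestamp>,v1=<hex>` header layout that Stripe documents; Paystack and RevenueCat use their own header formats, which are not shown. The secret, the 300-second tolerance window, the event shape and the in-memory processed-event store are assumptions.

```typescript
import { createHmac, timingSafeEqual } from "node:crypto";

// How far the signed timestamp may drift from "now" before the delivery is treated as a replay.
const TOLERANCE_SECONDS = 300;

// Parses "t=<unix>,v1=<hex>[,v1=<hex>...]" (the header layout Stripe documents).
function parseSignatureHeader(header: string): { t: number; v1: string[] } | null {
  let t: number | null = null;
  const v1: string[] = [];
  for (const part of header.split(",")) {
    const eq = part.indexOf("=");
    if (eq < 0) return null;
    const key = part.slice(0, eq).trim();
    const value = part.slice(eq + 1).trim();
    if (key === "t") {
      if (!/^\d+$/.test(value)) return null;
      t = Number(value);
    } else if (key === "v1") {
      v1.push(value);
    }
    // Other scheme names are ignored rather than trusted.
  }
  return t === null || v1.length === 0 ? null : { t, v1 };
}

// Signed payload is "<t>.<raw body>". The raw bytes as received must be used; re-serialized JSON will not match.
function computeSignature(rawBody: string, secret: string, t: number): Buffer {
  return createHmac("sha256", secret).update(`${t}.${rawBody}`).digest();
}

// Producer side, used here only to construct deliveries for the demo and tests.
function signWebhook(rawBody: string, secret: string, t: number): string {
  return `t=${t},v1=${computeSignature(rawBody, secret, t).toString("hex")}`;
}

function verifyWebhookSignature(rawBody: string, header: string, secret: string, now: number): boolean {
  const parsed = parseSignatureHeader(header);
  if (!parsed) return false;
  if (Math.abs(now - parsed.t) > TOLERANCE_SECONDS) return false; // stale or far-future timestamp
  const expected = computeSignature(rawBody, secret, parsed.t);
  // Several v1 values appear during secret rotation; any one matching is sufficient.
  return parsed.v1.some((hex) => {
    const given = Buffer.from(hex, "hex"); // non-hex input decodes short and fails the length check
    return given.length === expected.length && timingSafeEqual(given, expected);
  });
}

// Assumption: a Set stands in for a uniquely-constrained processed_events table.
// In production the check-and-insert must be atomic (unique constraint or SETNX),
// or two concurrent retries could both pass the "has" check.
const processedEventIds = new Set<string>();

type WebhookOutcome = "processed" | "duplicate" | "rejected";

function parseEvent(rawBody: string): { id: string; type: string } | null {
  try {
    const parsed: unknown = JSON.parse(rawBody);
    if (typeof parsed !== "object" || parsed === null) return null;
    const obj = parsed as Record<string, unknown>;
    if (typeof obj.id !== "string" || typeof obj.type !== "string") return null;
    return { id: obj.id, type: obj.type };
  } catch {
    return null;
  }
}

function handleWebhook(rawBody: string, header: string, secret: string, now: number): WebhookOutcome {
  // 1. Authenticate before parsing: unsigned bodies never reach JSON.parse or business logic.
  if (!verifyWebhookSignature(rawBody, header, secret, now)) return "rejected";
  const event = parseEvent(rawBody);
  if (!event) return "rejected";
  // 2. Idempotency: providers retry until they see a 2xx, so the same event arrives more than once.
  if (processedEventIds.has(event.id)) return "duplicate"; // acknowledge again, apply nothing
  processedEventIds.add(event.id);
  // 3. Side effects (grant access to the paid report, etc.) go here, exactly once per event id.
  return "processed";
}

// Demo run with a constructed event and a constructed secret
const DEMO_SECRET = "whsec_example_only";
const demoBody = JSON.stringify({ id: "evt_demo_1", type: "checkout.session.completed" });
const demoHeader = signWebhook(demoBody, DEMO_SECRET, 1_700_000_000);
console.log(handleWebhook(demoBody, demoHeader, DEMO_SECRET, 1_700_000_005)); // processed
console.log(handleWebhook(demoBody, demoHeader, DEMO_SECRET, 1_700_000_006)); // duplicate
console.log(handleWebhook(demoBody, demoHeader, DEMO_SECRET, 1_700_000_999)); // rejected (outside tolerance)
```

In a Next.js route handler the body must be read as raw text before any JSON parsing, since the signature covers the exact bytes the provider sent. The order of checks matters too: signature first, then parse, then the idempotency lookup, so an unauthenticated caller can neither trigger parsing nor probe which event ids have already been seen.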
## Compliance artifacts
Available via [Trust Center](/trust) and `/api/compliance/security-pack`.
**We do not claim:** SOC 2 Type II, FedRAMP, or supplier certification.