When you use SpendVault, you are trusting us with your supplier list, your purchase history, your staff details and your spend data. That is a significant amount of sensitive business information - and we are not going to pretend otherwise. This page explains exactly what we do to protect it.
If you only read one section on this page, read this one. SpendVault is designed so that clients are separated from one another, access is controlled tightly, important actions are logged, and the platform runs on infrastructure built for secure cloud software delivery.
We do not claim that software alone can remove all risk. Internal misuse, weak client-side access control, careless sharing of email accounts, or poor approval discipline can still create exposure.
What SpendVault does is put proper controls in place: role boundaries, OTP gates, traceable records, and infrastructure choices that are appropriate for a business-grade procurement platform.
Your workspace is separated from every other client at the database level. Row-level security enforced in Postgres means no query - from any source - can return another organisation's records. This is not a setting that can be accidentally toggled off.
SpendVault does not store passwords. Access is via a time-limited magic link sent to your email - a cryptographically random token that expires after 24 hours and can only be used once. There is no password to phish, reuse or brute-force.
Every user can enable TOTP two-factor authentication from their account settings. Once active, a 6-digit code from an authenticator app is required on every login - even after a valid magic link is used. No code, no access.
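An added sketch of the login sequence the two paragraphs above describe (random single-use link token, 24-hour expiry, then a TOTP gate). It is not SpendVault's code: the in-memory store, the function names, storing only a hash of the token, and the RFC 6238 defaults (HMAC-SHA1, 30-second step) are assumptions.

```python
import base64, hashlib, hmac, secrets, struct, time

LINK_TTL = 24 * 3600   # 24-hour expiry, as stated on the page
_links = {}            # sha256(token) -> [email, expires_at, used]; stands in for a DB table

def issue_magic_link(email, now=None):
    """Create a random single-use token; only its hash is kept server-side (assumption)."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)               # 256 bits from the OS CSPRNG
    digest = hashlib.sha256(token.encode()).hexdigest()
    _links[digest] = [email, now + LINK_TTL, False]
    return token                                    # value placed in the emailed URL

def totp(secret_b32, at, step=30, digits=6):
    """RFC 6238 TOTP with HMAC-SHA1 and RFC 4226 dynamic truncation."""
    key = base64.b32decode(secret_b32)
    mac = hmac.new(key, struct.pack(">Q", int(at) // step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def login(token, code=None, totp_secret=None, now=None):
    """Return the account email on success, None on any failure."""
    now = time.time() if now is None else now
    digest = hashlib.sha256(token.encode()).hexdigest()
    record = _links.get(digest)
    if record is None or record[2] or now > record[1]:
        return None                                 # unknown, already used, or expired
    if totp_secret is not None:                     # user has enabled two-factor
        expected = totp(totp_secret, now)
        if code is None or not hmac.compare_digest(code.encode(), expected.encode()):
            return None                             # valid link but no valid code: no access
        # A production service would also rate-limit failed codes; omitted here.
    record[2] = True                                # burn the token so it cannot be replayed
    return record[0]
```
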
All data is encrypted in transit via TLS and encrypted at rest. Your purchase orders, supplier records and documents are never stored in plaintext - whether at rest on disk or moving across the network.
SpendVault is built on Cloudflare's global edge network and Supabase's enterprise-grade Postgres infrastructure. We chose these platforms because they are used by companies far larger than us - and because their security posture is independently maintained and tested. We benefit from that, and so do you.
We are a small team. We do not claim ISO 27001 or SOC 2 certification. What we do claim is that the infrastructure we build on holds those certifications, and that the architectural decisions we make - isolation, passwordless auth, two-factor authentication, encrypted storage - are the right ones.
Cloudflare runs at the network edge - your requests are handled at infrastructure that is geographically distributed and designed to absorb DDoS attacks, outages and regional failures without your platform going down.
Supabase runs on AWS with automatic backups, point-in-time recovery and enterprise-grade availability. Your data is not sitting on a server in someone's office. It is on infrastructure that was built for exactly this purpose.
The combination means SpendVault benefits from the security investment of two large-scale infrastructure providers - without you paying enterprise-scale prices for it.
SpendVault is delivered as a software service using established third-party providers. We believe clients should know that plainly. We choose infrastructure partners for reliability, availability and secure managed services - not because we want to obscure who does what.
Used for site delivery, edge runtime execution and network-layer protection around public platform surfaces.
Used for authentication, Postgres data storage, row-level security enforcement and backend function surfaces.
Supports the managed cloud infrastructure beneath core data services used by the platform.
Used for operational email delivery such as approvals, invitations, OTPs, notifications and trial access emails.
A password is something you can lose. A magic link is something you receive. We chose the architecture that removes the weakest link entirely.
South African law gives you rights over your data. SpendVault is built around those rights - not just to comply with them, but because we believe they are the right way to operate a platform that handles sensitive business information.
SpendVault is operated in compliance with the Protection of Personal Information Act 4 of 2013. Our Information Officer can be contacted at info@supplyd.co.za. Personal information processed on our platform is handled in accordance with the conditions for lawful processing set out in the Act. Further detail is available in our Privacy Policy and PAIA Manual.
If you cancel your subscription, you receive a full export of all your records before anything is deleted. Your suppliers, purchase orders, delivery records, inventory and documents - all of it, in a standard format you can use elsewhere. Your data is never held hostage.
Your supplier list and spend data are yours. SpendVault does not use client data for any purpose other than operating the platform. We do not sell it, share it with third parties, or use it to train models. Full stop.
A secure platform still depends on disciplined use. Some controls are ours to provide. Some controls are yours to operate properly inside your business.
Tenant separation, audit trails, OTP flows, role boundaries, managed infrastructure, secure email delivery paths and exportable operational records.
Assigning correct roles, removing former staff access, protecting email accounts, reviewing approver assignments and enforcing internal finance policy.
The strongest outcome comes when SpendVault's controls are matched by real internal operating discipline at request, approval, receiving and payment stages.
I have sat across the table from business owners whose data was lost, leaked or held hostage by a software vendor. I know what that costs - not just in money but in trust, in time, and sometimes in the business itself.
SpendVault will never be that vendor. Your data is exportable on demand, never held hostage, and protected by every architectural decision we make. The decisions described on this page are not marketing - they are the actual choices we made when building the platform.
If something ever goes wrong, you will hear from me directly. Not from a support ticket, not from a status page - from me.
- Anthony K - Founder - Supplyd (Pty) Ltd - Johannesburg
Contact us directly. Security concerns are responded to within 24 hours. We do not need a formal report - a plain description of what you found is enough.
14-day free trial. Full platform. Magic link in your inbox in seconds. No credit card required.