Security at Broadmark Sourcing
We take the security of your procurement data seriously. Here is how we protect it.
Tenant Data Isolation
Every client's data is stored in a fully isolated tenant. Row Level Security is enforced at the database level — not just the application layer — ensuring no client can ever access another client's data under any circumstance.
AI Processing Under Zero Data Retention
Document content processed by our AI agents — including invoices, contracts, and spend data — is handled under a zero data retention agreement with Anthropic. Your data is never stored, logged, or used for model training beyond what is operationally required to return the API response.
Encryption In Transit and At Rest
All data transmitted to and from our platform is encrypted using TLS 1.2 or higher. All data stored in our database is encrypted at rest using AES-256 encryption provided by Supabase infrastructure.
Secure Authentication
Client access is protected by Supabase Auth with email verification, password hashing, and automatic session timeouts after 8 hours of inactivity. All authentication events, including logins, logouts, and failed attempts, are logged in our audit system.
Accounting Integration Security
Accounting system connections are handled via OAuth 2.0 through Merge.dev, a SOC 2 Type II certified integration platform. We never store your accounting system credentials directly. We request only the minimum data scopes necessary to deliver our services.
Payment Security
All payment processing is handled exclusively by Stripe, a PCI DSS Level 1 certified payment processor — the highest level of certification available. Broadmark Sourcing never stores, transmits, or has access to your credit card or bank account information.
Security Monitoring and Response
All API endpoints are rate limited to prevent abuse. Webhook endpoints are secured with secret key validation. We monitor for unusual API activity and maintain audit logs of all administrative actions. In the event of a security incident, we will notify affected clients within 72 hours.
Data Retention and Your Right to Deletion
Client data is retained for the duration of your active subscription plus 90 days following cancellation. Upon request, we will permanently delete all your data within 30 days. To submit a deletion request, contact info@broadmarksourcing.com.
Security Questions or Concerns?
For enterprise security reviews, Data Processing Agreements, penetration test results, or any security concerns, contact us directly.