Your data is safe here.
Insurance certificates contain sensitive business information. We treat that seriously — with encryption, strict data isolation, and transparent practices.
How we protect your data
Security by design, not an afterthought
Encryption everywhere
- All data encrypted in transit via TLS 1.3
- Database encrypted at rest (AES-256)
- Insurance documents stored in private Supabase buckets
- Documents accessed only via short-lived signed URLs — never publicly accessible
Data isolation
- Row-Level Security (RLS) enforced at the Postgres level
- Every query scoped to company_id — cross-tenant data access is structurally impossible
- Service role key never exposed to browser or client
- API routes validate company membership on every request
Authentication & access control
- Email + password auth via Supabase Auth with bcrypt hashing
- Time-based One-Time Password (TOTP) MFA available for all accounts
- Role-based access: Admin, Manager, Viewer roles with enforced permissions
- Session tokens expire and rotate on sensitive actions
- Vendor portal access via unique tokenized URLs — no shared credentials
Audit & visibility
- Full audit log of all user actions (add, edit, delete, export)
- Document upload and access events recorded
- Team invitation and role change events tracked
- Logs retained for 12 months
Infrastructure
- Hosted on Vercel Edge Network with global CDN
- Database on Supabase (hosted on AWS, SOC 2 Type II compliant)
- Daily automated database backups with point-in-time recovery
- Zero-downtime deployments with instant rollback capability
Responsible practices
- Minimal data collection — we only store what is needed for the product
- Vendor portal data scoped strictly to the requesting vendor
- No insurance document data used for training AI models
- Webhook payloads signed with HMAC-SHA256 for verification
Built on trusted infrastructure
FAQ
Security questions answered
Who can see my vendor data?
Only users within your company account can access your data. Supabase Row-Level Security ensures that even if a query were misconfigured, the database would block cross-tenant access at the database level.
Where are insurance documents stored?
Insurance certificates are stored in a private Supabase storage bucket. They are never publicly accessible. Every access is via a signed URL that expires after 60 minutes.
Can vendors see each other's data?
No. Each vendor has a unique tokenized portal URL. When a vendor opens their portal, they only see their own certificates and compliance status — nothing from other vendors in your account.
Is VendorValid SOC 2 compliant?
VendorValid is built on Supabase which is SOC 2 Type II certified. We are in the process of pursuing our own SOC 2 Type II audit. Enterprise customers can request our security questionnaire and Supabase's compliance documentation.
How do I enable MFA for my account?
Two-factor authentication with an authenticator app is available in Settings → Security. We strongly recommend enabling it for all Admin accounts.
Can I export and delete my data?
Yes. You can export all vendor and policy data as CSV any time from the Reports page. To permanently delete your account and all associated data, contact us at hello@vendorvalid.com.
Questions about security?
Enterprise customers can request our full security questionnaire and documentation.