Security

Security Built Into Every Layer

SpendSentry is designed for finance teams handling sensitive contracts and invoices. We enforce strong access controls, isolate customer data by tenant, and secure every integration.

Authentication & Access Control

  • Access tokens are validated server-side against Supabase Auth before any protected action.
  • User roles (Owner/Admin/Member) are enforced through membership records.
  • Protected endpoints require an authenticated user context before returning data.

Tenant Isolation

  • All core records are scoped by tenant_id in queries and services.
  • Row Level Security policies restrict access to data within a tenant.
  • Membership checks ensure users only see data for workspaces they belong to.

Secure Gmail Integration

  • OAuth uses signed state with timestamped nonces to prevent replay.
  • Refresh and access tokens are encrypted with AES-GCM before storage.
  • Scopes are limited to Gmail read/send functions required for document ingestion.
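An added illustration of the signed-state pattern described above (example code, not SpendSentry's own): the OAuth state carries a user id, an issue timestamp and a random nonce, is HMAC-signed with a server-side key, and the verifier rejects bad signatures, expired states and any nonce it has already consumed. The signing key, the 10-minute TTL and the in-memory nonce store are assumptions made for the example.

```python
import base64, hashlib, hmac, json, secrets, time
from typing import Optional

# Assumption: in a real deployment this comes from a server-side environment variable.
SECRET = b"server-side-only-state-signing-key"
STATE_TTL_SECONDS = 600  # assumed lifetime of a state value

def make_state(key: bytes, user_id: str, now: Optional[float] = None) -> str:
    """Build an OAuth state: base64url(JSON payload) + '.' + HMAC-SHA256 over that payload."""
    ts = int(time.time() if now is None else now)
    payload = {"uid": user_id, "ts": ts, "nonce": secrets.token_hex(16)}
    raw = json.dumps(payload, separators=(",", ":")).encode()
    body = base64.urlsafe_b64encode(raw).rstrip(b"=")  # unpadded so '.' never appears
    sig = hmac.new(key, body, hashlib.sha256).hexdigest()
    return f"{body.decode()}.{sig}"

class StateVerifier:
    """Checks signature, freshness and single use of a state returned by the OAuth callback."""

    def __init__(self, key: bytes, ttl: int = STATE_TTL_SECONDS):
        self.key = key
        self.ttl = ttl
        self.seen = set()  # assumption: a shared store (e.g. a DB table) in production

    def verify(self, state: str, now: Optional[float] = None) -> Optional[dict]:
        now = time.time() if now is None else now
        try:
            body, sig = state.rsplit(".", 1)
        except ValueError:
            return None  # malformed: no signature separator
        expected = hmac.new(self.key, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, sig):
            return None  # forged or tampered
        padded = body + "=" * (-len(body) % 4)
        payload = json.loads(base64.urlsafe_b64decode(padded))
        # Reject states older than the TTL or issued in the future (clock skew beyond 60s).
        if now - payload["ts"] > self.ttl or payload["ts"] > now + 60:
            return None
        if payload["nonce"] in self.seen:
            return None  # replay: this state was already consumed
        self.seen.add(payload["nonce"])
        return payload
```

A state is accepted exactly once: a second callback carrying the same value, a value past its TTL, or one signed with a different key is refused.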

Secrets & Environment Hygiene

  • Privileged keys are stored server-side only and never shipped to the client.
  • Edge functions and server services read secrets from environment variables.
  • Client applications use publishable keys with limited access.

Additional Controls

Input Validation

API payloads are validated using explicit schemas to prevent malformed or unsafe input from reaching data services.

Secure Processing

Document ingestion tracks hashes and metadata to detect duplicates and ensure consistent processing pipelines.

Audit-Friendly Records

System tables include created and updated timestamps, giving finance teams traceability for approvals and changes.

Multi-Environment Safety

Environments are configured through explicit variables, keeping staging and production isolated with separate keys.

Need more detail?

Talk to our security team

We are happy to provide architecture diagrams, data flow summaries, or compliance documentation.
