Security

VendorInspect is a B2B tool that handles vendor names, website URLs, and email addresses on behalf of procurement teams. We take the security of that data seriously. This page explains the controls we have in place.

🔒

Encryption in transit

All traffic is served over HTTPS/TLS 1.2+. Plain HTTP connections are automatically redirected to HTTPS.

🗄️

Encryption at rest

Report data stored in Supabase is encrypted at rest using AES-256.

🌍

Data residency

Supabase storage is provisioned in the US East region.

⏱️

Data retention

Reports are automatically deleted 90 days after generation. Email addresses are deleted with the report.

🔑

Access controls

Reports are accessed via single-use magic links tied to a unique token. There are no user accounts or shared credentials.

🏗️

Infrastructure

The application runs on Vercel's serverless platform. There are no persistent server processes or open ports.

Sub-processor Security

We rely on the following sub-processors, each with their own security posture:

What Data We Process

We process only the minimum data required to deliver a report:

We do not process sensitive personal data, financial records, or proprietary business information.

Vulnerability Disclosure

If you discover a security vulnerability in VendorInspect, please report it responsibly by contacting us at security@vendorinspect.com before disclosing it publicly. We will acknowledge your report within 5 business days and work to resolve confirmed issues promptly.

We ask that you do not access, modify, or delete data that is not yours, and that you do not perform denial-of-service testing.

Contact

Security questions or concerns? Email security@vendorinspect.com or use the Contact Support link in the footer.