Security

We monitor vendor risk for a living — so we take our own security seriously. Here's how we protect your data.

Effective: February 26, 2026 | Last updated: February 26, 2026

1. Authentication and Access Control

  • Multi-factor authentication (MFA) support
  • Role-based access control (RBAC) with 4 roles: Owner, Admin, Member, Viewer
  • JWT tokens stored in httpOnly cookies (never localStorage)
  • Session verified server-side and refreshed on every request
  • OAuth 2.0 via Google and GitHub (no password storage)
  • Automatic session expiry and re-authentication

2. Data Protection

  • All data encrypted in transit (TLS 1.3)
  • All data encrypted at rest (AES-256)
  • Row Level Security (RLS) on every database table
  • Multi-tenant isolation — organizations never see each other's data
  • No vendor credentials stored — we only monitor public pages
  • Database backups with point-in-time recovery

3. Application Security

  • Content Security Policy (CSP) headers on all responses
  • X-Frame-Options: DENY (clickjacking protection)
  • Strict-Transport-Security (HSTS) enforced
  • Referrer-Policy: strict-origin-when-cross-origin
  • Rate limiting on all API endpoints (Redis-backed)
  • Input validation on every endpoint (Zod schemas)
  • CRON endpoints secured with bearer token verification

4. Infrastructure

  • Hosted on Vercel (SOC 2 Type II certified)
  • Database on Supabase (SOC 2 Type II certified)
  • No customer data stored on developer machines
  • Environment variables managed via platform secrets
  • Automated deployments with zero-downtime rollouts
  • Edge network with DDoS protection (Vercel/Cloudflare)

5. Monitoring and Incident Response

  • Audit logging for all sensitive operations
  • Real-time error monitoring and alerting
  • 24-hour incident response commitment
  • Security vulnerability disclosure program
  • Regular dependency audits (npm audit)
  • Automated security scanning in CI/CD pipeline

6. Compliance

  • SOC 2 Ready — controls implemented, audit planned
  • GDPR compliant — data minimization, right to erasure, DPA available
  • CCPA compliant — do not sell personal information
  • HIPAA compatible — BAA available for Enterprise plans
  • Payments processed by Stripe (PCI DSS Level 1)
  • Regular third-party security assessments planned

7. Data Classification

We classify all data we handle into four levels, each with specific handling requirements:

Public

Vendor catalog data, pricing pages, status pages, changelogs.

Collected from publicly available URLs. No authentication required.

Internal

Organization settings, monitoring configurations, alert rules.

Protected by RLS. Only accessible to authenticated org members with appropriate role.

Confidential

User emails, profile data, notification preferences.

Encrypted at rest. Minimal collection. Right to erasure honored within 30 days.

Restricted

Authentication tokens, API keys, Stripe payment data.

Never stored in the application database. Authentication tokens and API keys are handled by Supabase Auth; payment data by Stripe.

8. What We Don't Do

  • We never store your vendor login credentials
  • We never access your vendor accounts on your behalf
  • We never sell, share, or trade your data with third parties
  • We never use your organization data for AI model training
  • We never store payment card numbers (Stripe handles all payments)
  • We never retain data after account deletion beyond the 30-day grace period

9. Vulnerability Disclosure

We welcome responsible security research. If you discover a vulnerability, please report it to:

security@managevendors.io

Please include a description of the vulnerability, steps to reproduce, and potential impact. We commit to acknowledging reports within 24 hours and providing a resolution timeline within 72 hours.

We will not pursue legal action against security researchers who act in good faith and follow responsible disclosure practices.