SpendSide

Security and compliance

Last updated: June 2026

Posture

Security is engineered into SpendSide rather than bolted on. The platform is built around multi-tenant isolation, layered access control, and evidence on every answer. What follows is honest about what is in design and build today versus what is on the roadmap.

Architecture controls

Multi-tenancy isolates data between tenants at every layer. Access is enforced with RBAC, ABAC, and row-level security composed together. AI access is enforced in three layers: retrieval scope, prompt scope injection, and a post-hoc tool-result filter, validated as a continuous-integration contract.

Data handling and lineage

Every value carries field-level lineage back to its transformation, column, row, file, uploader, and timestamp. Reads, writes, and AI actions are recorded in an audit log.

Compliance roadmap

ISO 27001, SOC 2 Type II, and GDPR alignment are on our roadmap. We will publish certifications only once they are achieved, never before.

Reporting

To report a security concern, email security@spendside.com.

This is a plain-language summary provided during preview, not legal advice. A full policy will be published before general availability.