Security and data protection

Clear controls for vendor risk evidence.

VendorGuard stores vendor risk records, uploaded evidence, and generated reports in an authenticated workspace. This page documents the current controls, data categories, and processing boundaries customers should review before sharing sensitive vendor material.

DPA template

Download the current data processing addendum template for legal review. It is a working template and should be finalized for each customer agreement.

Download DPA template

Access control

VendorGuard uses Supabase authentication, organization-scoped records, and role-based access with three roles: admin, analyst, and viewer.

Tenant separation

Core vendor, evaluation, document metadata, monitoring, alert, and settings tables carry an organization ID and are protected by row-level security policies keyed on it.
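The following is an added example, not VendorGuard's own schema or policies, showing how the two controls above (organization-scoped rows plus admin/analyst/viewer roles) are typically expressed as PostgreSQL row-level security in the style Supabase uses. Table names, column names, and the current_user_role helper are hypothetical; the auth.uid() function is the Supabase helper that reads the caller's user ID from the request JWT.

```sql
-- Added example (hypothetical names): organization-scoped tables with
-- row-level security and role checks. Assumes Supabase's auth.uid().

create table organization_members (
  organization_id uuid not null,
  user_id         uuid not null,
  role            text not null check (role in ('admin', 'analyst', 'viewer')),
  primary key (organization_id, user_id)
);

create table vendors (
  id              uuid primary key default gen_random_uuid(),
  organization_id uuid not null,
  name            text not null,
  domain          text
);

-- Membership lookup used by every policy. SECURITY DEFINER lets it read
-- organization_members even though that table is itself protected below.
create or replace function current_user_role(org uuid)
returns text
language sql
security definer
stable
set search_path = public
as $$
  select role from organization_members
  where organization_id = org and user_id = auth.uid()
$$;

-- Members may only see their own membership rows, so one tenant cannot
-- enumerate another tenant's users.
alter table organization_members enable row level security;
create policy members_self on organization_members
  for select using (user_id = auth.uid());

alter table vendors enable row level security;
alter table vendors force row level security;   -- applies to the table owner too

-- Any member of the organization can read its vendors.
create policy vendors_select on vendors
  for select using (current_user_role(organization_id) is not null);

-- Admins and analysts can create and edit vendors; WITH CHECK prevents an
-- insert or update from moving a row into an organization the caller is not in.
create policy vendors_insert on vendors
  for insert with check (current_user_role(organization_id) in ('admin', 'analyst'));

create policy vendors_update on vendors
  for update using (current_user_role(organization_id) in ('admin', 'analyst'))
  with check (current_user_role(organization_id) in ('admin', 'analyst'));

-- Only admins can delete.
create policy vendors_delete on vendors
  for delete using (current_user_role(organization_id) = 'admin');

-- Manual check from psql: impersonate the API role and a user ID, then
-- confirm that only that user's organizations are visible.
--   set role authenticated;
--   select set_config('request.jwt.claims', '{"sub": "<user uuid>"}', true);
--   select * from vendors;   -- rows from other organizations are filtered out
```

Two caveats a reviewer should keep in mind: policies only protect tables on which RLS is enabled, so every new tenant-scoped table needs the same treatment, and connections using the Supabase service-role key bypass RLS entirely, so that key must stay server-side and out of any client bundle.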

Private evidence storage

Uploaded vendor evidence and generated reports are stored in private Supabase Storage buckets. Report files are accessed through signed URLs.

External research boundaries

Vendor assessments may call Tavily, Anthropic, and any configured security rating providers. Where the collected sources do not support a claim, reports should record it as an evidence gap rather than state it with unsupported certainty.

Data handled

VendorGuard is intended for third-party risk assessment workflows. Customers should avoid uploading unnecessary personal data or secrets inside vendor evidence.

  • Account profile and organization details
  • Vendor names, domains, websites, countries, tiers, and assessment scope
  • Uploaded vendor evidence such as SOC 2, ISO 27001, penetration test, financial, legal, and compliance documents
  • Generated findings, evaluation scores, reports, monitoring alerts, comments, and audit-style assessment logs
  • Integration configuration such as security rating API keys when an administrator connects them

Storage and retention

Primary storage
Supabase PostgreSQL and private Supabase Storage buckets configured for this deployment.
Storage region
The exact region is the Supabase project region for the active environment and should be confirmed from the deployment settings before contractual commitments.
Encryption
Data uses HTTPS in transit and Supabase-managed storage/database protections at rest. VendorGuard does not currently add separate application-layer encryption for each record, so stored content is readable by anyone holding project-level database or storage credentials.
Retention
Assessment logs carry a 90-day expiry marker. Deletion of customer data and reports on request, and any retention commitments, should be confirmed in the customer agreement.
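As an added example, not VendorGuard's own code, here is one way a 90-day expiry marker like the one described above can be implemented and acted on in PostgreSQL: an expires_at column set at insert time, an index so the purge stays cheap, a batched purge function, and a schedule using the pg_cron extension that Supabase offers. The page does not state that VendorGuard purges logs automatically; table names and the function name are hypothetical.

```sql
-- Added example (hypothetical names): expiry column plus a scheduled,
-- batched purge. Assumes the pg_cron extension is available.

create table assessment_logs (
  id              bigint generated always as identity primary key,
  organization_id uuid not null,
  vendor_id       uuid not null,
  entry           jsonb not null,
  created_at      timestamptz not null default now(),
  -- the 90-day expiry marker, fixed when the row is written
  expires_at      timestamptz not null default now() + interval '90 days'
);

create index assessment_logs_expires_at_idx on assessment_logs (expires_at);

-- Delete expired rows in bounded batches so a large backlog never holds a
-- long-running lock; SKIP LOCKED lets concurrent runs avoid each other.
create or replace function purge_expired_assessment_logs(batch_size int default 5000)
returns int
language plpgsql
security definer
set search_path = public
as $$
declare
  deleted int;
begin
  with victims as (
    select id from assessment_logs
    where expires_at <= now()
    order by expires_at
    limit batch_size
    for update skip locked
  )
  delete from assessment_logs l using victims v where l.id = v.id;
  get diagnostics deleted = row_count;
  return deleted;
end
$$;

-- Run the purge nightly at 03:15 database time.
create extension if not exists pg_cron;
select cron.schedule('purge-assessment-logs', '15 3 * * *',
  'select purge_expired_assessment_logs()');
```

Because the function is SECURITY DEFINER, the scheduler does not need a role that can bypass row-level security on assessment_logs; the function runs with its owner's privileges. Run the function by hand once (select purge_expired_assessment_logs();) and check the returned count before trusting the schedule.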

Implementation notes

This page reflects the controls visible in the current application code. Before using it for an enterprise procurement review, confirm the production Supabase region, final security contact, incident notification SLA, and the signed DPA terms.

Subprocessors

These services may process customer or vendor assessment data depending on which workflows and integrations are enabled.

Supabase: Authentication, PostgreSQL database, storage, and server-side access controls
Anthropic: AI-assisted assessment drafting, evidence analysis, summaries, and country discovery support
Tavily: Web research for vendor risk signals and source discovery
Security rating providers: BitSight, SecurityScorecard, UpGuard, and RiskRecon when the customer configures API access
Resend: Email alerts when configured for monitoring notifications