Security.

Concrete infrastructure facts, not promises. We do not claim certifications we do not hold.

Infrastructure

VendorGuard runs on Cloudflare Workers, with Cloudflare D1 for structured data (vendors, assessments, incidents, contracts, tasks, the register of information) and Cloudflare R2 for uploaded documents. Spot Suite's platform policy runs Cloudflare infrastructure in EU jurisdiction. All traffic to the app and API is served over TLS.

Tenant isolation

Every record in VendorGuard — vendors, assessments, incidents, contracts, tasks — is scoped to a tenant ID enforced on every read and write through the API. A session cannot see or modify another tenant's data.

Sessions and authentication

Signing in sets a single session cookie (vg_session), marked HttpOnly, Secure, and SameSite=Lax, so it is not readable from JavaScript and is not sent on cross-site requests. Sessions expire after a fixed lifetime and are re-checked on the server for every request. Production sign-in is designed to run through Spot Suite single sign-on (Entra ID via OIDC); until that integration is wired up for VendorGuard, non-production environments use a gated development login that only works when the environment is explicitly configured for it.

No tracking

VendorGuard does not run third-party analytics, advertising pixels, or session-replay scripts. Server logs are used only to operate and secure the Service.

Reporting a concern

If you believe you have found a security issue in VendorGuard, please report it through the contact page rather than a public issue tracker.