Data Security & Protection
Security built for regulated industrial procurement
ChemCapital is built for industries where technical specifications, commercial quotations, procurement workflows, supplier documents, and project data must be handled securely and responsibly. This page explains how we protect your data — honestly, with clear status indicators for what is implemented today and what is on our roadmap.
Why security matters in ChemCapital
The platform manages commercially sensitive and operationally critical data throughout the procurement lifecycle. The types of information handled include:
Security principles
How your data is protected
Each control area is listed with its current implementation status. We believe transparency builds more trust than marketing claims.
Encryption in transit (Implemented)
All browser and API traffic is served over HTTPS with TLS 1.2 or higher, enforced at the hosting edge. No unencrypted HTTP connections are accepted.
Encryption at rest (Implemented)
The database and file storage are hosted on infrastructure that provides AES-256 encryption at rest. This is managed at the provider level: data is encrypted before being written to disk. This protects data on the underlying storage media (for example, a decommissioned or stolen disk); it does not by itself restrict what the application or an authenticated user can read, which is the job of the access controls described below.
Authentication (Implemented)
Users authenticate with email and password. Passwords are hashed with bcrypt before storage; the plaintext password is never stored. Sessions are managed via Secure, HttpOnly JWT cookies with automatic refresh, so session tokens are not readable by page scripts and are only sent over HTTPS. Invite-based onboarding ensures only authorised users gain access.
Role-based access control (Implemented)
Each user holds a role within their company: Owner, Admin, Member, or Viewer. Sensitive operations require Owner or Admin privileges. All server actions verify membership before executing business logic.
Company-level data segregation (Implemented)
All procurement and supplier data is scoped to the owning company. Database queries enforce company boundaries so that one customer's RFQs, quotations, projects, and documents are not visible to another.
Route and session protection (Implemented)
Protected application areas (procurement, supplier, admin dashboards) require an active authenticated session. Unauthenticated requests are redirected to the login page. Sessions are validated and refreshed on every request.
HTTP security headers (Implemented)
Standard HTTP security headers are applied to all responses: Content-Security-Policy (CSP), X-Frame-Options (DENY), X-Content-Type-Options (nosniff), Referrer-Policy, Permissions-Policy, and Strict-Transport-Security (HSTS).
API key management (Implemented)
Integration API keys are generated with cryptographically secure random bytes. Only a SHA-256 hash of each key is stored; the plaintext is shown once at creation and never persisted. Because the key is high-entropy random data rather than a human-chosen password, a plain SHA-256 hash is sufficient: an attacker who obtains the stored hash cannot feasibly recover the key from it. Keys can be revoked instantly.
Rate limiting (Implemented)
Rate limiting is enforced across integration API endpoints (120 req/min per key), file uploads, authentication-related endpoints, contact forms, and data enrichment routes. Per-IP and per-user limits are applied where appropriate.
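An added example of how a per-key limit of 120 requests per minute can be enforced, written for this page rather than taken from ChemCapital's code. The token-bucket design, the per-IP backstop value of 600 per minute, and the scope naming are the example's own choices; the page only states the per-key figure. The clock is injected so the behaviour is deterministic to test.

```javascript
// Token-bucket limiter: `limit` requests per `windowMs`, refilled continuously so a
// client that stays under the rate is never blocked by a fixed-window reset.
// The clock is injectable so behaviour can be tested deterministically.
class RateLimiter {
  constructor({ limit, windowMs, now = () => Date.now() }) {
    this.limit = limit;
    this.windowMs = windowMs;
    this.now = now;
    this.buckets = new Map(); // scope -> { tokens, updatedAt }
  }

  // Consume one token for `scope`. Returns { allowed, remaining, retryAfterMs }.
  take(scope) {
    const t = this.now();
    const b = this.buckets.get(scope) ?? { tokens: this.limit, updatedAt: t };
    // Multiply before dividing so whole-token refills stay exact in floating point.
    const refill = ((t - b.updatedAt) * this.limit) / this.windowMs;
    b.tokens = Math.min(this.limit, b.tokens + refill);
    b.updatedAt = t;
    this.buckets.set(scope, b);
    if (b.tokens >= 1) {
      b.tokens -= 1;
      return { allowed: true, remaining: Math.floor(b.tokens), retryAfterMs: 0 };
    }
    const msPerToken = this.windowMs / this.limit;
    return { allowed: false, remaining: 0, retryAfterMs: Math.ceil((1 - b.tokens) * msPerToken) };
  }
}

// 120 requests per minute per integration key, as stated on this page.
// The per-IP backstop of 600 per minute is an illustrative value.
const perKeyLimiter = new RateLimiter({ limit: 120, windowMs: 60_000 });
const perIpLimiter = new RateLimiter({ limit: 600, windowMs: 60_000 });

// Check a request against both scopes. An exhausted bucket in either yields 429
// with Retry-After, so one abusive key and a burst from one address are both contained.
function checkIntegrationRequest({ apiKeyId, ip }, keyLimiter = perKeyLimiter, ipLimiter = perIpLimiter) {
  const byKey = keyLimiter.take(`apikey:${apiKeyId}`);
  const byIp = ipLimiter.take(`ip:${ip}`);
  const denied = [byKey, byIp].find((r) => !r.allowed);
  if (denied) {
    const retryAfterSeconds = Math.max(1, Math.ceil(denied.retryAfterMs / 1000));
    return { status: 429, headers: { "Retry-After": String(retryAfterSeconds) } };
  }
  return {
    status: 200,
    headers: { "X-RateLimit-Remaining": String(Math.min(byKey.remaining, byIp.remaining)) },
  };
}
```

On a multi-instance deployment the bucket state has to live in shared storage rather than process memory, otherwise each instance hands out its own 120 requests; the arithmetic is unchanged.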
Password strength enforcement (Implemented)
Password complexity is validated server-side at registration and invitation acceptance. Requirements include minimum length, uppercase, lowercase, and numeric characters.
Webhook security (inbound) (Implemented)
Inbound Stripe webhooks are verified against the Stripe-Signature header (an HMAC-SHA256 over the timestamp and raw request body, computed with the endpoint's signing secret) before any event is processed; requests that fail verification are rejected. An idempotency log prevents the same event from being handled twice when Stripe retries a delivery.
Webhook security (outbound) (Implemented)
Outbound webhooks to customer ERP systems are signed with HMAC-SHA256. Each delivery includes a timestamp, event ID, and idempotency key. Secret rotation is supported with a grace period for the previous secret.
Input validation (Implemented)
Server-side validation is applied to form submissions and API inputs using schema validation. Client-side validation provides immediate feedback. Untrusted input is validated before reaching business logic.
File and document storage (Implemented)
Uploaded files are stored in private cloud storage buckets with an allowlist of permitted buckets. Uploads are validated for MIME type and file size (25 MB limit). External submissions use time-limited tokens for access.
Cron and scheduled job security (Implemented)
Scheduled cron routes require a shared secret in the Authorization header. Without a valid CRON_SECRET, the endpoint returns 401 and does not execute. The application does not operate in an unauthenticated fallback mode.
Payment security (Implemented)
All payment processing is handled by Stripe. No credit card numbers, CVVs, or sensitive payment data pass through or are stored on ChemCapital servers. Stripe is PCI DSS Level 1 certified.
Infrastructure hosting (Implemented)
The application is deployed on Vercel's edge network with automatic scaling, DDoS protection at the edge layer, and managed TLS certificates. The database is hosted on Supabase's managed PostgreSQL infrastructure in AWS eu-west-2 (London).
Audit trail and event logging (Implemented)
Sensitive operations including RFQ creation, PO issuance, compliance record changes, and team management actions are recorded in a structured audit log. Admin users can filter and search logs by action type, entity, company, user, and date range. Mid-Market and Enterprise customers can access their own company audit trail directly from their account settings for compliance and governance review.
Error and security monitoring (Implemented)
Sentry is integrated for real-time error monitoring and alerting in production. Application errors are captured with context for rapid investigation. Source maps are uploaded securely and not exposed to browsers.
Data retention (Implemented)
A data retention engine runs as a scheduled cron job and purges records according to defined retention windows: activity logs (365 days), processing jobs (90 days), and financial audit logs (730 days). Retention periods are configurable per company.
Multi-factor authentication (MFA) (Implemented)
TOTP-based MFA is available for all users via their security settings. When enabled, users are required to enter a verification code from an authenticator app after each login. MFA can be enforced at the organisation level.
Single sign-on (SSO / SAML) (Implemented)
SSO via SAML or OpenID Connect is available for enterprise customers through Supabase Auth's SAML 2.0 integration. Users can sign in using their corporate identity provider by entering their work email address. SSO can be configured per organisation.
Security technologies used
These are the actual technologies in the ChemCapital stack that contribute to data protection.
| Technology | Purpose |
|---|---|
| Supabase Auth | Authentication and session management |
| Supabase PostgreSQL | Primary database |
| Supabase Storage | File and document storage |
| Vercel | Application hosting and edge network |
| Stripe | Payment processing and billing |
| Prisma ORM | Database access layer |
| Zod | Schema validation |
| Next.js 16 | Application framework |
| Sentry | Error and security monitoring |
| Resend | Transactional email delivery |
| Node.js crypto | Cryptographic operations |
Security maturity and ongoing improvements
We are transparent about where we are today. Security is a continuous process, and we document our progress honestly.
Implemented today
- HTTPS / TLS encryption on all traffic
- AES-256 encryption at rest (database and storage)
- Role-based access control (RBAC) with server-side enforcement
- Centralised company membership authorization guard
- HTTP security headers (CSP, HSTS, X-Frame-Options, Referrer-Policy)
- Invite-based user onboarding with token expiry
- API key hashing and revocation
- Stripe webhook signature verification
- Outbound webhook HMAC-SHA256 signing
- Rate limiting across API, upload, and auth routes
- Server-side password complexity enforcement
- Server-side input validation (Zod)
- MIME type and file size validation on uploads
- Fail-closed cron job authentication
- IDOR protection on document parsing API
- Structured audit trail for sensitive operations
- Admin audit log viewer with full filtering
- Error and security monitoring (Sentry)
- Multi-factor authentication (MFA) — TOTP
- SSO / SAML for enterprise identity providers
- Data retention engine with configurable policies
- Customer audit trail logs in-app (Mid-Market+)
In progress
- Enterprise DPA and security questionnaire support
Planned / enterprise roadmap
- Penetration testing programme
- IP allowlisting for enterprise accounts
- Downloadable audit log export (CSV/PDF)
- Granular permission matrices (custom roles)
Frequently asked questions
Where is our data stored?
Your data is stored in a managed PostgreSQL database hosted on Supabase infrastructure within AWS eu-west-2 (London, UK). Files and documents are stored in private Supabase Storage buckets in the same region. All data is encrypted at rest using AES-256.
Who can access our RFQs and quotations?
RFQs are visible only to members of the procurement company that created them and the specific suppliers invited to respond. Quotations are visible to the submitting supplier and the procurement company that issued the RFQ. Role-based access within each company controls who can view, edit, or manage these records.
Are files and attachments protected?
Yes. Uploaded files are stored in private storage buckets. Access requires an authenticated API call from a user with appropriate permissions. External submissions use time-limited tokens. File types and sizes are validated on upload. Files are not publicly accessible by default.
How do you handle ERP integrations securely?
ERP integrations use API keys that are SHA-256 hashed before storage — plaintext keys are never persisted. Outbound webhooks are signed with HMAC-SHA256 so your systems can verify authenticity. Rate limiting (120 requests/minute) is enforced on all integration endpoints. Secret rotation is supported with a grace period.
Do you offer MFA or SSO?
Yes. TOTP-based MFA (Google Authenticator, Authy, 1Password) is available for all users from the Security settings page. SSO via SAML or OpenID Connect is available for enterprise customers — contact us to configure your identity provider.
Can enterprise customers request additional security documentation?
Yes. We are happy to support enterprise security reviews, complete vendor security questionnaires, and discuss our security architecture in detail. Please contact us to arrange this.
How do you handle backups and incident response?
Database backups are managed by our infrastructure provider (Supabase/AWS) with point-in-time recovery capabilities. In the event of a data incident, we follow a documented internal response process that includes containment, investigation, notification, and remediation.
Is ChemCapital GDPR compliant?
ChemCapital is designed with GDPR-aware data handling principles including data minimisation, purpose limitation, and user access controls. We provide a Privacy Notice and support data subject requests. Data Processing Agreements (DPAs) are available on request for enterprise customers.
How is my data retained and deleted?
Activity logs are retained for 365 days and then purged automatically. Financial audit logs are retained for 730 days for compliance purposes. Enterprise customers can configure custom retention periods. Data deletion requests are handled in accordance with our Privacy Notice.
Privacy and compliance
ChemCapital is designed with GDPR-aware data handling principles including data minimisation, purpose limitation, and user access controls. We support privacy-conscious access management and are expanding enterprise governance capabilities.
Need a security review before onboarding?
We welcome enterprise security assessments, vendor questionnaires, and technical architecture discussions. Speak with ChemCapital about your security and procurement requirements.