Security at Procupy
How we protect your procurement data — multi-tenant isolation, encryption in transit, role-based access, two-factor authentication, SSO, scoped API keys, and a complete audit trail.
Procurement data is sensitive: vendor pricing, bid history, contracts, and payment terms are commercial secrets. We designed Procupy to keep that data isolated, encrypted, access-controlled, and fully auditable. This page describes the security posture that ships in the product today, and where we're headed on compliance — described honestly, without claiming certifications we don't yet hold.
In short
Every organisation's data is isolated, traffic is encrypted in transit, access is governed by roles and two-factor authentication, and every meaningful action is written to a tamper-evident audit trail.
Multi-tenant data isolation
Procupy is multi-tenant: many organisations share the same infrastructure, but no organisation can ever see another's data. Every request carries an organisation identity derived from the authenticated session, and every query in the application is scoped to that organisation. A user authenticated to one company simply has no path to read or write another company's auctions, vendors, POs, or invoices.
This scoping is enforced server-side at the data-access layer, not in the browser — so it holds even against direct API calls, not just the UI.
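The following is an added illustration of the scoping pattern described above, not Procupy's own code. It assumes an in-memory SQLite table and constructed organisations, users and purchase orders; the class and method names are hypothetical. The point it shows is that the organisation id is taken from the authenticated session only, and that every statement in the data-access layer is bound to it, so reads and writes by guessed id and a forged organisation in a request body all fail:

```python
"""Organisation-scoped data access: the tenant comes from the session,
never from the request, and every query is bound to it.

Added illustration, not Procupy's code. Uses an in-memory SQLite table;
the organisations, users and purchase orders are constructed data.
"""
from __future__ import annotations

import sqlite3
from dataclasses import dataclass


@dataclass(frozen=True)
class Session:
    user_id: str
    org_id: str  # derived at login from the authenticated user; clients never supply it


class PurchaseOrders:
    """Data-access layer (hypothetical). Every statement is bound to the
    session's org_id, so a caller cannot reach another organisation's rows
    even by guessing ids."""

    def __init__(self, conn: sqlite3.Connection, session: Session):
        self._conn = conn
        self._org = session.org_id

    def get(self, po_id: int) -> dict | None:
        row = self._conn.execute(
            "SELECT id, org_id, vendor, amount FROM purchase_orders "
            "WHERE id = ? AND org_id = ?",
            (po_id, self._org),
        ).fetchone()
        return dict(row) if row else None

    def list(self) -> list[dict]:
        rows = self._conn.execute(
            "SELECT id, org_id, vendor, amount FROM purchase_orders WHERE org_id = ?",
            (self._org,),
        ).fetchall()
        return [dict(r) for r in rows]

    def create(self, vendor: str, amount: int, **ignored) -> int:
        # org_id always comes from the session. An org_id smuggled into the
        # request body by a direct API call lands in **ignored and is dropped.
        cur = self._conn.execute(
            "INSERT INTO purchase_orders (org_id, vendor, amount) VALUES (?, ?, ?)",
            (self._org, vendor, amount),
        )
        return cur.lastrowid

    def set_amount(self, po_id: int, amount: int) -> bool:
        cur = self._conn.execute(
            "UPDATE purchase_orders SET amount = ? WHERE id = ? AND org_id = ?",
            (amount, po_id, self._org),
        )
        return cur.rowcount == 1  # 0 rows touched when the PO belongs to another org


def seed() -> sqlite3.Connection:
    """Two organisations sharing one table (constructed sample data)."""
    conn = sqlite3.connect(":memory:")
    conn.row_factory = sqlite3.Row
    conn.execute(
        "CREATE TABLE purchase_orders ("
        "id INTEGER PRIMARY KEY, org_id TEXT NOT NULL, vendor TEXT, amount INTEGER)"
    )
    conn.executemany(
        "INSERT INTO purchase_orders (org_id, vendor, amount) VALUES (?, ?, ?)",
        [("org-acme", "Steelworks Ltd", 120000), ("org-globex", "Pipe Supply Co", 45000)],
    )
    return conn


def demo() -> dict:
    """The checks a reviewer would run against a multi-tenant API."""
    conn = seed()
    acme = PurchaseOrders(conn, Session("alice", "org-acme"))
    globex = PurchaseOrders(conn, Session("bob", "org-globex"))

    # Forged org in the body of a create call made from the globex session.
    new_id = globex.create(vendor="Valve Traders", amount=900, org_id="org-acme")
    stored_org = conn.execute(
        "SELECT org_id FROM purchase_orders WHERE id = ?", (new_id,)
    ).fetchone()["org_id"]

    return {
        "own_read_ok": acme.get(1) is not None,
        "cross_read_blocked": acme.get(2) is None,          # globex PO fetched by id
        "cross_write_blocked": acme.set_amount(2, 1) is False,
        "list_is_scoped": [p["org_id"] for p in acme.list()] == ["org-acme"],
        "forged_org_ignored": stored_org == "org-globex",
    }
```

The same three probes (read by id, write by id, tenant field in the body) are what to send against any multi-tenant API when verifying a claim like the one above.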
Encryption in transit
All traffic between your browser or mobile app and Procupy is encrypted over TLS (HTTPS). That covers the web app, the vendor portal, the mobile app, and the API. Cookies that carry session material are flagged HttpOnly, so client-side scripts cannot read them, and are restricted in scope so the browser only sends them where they are needed.
Authentication & sessions
Sign-in issues a short-lived access token (a signed JWT, valid for about 30 minutes) paired with a longer-lived, server-side refresh token. Refresh tokens rotate on every use and are grouped into per-login families: if an already-rotated token is ever replayed, the whole family is revoked immediately. A stolen refresh token is therefore detected at the latest when either the attacker or the legitimate client presents a token the other has already rotated, at which point both lose access and a fresh sign-in is required.
- Rotating refresh tokens — stored hashed (never in plaintext), rotated on each refresh, with automatic family revocation on reuse.
- HttpOnly cookies on web — the web client keeps the refresh token in an HttpOnly cookie, so scripts cannot read it. Because browsers attach cookies automatically, the refresh endpoint also requires a CSRF guard header that a cross-site request cannot supply.
- Secure mobile storage — the vendor mobile app keeps its refresh token in the device secure store.
- Session management — you can list active sessions and revoke them, including a one-click sign-out of all devices.
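The rotation and family-revocation behaviour described above, as an added example that is not Procupy's own code. It assumes an in-memory store (a real deployment would use a database), constructed user ids and a 30-day refresh lifetime; the class and method names are hypothetical. Only a hash of each token is stored, each login starts a new family, and presenting an already-rotated token revokes every token in that family:

```python
"""Rotating refresh tokens with per-login families and reuse detection.

Added illustration, not Procupy's code. Assumes an in-memory store; a
real deployment would back this with a database. User ids and timings
below are constructed for the example.
"""
from __future__ import annotations

import hashlib
import secrets
import time
from dataclasses import dataclass


def _hash(token: str) -> str:
    # Only the SHA-256 of the token is stored, so a database leak does not
    # hand out usable refresh tokens.
    return hashlib.sha256(token.encode()).hexdigest()


@dataclass
class RefreshRecord:
    user_id: str
    family_id: str        # one family per login (per device/session)
    expires_at: float
    used: bool = False    # set once this token has been rotated
    revoked: bool = False


class RefreshTokenStore:
    def __init__(self, ttl_seconds: int = 30 * 24 * 3600):
        self.ttl = ttl_seconds
        self._by_hash: dict[str, RefreshRecord] = {}

    def issue_family(self, user_id: str, now: float | None = None) -> str:
        """Called at sign-in: starts a new family and returns its first token."""
        return self._mint(user_id, secrets.token_hex(8), now)

    def _mint(self, user_id: str, family_id: str, now: float | None = None) -> str:
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        self._by_hash[_hash(token)] = RefreshRecord(user_id, family_id, now + self.ttl)
        return token

    def rotate(self, presented: str, now: float | None = None) -> str | None:
        """Exchange a refresh token for a new one in the same family.

        Returns the new token, or None when the presented token is rejected.
        A token that was already rotated is treated as a replay of a stolen
        token: the whole family is revoked, victim's current token included.
        """
        now = time.time() if now is None else now
        rec = self._by_hash.get(_hash(presented))
        if rec is None or rec.revoked or rec.expires_at <= now:
            return None
        if rec.used:
            self.revoke_family(rec.family_id)
            return None
        rec.used = True
        return self._mint(rec.user_id, rec.family_id, now)

    def revoke_family(self, family_id: str) -> int:
        """Revoke every token in one login's family; returns how many."""
        n = 0
        for rec in self._by_hash.values():
            if rec.family_id == family_id and not rec.revoked:
                rec.revoked = True
                n += 1
        return n

    def active_families(self, user_id: str) -> set[str]:
        """What a 'list my sessions' screen would show."""
        return {r.family_id for r in self._by_hash.values()
                if r.user_id == user_id and not r.revoked}

    def revoke_all(self, user_id: str) -> int:
        """Sign out of all devices."""
        return sum(self.revoke_family(f) for f in self.active_families(user_id))


def demo() -> dict:
    store = RefreshTokenStore()
    t0 = 1_700_000_000.0
    r1 = store.issue_family("u-123", now=t0)          # login on laptop
    r2 = store.rotate(r1, now=t0 + 60)                # legitimate refresh
    replay = store.rotate(r1, now=t0 + 120)           # attacker replays r1
    after_replay = store.rotate(r2, now=t0 + 180)     # victim's r2 is now dead too
    phone = store.issue_family("u-123", now=t0)       # separate login on phone
    phone_ok = store.rotate(phone, now=t0 + 200)      # other family unaffected
    return {
        "first_refresh_ok": r2 is not None,
        "replay_rejected": replay is None,
        "victim_token_revoked_too": after_replay is None,
        "other_login_unaffected": phone_ok is not None,
        "plaintext_not_stored": r1 not in store._by_hash,
    }
```

Note that revocation is per family, so a replay on the laptop's session does not sign the phone out; "sign out of all devices" is the operation that revokes every family a user holds.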
Role-based access control (RBAC)
Access inside an organisation is governed by roles, each mapped to a defined set of permissions. Routes check the caller's permissions before doing anything, so a user only sees and touches what their role allows. This also powers procurement controls like separation of duties — for example, the person who raises a requisition cannot approve their own, enforced in the approval workflow itself.
Vendor users are a distinct principal type with their own, narrower permissions — they can bid and respond to RFQs without ever touching internal buyer data.
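An added example of the two layers described above, not Procupy's own code: a role-to-permission map checked before any handler logic runs, plus a separation-of-duties rule inside the approval workflow that refuses self-approval even when the caller holds the approve permission. Role names, permission strings and the requisition data are constructed; the function and class names are hypothetical.

```python
"""Role-based permission checks plus a separation-of-duties rule.

Added illustration, not Procupy's code. Role names, permission strings
and the requisition data are constructed for the example.
"""
from __future__ import annotations

from dataclasses import dataclass

ROLE_PERMISSIONS = {
    "requester": {"requisition.create", "requisition.read"},
    "approver": {"requisition.read", "requisition.approve"},
    "admin": {"requisition.create", "requisition.read", "requisition.approve"},
}


@dataclass(frozen=True)
class Principal:
    user_id: str
    roles: frozenset

    def permissions(self) -> set:
        return set().union(*(ROLE_PERMISSIONS.get(r, set()) for r in self.roles))


class Forbidden(Exception):
    pass


def require(permission: str):
    """Route guard: refuse before any handler logic runs."""
    def deco(fn):
        def wrapper(principal: Principal, *args, **kwargs):
            if permission not in principal.permissions():
                raise Forbidden(f"{principal.user_id} lacks {permission}")
            return fn(principal, *args, **kwargs)
        return wrapper
    return deco


@dataclass
class Requisition:
    id: int
    raised_by: str
    status: str = "pending"
    approved_by: str | None = None


@require("requisition.create")
def raise_requisition(principal: Principal, req_id: int, store: dict) -> Requisition:
    req = Requisition(req_id, raised_by=principal.user_id)
    store[req_id] = req
    return req


@require("requisition.approve")
def approve_requisition(principal: Principal, req_id: int, store: dict) -> Requisition:
    req = store[req_id]
    # Separation of duties: holding the approve permission is not enough;
    # the workflow itself refuses approval by whoever raised the requisition.
    if req.raised_by == principal.user_id:
        raise Forbidden("requester cannot approve their own requisition")
    req.status = "approved"
    req.approved_by = principal.user_id
    return req


def _blocked(fn, *args) -> bool:
    try:
        fn(*args)
    except Forbidden:
        return True
    return False


def demo() -> dict:
    store: dict = {}
    dana = Principal("dana", frozenset({"admin"}))      # may create AND approve
    eve = Principal("eve", frozenset({"requester"}))
    frank = Principal("frank", frozenset({"approver"}))
    raise_requisition(dana, 1, store)
    return {
        "self_approval_blocked": _blocked(approve_requisition, dana, 1, store),
        "requester_cannot_approve": _blocked(approve_requisition, eve, 1, store),
        "approver_ok": approve_requisition(frank, 1, store).status == "approved",
        "approved_by": store[1].approved_by,
    }
```

The separation-of-duties check deliberately lives in the workflow rather than in the role map, because no combination of roles can express "approve anything except what you raised yourself".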
Two-factor authentication (2FA)
Accounts can enable time-based one-time-password (TOTP) two-factor authentication using any standard authenticator app (Google Authenticator, Authy, 1Password, and similar). It's a standards-based RFC 6238 implementation, so there's no dependency on a third-party 2FA vendor and no SMS to intercept.
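As an added example of what an RFC 6238 implementation entails (not Procupy's own code), the block below generates and verifies TOTP codes with a one-step drift window and last-used-step tracking so a code cannot be replayed within its validity period. The secret is the RFC 6238 test seed, chosen so the 8-digit output can be checked against the RFC's published vector; the class and function names are hypothetical.

```python
"""TOTP (RFC 6238) generation and verification with a small drift window
and replay protection via the last accepted time step.

Added illustration, not Procupy's code. The secret below is the RFC 6238
test seed, used so the output can be checked against the RFC's vectors.
"""
from __future__ import annotations

import hashlib
import hmac
import struct
import time

STEP = 30      # seconds per time step
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: float, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the current time step."""
    return hotp(secret, int(at // STEP), digits)


class TotpVerifier:
    def __init__(self, secret: bytes, window: int = 1):
        self.secret = secret
        self.window = window      # accept +/- this many steps of clock drift
        self.last_step = -1       # highest step already consumed

    def verify(self, code: str, now: float | None = None) -> bool:
        now = time.time() if now is None else now
        step = int(now // STEP)
        for delta in range(-self.window, self.window + 1):
            candidate = step + delta
            if candidate <= self.last_step:
                continue   # already used, or older than a code already used
            if hmac.compare_digest(hotp(self.secret, candidate), code):
                self.last_step = candidate
                return True
        return False


def demo() -> dict:
    seed = b"12345678901234567890"   # RFC 6238 Appendix B test seed
    now = 1_700_000_000              # constructed "current time"
    v = TotpVerifier(seed, window=1)
    code = totp(seed, now)
    accepted = v.verify(code, now=now)
    replay = v.verify(code, now=now + 5)                       # same code again
    next_ok = v.verify(totp(seed, now + STEP), now=now + STEP)  # next step
    drift = TotpVerifier(seed).verify(totp(seed, now - STEP), now=now)
    too_old = TotpVerifier(seed).verify(totp(seed, now - 2 * STEP), now=now)
    return {
        "rfc_vector_t59_8_digits": totp(seed, 59, digits=8),
        "accepted": accepted,
        "replay_rejected": not replay,
        "next_step_accepted": next_ok,
        "one_step_drift_tolerated": drift,
        "two_steps_back_rejected": not too_old,
    }
```

Tracking the last accepted step is what turns "valid for 30 seconds" into "valid once": without it, a code phished in real time can be replayed until the step rolls over.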
Single sign-on (SSO)
For teams that centralise identity, Procupy supports optional OpenID Connect (OIDC) single sign-on. That lets you bring your existing identity provider, enforce your own password and MFA policies, and de-provision access in one place. SSO is available on Enterprise — talk to us on the contact page to set it up.
Scoped API keys
Integrations authenticate with organisation-scoped API keys rather than user credentials. Each key acts as a limited service principal, is tied to a single organisation, and can be rotated or revoked independently — so an integration never needs a human's password, and a leaked key can be cut off without disrupting anyone's login.
Audit trail
Every meaningful action — logins, role and permission changes, approvals and rejections, awards, PO and invoice events, and security events like 2FA enrolment — is written to an audit log. That gives finance and compliance teams a defensible, tamper-evident record of who did what and when, without anyone manually exporting spreadsheets at month-end. It's the same trail that makes three-way matching and approval governance stand up to an auditor.
Compliance roadmap
We're transparent about where we are: Procupy is built to be compliance-ready, and we're maturing our formal certifications as we grow.
- SOC 2 — a SOC 2 programme is in progress. Enterprise customers can request our current status and, where available, supporting documentation under NDA.
- DPDP-Act-aware — our data handling is designed around India's Digital Personal Data Protection Act: we collect only the data we need, are clear about why, support data-subject requests, and limit retention. See our privacy policy for the detail.
- Data residency & sub-processors — we can share our hosting and sub-processor details with prospective Enterprise customers during diligence.
Responsible disclosure
Found a vulnerability? We appreciate it. Email hello@procupy.com with the details and steps to reproduce, and we'll respond promptly. Please give us a reasonable window to fix issues before any public disclosure.
Have a security questionnaire or want to dig deeper before a rollout? Get in touch and we'll walk your team through it.
Frequently asked questions
Is Procupy SOC 2 certified?
We don't claim a SOC 2 certification we don't hold. A SOC 2 programme is in progress, and Enterprise customers can request our current status and any supporting documentation under NDA. In the meantime the product ships with multi-tenant isolation, encryption in transit, RBAC, 2FA, and a full audit trail.
How is my organisation's data kept separate from other customers?
Procupy is multi-tenant. Every authenticated request carries an organisation identity, and every data query is scoped to that organisation server-side. There is no path — through the UI or the API — for one organisation to read or write another's data.
Does Procupy support two-factor authentication and SSO?
Yes. Any account can enable TOTP-based two-factor authentication using a standard authenticator app. For teams that centralise identity, optional OpenID Connect (OIDC) single sign-on is available on Enterprise so you can use your own identity provider and MFA policies.
Is data encrypted?
All traffic to and from Procupy — web, mobile, and API — is encrypted in transit over TLS (HTTPS). Session cookies are HttpOnly and scope-restricted, and refresh tokens are stored hashed rather than in plaintext.
Can I see who changed what?
Yes. Procupy writes every meaningful action — logins, approvals, awards, role changes, PO and invoice events, and security events — to an audit log, giving finance and compliance teams a defensible record of who did what and when.
Is Procupy compliant with India's DPDP Act?
Our data handling is designed around the Digital Personal Data Protection Act: we collect only what we need, are clear about why, support data-subject requests, and limit retention. Full detail is in our privacy policy.