Security you can audit, not just trust.
Here’s how ProcuHelp actually protects your data: tenant isolation at the database level, EU-resident infrastructure, encrypted at rest and in transit, secrets in a vault instead of environment variables. This page describes what we do, not what we wish we did.
How your data is actually protected
Encryption is table stakes. The harder problem is isolation between customers, secret management, and recovery if something goes wrong. Here’s how we handle each.
Encrypted everywhere it sits
All data is encrypted in transit and at rest. Connections between your browser, our application, and our database use TLS. Stored data, including databases and backups, is encrypted with AES-256.
Tenant isolation, enforced in the database
Customer data is logically isolated per organisation at the database level. Every query carries the organisation scope; the database refuses to return rows that don’t belong to the requesting account. This isn’t handled by application code we hope is bug-free; it’s enforced where the data lives.
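As an added illustration of what "enforced where the data lives" means in practice, this is database-level tenant scoping with PostgreSQL row-level security. It is example code, not ProcuHelp's own schema; the table, the role name and the app.org_id setting are assumptions.

```sql
-- Added example: PostgreSQL row-level security enforcing per-organisation scope.
-- Table name, role name and the app.org_id setting are assumptions, not ProcuHelp's.
CREATE TABLE purchase_request (
    id     bigserial PRIMARY KEY,
    org_id uuid NOT NULL,
    title  text NOT NULL
);

-- Turn RLS on and make it apply even to the table owner.
ALTER TABLE purchase_request ENABLE ROW LEVEL SECURITY;
ALTER TABLE purchase_request FORCE ROW LEVEL SECURITY;

-- Rows are visible (USING) and writable (WITH CHECK) only when their org_id
-- matches the organisation pinned for the current transaction. If app.org_id is
-- unset or empty, the comparison evaluates to NULL, which RLS treats as deny:
-- the policy fails closed instead of returning every tenant's rows.
CREATE POLICY org_scope ON purchase_request
    USING      (org_id = NULLIF(current_setting('app.org_id', true), '')::uuid)
    WITH CHECK (org_id = NULLIF(current_setting('app.org_id', true), '')::uuid);

-- The application connects as a role that neither owns the table nor has BYPASSRLS.
CREATE ROLE app_user LOGIN;
GRANT SELECT, INSERT, UPDATE, DELETE ON purchase_request TO app_user;
GRANT USAGE, SELECT ON SEQUENCE purchase_request_id_seq TO app_user;

-- Per request, the application pins the tenant inside the transaction.
-- SET LOCAL lasts only for this transaction, so a pooled connection cannot
-- carry one organisation's scope into the next request.
BEGIN;
SET LOCAL app.org_id = '11111111-1111-1111-1111-111111111111';  -- constructed id
INSERT INTO purchase_request (org_id, title)
    VALUES ('11111111-1111-1111-1111-111111111111', 'Laptops Q3');
-- A row for a different organisation would be rejected by WITH CHECK:
-- INSERT INTO purchase_request (org_id, title)
--     VALUES ('22222222-2222-2222-2222-222222222222', 'Other tenant');
SELECT id, title FROM purchase_request;  -- only this organisation's rows come back
COMMIT;

-- Verify that RLS is enabled and forced on the table rather than assuming it:
SELECT relname, relrowsecurity, relforcerowsecurity
FROM pg_class WHERE relname = 'purchase_request';
```

The last query is the audit check: both flags must be true, and the application's role must not be a superuser or carry BYPASSRLS, otherwise the policy is silently skipped.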
Daily backups, tested
Automated backups run daily and are retained on encrypted storage separate from the primary database. Restoring a backup isn’t a paper exercise: we test restore paths periodically so we know they work before we need them.
Secrets in a vault, not in code
API keys, OAuth tokens, and other sensitive credentials are stored in an encrypted secret store, accessed at runtime only by the services that need them. No secret is ever returned to the frontend or written into source code, environment variables, or logs.
Who gets in, and how
Every login is authenticated, every action is attributed, and every privileged operation is logged. The status badges below show what’s available today and what’s on request for Enterprise plans.
Single sign-on via Microsoft Entra ID
Federate authentication with your existing Microsoft tenant. User provisioning, deprovisioning, and group-based access mapping all flow through your identity provider, so your existing access policies apply to ProcuHelp without extra configuration.
SAML 2.0 for other identity providers
For Enterprise customers using identity providers other than Microsoft, we configure SAML 2.0 SSO on request. The integration ties into your existing access policies, password rules, and lifecycle management.
Multi-factor authentication, opt-in for every user
Any user can enable time-based MFA from their account settings. For organisations that use SSO, MFA is enforced by your identity provider, which is the right place for it; we honour whatever policy your IdP applies.
Audit logging, append-only
Every privileged action, approval, contract change, supplier invitation, and admin operation is recorded with the actor, the timestamp, and the context. Logs are append-only and exportable for your own retention and audit purposes.
Role-based access, least privilege by default
User accounts in ProcuHelp are scoped to specific roles (admin, approver, requester, read-only). New users start with the minimum role needed, and admins can adjust later. Our own production access is even more restricted: limited to a small number of named individuals, time-bound, and logged.
Built for European privacy law
ProcuHelp B.V. is a Dutch company processing your data under EU GDPR. The platform is built to keep personal data inside the EU, minimise what we collect, and give you the tools to handle data subject requests when they come in.
We act as a data processor on your behalf for the procurement data you put into ProcuHelp. A standard GDPR-compliant Data Processing Agreement is available and signed before you go live. The agreement names our subprocessors, defines our security commitments, and sets out the procedures for handling data subject requests, breach notification, and audit rights.
If you have specific privacy questions, contact privacy@procuhelp.com. For data subject access requests submitted on behalf of your end users, your admin has tools in the platform to export or delete a user’s data directly.
How we keep the platform itself secure
Controls on customer data are necessary but not sufficient. The platform that processes that data has to be secure as a system: dependencies kept current, attack surface monitored, and a structured review process that doesn’t depend on heroics.
Structured review, on a schedule
We run a 31-section internal security review aligned to OWASP Top 10, OWASP API Security Top 10, and OWASP LLM Top 10. The review covers authentication, authorisation, input validation, secrets management, dependency hygiene, AI surface area, and operational hygiene. Findings get triaged into a remediation backlog.
Always-on monitoring
Application and infrastructure logs are collected centrally. Abnormal patterns (failed authentications, unusual traffic, error spikes) generate alerts to the on-call engineer. Access to logs is itself logged; reading the audit trail is a recorded event.
Browser protections enforced at the edge
A strict Content Security Policy, together with standard hardening headers (HSTS, X-Frame-Options, Referrer-Policy), is enforced on every response. Web application firewall protections sit in front of our public endpoints, filtering known malicious traffic before it reaches our application.
Dependencies stay current
The codebase has automated vulnerability scanning on every dependency change. Critical and high CVEs trigger an immediate patch cycle; lower-severity issues get batched into our regular release schedule. We don’t ship dependencies we haven’t scanned.
If you find something
We welcome reports from security researchers and customers who find vulnerabilities in ProcuHelp. If you find something, tell us first, and we’ll work with you to fix it before it becomes a problem for anyone else.
What we ask:
- Report to security@procuhelp.com with enough detail for us to reproduce.
- Give us a reasonable chance to fix the issue before disclosing it publicly.
- Don’t access, modify, or delete other customers’ data while testing.
- Avoid testing that would degrade service for other users (no DoS, no spam).
What you get back: we’ll acknowledge your report within 2 business days, keep you informed as we investigate, and credit you in our changelog if you’d like that. We don’t currently run a paid bug bounty, but we appreciate the work and treat reporters professionally.
Want the detail?
This page covers the principles and controls. For procurement teams, IT security teams, and CISOs who need to verify before signing, we maintain a 22-page security overview that goes deeper: architecture, threat model, access matrix, subprocessor list, retention policy, incident response procedure, and the full output of our latest internal review.
We share it under a standard NDA. Request access below and we’ll send it within one business day.
- Architecture & data flow (p. 03)
- Threat model (p. 06)
- Access matrix & auth (p. 09)
- Subprocessors (p. 12)
- Retention & deletion (p. 14)
- Incident response (p. 16)
- Self-audit findings (p. 19)
Security is a conversation
If your procurement or IT security team has questions this page doesn’t answer, get in touch. We’ll either answer directly or share the 22-page security overview under NDA.
