Security

How we protect your data

A plain-English overview of what Vendor Hub collects, how we secure it, and how to reach us about a vulnerability.

What we collect

The minimum data needed to run a vendor-management platform: your name, email, optional phone, organization, and ZIP for matching. Vendors add their business profile, services, and photos. RFPs and messages stay between the parties involved.

We do not collect Social Security numbers, government IDs, payment card numbers, or health data. Card details go directly to Stripe (PCI DSS Level 1) — we hold only an opaque customer token.

How we protect it

All traffic is HTTPS. Data at rest is encrypted (AES-256). Every database table holding user data has row-level security enforced inside Postgres — a bug in our application code cannot widen access on its own. Conversations, RFPs, and saved-vendor lists are visible only to the parties involved.
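
The row-level-security guarantee described above can be seen in a small Supabase-style Postgres schema. This is an added illustration, not Vendor Hub's actual schema or policies: the table and column names are invented, and `auth.uid()` is Supabase's helper that returns the calling user's id from the request JWT (an assumption about the platform, not something this page states).

```sql
-- Constructed example: a two-party conversation model with access
-- enforced by Postgres RLS rather than by application code.
-- Names are invented; auth.uid() is the Supabase JWT-subject helper.

create table conversations (
  id         uuid primary key default gen_random_uuid(),
  buyer_id   uuid not null,
  vendor_id  uuid not null,
  created_at timestamptz not null default now()
);

create table messages (
  id              bigint generated always as identity primary key,
  conversation_id uuid not null references conversations(id),
  sender_id       uuid not null default auth.uid(),
  body            text not null,
  sent_at         timestamptz not null default now()
);

-- Turn RLS on and make it apply even to the table owner, so there is no
-- role the application connects as that silently skips the policies.
alter table conversations enable row level security;
alter table conversations force row level security;
alter table messages enable row level security;
alter table messages force row level security;

-- A conversation is readable only by its two parties.
create policy conversations_party_select on conversations
  for select using (auth.uid() in (buyer_id, vendor_id));

-- Messages inherit that rule by checking the parent conversation.
create policy messages_party_select on messages
  for select using (
    exists (
      select 1 from conversations c
      where c.id = messages.conversation_id
        and auth.uid() in (c.buyer_id, c.vendor_id)
    )
  );

-- Inserting requires being a party AND stamping yourself as the sender,
-- so a client cannot write a message "from" someone else.
create policy messages_party_insert on messages
  for insert with check (
    sender_id = auth.uid()
    and exists (
      select 1 from conversations c
      where c.id = messages.conversation_id
        and auth.uid() in (c.buyer_id, c.vendor_id)
    )
  );

-- Supabase's end-user role; grants are still needed alongside policies.
grant select on conversations to authenticated;
grant select, insert on messages to authenticated;

-- With the policies in place, an application query that forgets its
-- WHERE clause entirely still returns only the caller's conversations:
--   select * from messages;   -- filtered by RLS, not by the app
```

The caveat a practitioner would check: these policies only bind queries that run as the end user's role (`authenticated`, via the user's JWT). A Supabase `service_role` connection has `bypassrls`, so any server-side code using the service key is back to trusting the application's own checks; keeping that key out of request-handling paths is what makes "a bug in our application code cannot widen access" hold.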

Authentication runs on Supabase Auth; passwords are bcrypt-hashed and never seen by Vendor Hub. Auth emails go through a signed webhook to Resend — an unsigned request cannot trigger a sign-in or password-reset email.

Subprocessors

We rely on a small number of vetted infrastructure vendors, each with their own security attestations:

  • Vercel: hosting + edge network (US)
  • Supabase: database + auth + storage (US-West)
  • Stripe: payments (PCI DSS Level 1)
  • Resend: transactional email (US-East)

Incident response

If we discover a security incident affecting your data, we notify the affected accounts within 72 hours of confirming scope, and earlier if there's active risk. The notice covers what happened, what data was involved, what we've done about it, and what you should do (if anything). We log every admin action, sign-in, password change, and refund into an append-only audit table so we can reconstruct the timeline if asked.
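
An append-only audit table of the kind described above can be enforced inside Postgres itself, so that even application code with write access to the table cannot rewrite history. This is an added example, not Vendor Hub's own table or triggers; the table name, columns, and the role names (`authenticated`, `anon`) are assumptions following Supabase conventions.

```sql
-- Constructed example: an audit table that accepts INSERTs only.
-- Names are invented; roles follow Supabase's authenticated/anon split.

create table audit_log (
  id          bigint generated always as identity primary key,
  occurred_at timestamptz not null default now(),
  actor_id    uuid,                 -- who did it (null for system jobs)
  action      text not null,        -- e.g. 'sign_in', 'password_change', 'refund'
  target      text,                 -- what it was done to
  details     jsonb                 -- structured context for timeline reconstruction
);

-- Belt: no role the app runs as may modify or clear existing rows.
revoke update, delete, truncate on audit_log from authenticated, anon, public;
grant select, insert on audit_log to authenticated;

-- Braces: a trigger rejects UPDATE/DELETE/TRUNCATE regardless of grants,
-- which also catches a later, mistaken GRANT.
create or replace function audit_log_immutable() returns trigger
language plpgsql as $$
begin
  raise exception 'audit_log is append-only; % is not permitted', tg_op;
end;
$$;

create trigger audit_log_no_rewrite
  before update or delete on audit_log
  for each row execute function audit_log_immutable();

create trigger audit_log_no_truncate
  before truncate on audit_log
  for each statement execute function audit_log_immutable();

-- Recording an event is a plain insert:
insert into audit_log (actor_id, action, target, details)
values ('00000000-0000-0000-0000-000000000001', 'password_change',
        'user:00000000-0000-0000-0000-000000000001',
        '{"ip": "198.51.100.7", "method": "self_service"}');

-- Reconstructing a timeline is a plain ordered read:
select occurred_at, actor_id, action, target
from audit_log
where actor_id = '00000000-0000-0000-0000-000000000001'
order by occurred_at;
```

The limit of this design is worth stating: a superuser or the table owner can still drop the triggers, so "append-only" holds against application bugs and compromised application credentials, not against a compromised database administrator. Shipping the same rows to an external, write-once log sink is the usual next step when that stronger property is needed.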

Audits and certifications

SOC 2 Type II: not yet — Vendor Hub launched in 2026, and a Type II audit requires a 6+ month observation window. We plan to begin the readiness assessment after we've been live for a year. ISO 27001 and other formal certifications are on the same path.

In the meantime, we lean hard on the certifications of our subprocessors (Stripe PCI DSS Level 1, Supabase SOC 2 Type II, Vercel SOC 2 Type II), keep our own posture documented internally, and respond to security questionnaires from enterprise prospects on request.

Your rights

You can access, correct, or delete your data at any time. Most edits are self-serve in your profile; for anything you can't change yourself, email privacy@getvendorhub.com. Deletion is permanent and removes your records from our database within 7 days (the time it takes our backups to roll over).

Our Privacy Policy covers the legal detail. If you have questions about how Vendor Hub handles a specific request, the privacy mailbox is the right place to start.

Reporting a vulnerability

Found something that looks like a security issue? Email us at security@getvendorhub.com. We respond within two business days, work in good faith with researchers who give us reasonable time to fix issues before publishing, and credit responsible reporters in our changelog (with permission).

Machine-readable contact: /.well-known/security.txt

For deeper detail — incident response, audit findings, or the full control list — contact sales@getvendorhub.com. We're happy to walk through the internal posture document with prospects under NDA.

Last reviewed May 4, 2026.