Legal

Security

Practices overviewUpdated 6 July 2026 · Formal measures: DPA Annex 1

DFBL Procure holds your procurement data: suppliers, prices, contracts, savings. This page describes how we protect it, in plain language. The contractual version of these measures lives in our Data Processing Agreement (Annex 1), which we sign with every customer.

1. Access & identity

  • Passwords require 12+ characters with complexity rules, and are stored hashed (bcrypt). Reset is self-service.
  • Two-factor authentication (TOTP) is available to every user and can be made mandatory for all administrators of your organisation. We enable this enforcement at onboarding on request.
  • Login endpoints are rate-limited against brute force. Session lifetime is configurable per organisation.
  • Server-side role-based access control (admin, manager, member, read-only) plus per-project permissions. Every permission check runs on the server, never only in the browser.

2. Tenant isolation & audit

  • Every customer organisation is isolated at the data-access layer: a middleware scopes every database model to your organisation on every query. Isolation is systematic, not re-implemented screen by screen.
  • A full audit log records who did what and when. It is retained 12 months and exportable from the app.
  • Deletions are soft and traced with a reason — nothing disappears silently.

3. Documents & data handling

  • Contract and invoice PDFs are not stored. The app extracts the data it needs (dates, prices, line items), then the file is discarded. Less stored data means less exposure.
  • You can export all your organisation's data in one click (GDPR portability), at any time.
  • On contract termination, your data is returned then deleted within the window defined in the Terms.

4. AI and your data

  • AI features run through API keys held server-side by DFBL. Your users never handle AI credentials.
  • We use commercial APIs (Anthropic, Google, Perplexity) under their business terms: API data is not used to train their models.
  • Each AI call is metered. Usage caps and a per-organisation kill switch let us stop AI processing for your organisation at any time.
  • AI failures and usage are logged and reviewed — the models in use are health-checked daily.

5. Infrastructure

  • Hosted in the European Union. TLS 1.2+ on every connection.
  • Application and database run in a private network behind a reverse proxy; the database is not reachable from the internet.
  • Strict HTTP security headers (Content-Security-Policy, HSTS, and related).
  • Daily database backups with a 7-day rolling window, plus an automatic backup before every deployment.
  • Centralised error monitoring and a public status page.

6. Compliance & roadmap

  • We sign a GDPR Article 28 Data Processing Agreement with every customer. Sub-processors and their purposes are listed in its Annex 2.
  • Dependency audits run continuously; High/Critical CVEs are patched within 30 days.
  • What we do not claim: DFBL Procure is not ISO 27001 or SOC 2 certified today. Our controls follow those frameworks; certification is planned as we grow.
  • On the security roadmap: single sign-on (SAML / OIDC) and an external penetration test. Customers who require them help us prioritise.

7. Security reviews

We answer security questionnaires and take review calls with your security team — usually within a few business days. Write to legal@dfbl-solution.com.