Last updated: March 30, 2026
Security
Procurement data is sensitive. We treat security as a core product requirement, not an afterthought.
Procura is a product under OnyxLabs, a brand operated by Onyx Management, LLC.
1. Data Encryption
In Transit
All data transmitted between your browser and Procura is encrypted using TLS 1.2 or higher. API communications are enforced over HTTPS with HSTS and security headers enabled. We do not support plaintext HTTP connections.
At Rest
Sensitive credentials (API keys, OAuth tokens) are encrypted at the application level using Fernet symmetric encryption with PBKDF2 key derivation. Customer data stored in our managed databases benefits from infrastructure-level encryption provided by our cloud hosting provider.
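The "Fernet with PBKDF2 key derivation" pattern above is a standard construction from the Python cryptography library, and the following added example (not Procura's own code) shows how the pieces fit: a passphrase is stretched with PBKDF2-HMAC-SHA256 into the 32-byte key Fernet expects, a fresh random salt is stored alongside each ciphertext, and the authenticated token rejects both a wrong key and any modification of the stored blob. The iteration count, salt length and the salt-prefix layout are assumptions for illustration, not values taken from the page.

```python
# Added example (not Procura's code): application-level credential encryption
# with a Fernet key derived from a passphrase via PBKDF2-HMAC-SHA256.
# Assumes the `cryptography` package is installed. Parameters are illustrative.
import base64
import os
from typing import Optional

from cryptography.fernet import Fernet, InvalidToken
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.kdf.pbkdf2 import PBKDF2HMAC

PBKDF2_ITERATIONS = 600_000  # assumed value; tune to your latency budget
SALT_LEN = 16                # per-record random salt, stored with the ciphertext


def derive_fernet_key(passphrase: bytes, salt: bytes) -> bytes:
    """Stretch a passphrase into the urlsafe-base64, 32-byte key Fernet requires."""
    kdf = PBKDF2HMAC(
        algorithm=hashes.SHA256(), length=32, salt=salt, iterations=PBKDF2_ITERATIONS
    )
    return base64.urlsafe_b64encode(kdf.derive(passphrase))


def encrypt_credential(passphrase: bytes, plaintext: bytes) -> bytes:
    """Return salt || fernet_token; the salt must travel with the ciphertext."""
    salt = os.urandom(SALT_LEN)
    token = Fernet(derive_fernet_key(passphrase, salt)).encrypt(plaintext)
    return salt + token


def decrypt_credential(
    passphrase: bytes, blob: bytes, max_age_s: Optional[int] = None
) -> Optional[bytes]:
    """Recover the credential, or return None if the passphrase is wrong, the
    token was tampered with (Fernet authenticates with HMAC-SHA256), or the
    token is older than max_age_s seconds."""
    if len(blob) <= SALT_LEN:
        return None
    salt, token = blob[:SALT_LEN], blob[SALT_LEN:]
    try:
        return Fernet(derive_fernet_key(passphrase, salt)).decrypt(token, ttl=max_age_s)
    except InvalidToken:
        return None


if __name__ == "__main__":
    # Constructed sample: a fake API key protected under a fake master passphrase.
    blob = encrypt_credential(b"example-master-passphrase", b"sk_example_0000")
    print(decrypt_credential(b"example-master-passphrase", blob))
    print(decrypt_credential(b"wrong-passphrase", blob))
```

Two points worth noting for a reviewer. PBKDF2 only earns its cost when the key material is a human-chosen passphrase; if the application secret is already a random 32-byte value from a secret manager, it can be base64-encoded and handed to Fernet directly. And because Fernet tokens embed a timestamp, `ttl` gives a cheap way to force re-encryption of long-lived credentials on a rotation schedule.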
2. Infrastructure
Procura runs on managed cloud infrastructure with the following characteristics:
- Hosted on cloud providers that maintain SOC 2 Type II certified data centers
- Provider-managed network isolation and security groups
- Managed database backups via our cloud hosting provider
- Application-level rate limiting to mitigate abuse
- Infrastructure-as-code with version-controlled deployments (Render Blueprint, Netlify)
- Environment separation via configuration management
3. Access Controls
We enforce strict access controls at every layer:
- Application level: Role-based access control (RBAC) ensures users only see data they are authorized to access
- Internal access: Employee access to production systems follows the principle of least privilege, with multi-factor authentication required
- Audit logging: All access to customer data is logged and monitored
- Session management: Secure session handling with configurable timeout policies
4. Authentication
Procura supports secure authentication:
- Secure password policies with bcrypt hashing
- Multi-factor authentication (MFA) via TOTP-based authenticator apps
- SSO integration via SAML 2.0 and Azure AD (Enterprise tier, on roadmap)
- API authentication via time-limited bearer tokens
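For the time-limited bearer tokens item, the following added example (not Procura's own code) shows one minimal construction: a JSON payload carrying the subject, issue time and expiry, signed with HMAC-SHA256 and checked in constant time before any claim is trusted. The key, subject and timestamps are constructed; real deployments would add a token identifier for revocation, which this illustration omits.

```python
# Added example (not Procura's code): issuing and checking time-limited bearer
# tokens tagged with HMAC-SHA256, standard library only. Values are constructed.
import base64
import binascii
import hashlib
import hmac
import json
import time
from typing import Optional


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(key: bytes, subject: str, ttl_s: int, now: Optional[float] = None) -> str:
    """Token = base64(payload) '.' base64(HMAC-SHA256(key, payload))."""
    issued = int(now if now is not None else time.time())
    claims = {"sub": subject, "iat": issued, "exp": issued + ttl_s}
    payload = json.dumps(claims, separators=(",", ":"), sort_keys=True).encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return f"{_b64(payload)}.{_b64(tag)}"


def check_token(key: bytes, token: str, now: Optional[float] = None) -> Optional[dict]:
    """Return the claims if the tag verifies and the token is unexpired, else None.
    The tag is checked first so no field of an unverified payload is ever used."""
    try:
        payload_b64, tag_b64 = token.split(".")
        payload = _unb64(payload_b64)
        tag = _unb64(tag_b64)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    claims = json.loads(payload)
    current = now if now is not None else time.time()
    if current >= claims["exp"]:
        return None
    return claims


if __name__ == "__main__":
    key = b"constructed-signing-key"
    tok = issue_token(key, "user-42", ttl_s=900, now=1_700_000_000)
    print(tok)
    print(check_token(key, tok, now=1_700_000_100))   # valid
    print(check_token(key, tok, now=1_700_001_000))   # expired -> None
```

Expiry alone does not let you cut off a single leaked token before it lapses; that needs either short lifetimes paired with a refresh flow, or a per-token identifier checked against a revocation list on each request.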
5. Data Processing and AI
Your procurement data is processed by our AI classification engine with the following safeguards:
- Data isolation: Each customer's data is logically isolated. One customer's data is never accessible to another.
- No model training on customer data: Your data is not used to train shared AI models. Classification models are applied to your data, not trained on it.
- AI processing disclosure: Certain AI features (spend classification, conversational analytics) transmit data to Anthropic's Claude API for processing. Anthropic's commercial API terms prohibit using customer data for model training. Users can manage AI processing consent within their account settings.
- Retention controls: You retain full ownership of your data. Upon contract termination, data can be exported via our GDPR data export endpoint or securely deleted upon request.
6. Application Security
Our development practices include:
- Secure development lifecycle with code reviews required on all changes
- Input validation via schema enforcement (Pydantic) and parameterized queries (SQLAlchemy ORM)
- Automated dependency scanning via Dependabot and pip-audit in CI
- Content Security Policy (CSP), HSTS, and other security headers on all responses
- Global API rate limiting to prevent abuse
- Structured error handling that does not expose implementation details to clients
7. Incident Response
We are committed to transparent incident handling:
- Customer notification within 72 hours of confirmed data breaches, in compliance with GDPR requirements
- Post-incident review and remediation
- Structured logging and audit trails to support investigation
8. Compliance
Procura is committed to meeting the compliance requirements expected by enterprise procurement organizations:
- SOC 2 Type II: We are actively pursuing SOC 2 Type II certification. Our infrastructure and processes are designed to meet SOC 2 Trust Service Criteria for Security, Availability, and Confidentiality.
- GDPR: We support data subject rights including data export (portability) and account deletion (right to erasure) via dedicated API endpoints. Users can manage AI processing consent within their account.
- CCPA: We do not sell personal information. Users can request data export and account deletion at any time.
9. Responsible Disclosure
We welcome responsible security research. If you discover a vulnerability in our services, please report it to us:
Email: legal@get-procura.ai
We ask that you:
- Provide sufficient detail for us to reproduce and fix the issue
- Allow reasonable time for remediation before public disclosure
- Do not access or modify other users' data
- Do not disrupt service availability
We commit to acknowledging receipt within 2 business days and providing an initial assessment within 5 business days.
10. Questions
For security-related inquiries or to request our security documentation, please contact:
Procura — a product under OnyxLabs, a brand operated by Onyx Management, LLC
Email: legal@get-procura.ai
For general inquiries: hello@get-procura.ai