Last updated · March 30, 2026

Security

Procurement data is sensitive. We treat security as a core product requirement, not an afterthought.

Procura is a product under OnyxLabs, a brand operated by Onyx Management, LLC.

1. Data Encryption

In Transit

All data transmitted between your browser and Procura is encrypted using TLS 1.2 or higher. API communications are enforced over HTTPS with HSTS and security headers enabled. We do not support plaintext HTTP connections.

At Rest

Sensitive credentials (API keys, OAuth tokens) are encrypted at the application level with Fernet (AES-128-CBC with an HMAC-SHA256 authentication tag), using an encryption key derived via PBKDF2. Customer data stored in our managed databases is covered by infrastructure-level encryption at rest provided by our cloud hosting provider.

2. Infrastructure

Procura runs on managed cloud infrastructure with the following characteristics:

  • Hosted on cloud providers whose data centers are covered by SOC 2 Type II attestation reports
  • Provider-managed network isolation and security groups
  • Managed database backups via our cloud hosting provider
  • Application-level rate limiting to mitigate abuse
  • Infrastructure-as-code with version-controlled deployments (Render Blueprint, Netlify)
  • Environment separation via configuration management

3. Tenant Isolation

Procura is a multi-tenant SaaS application with strict data isolation enforced at the application layer:

  • Row-level isolation: every database table includes an organization identifier, and every query is scoped to the requesting user's organization. The organization is resolved server-side from the authenticated user's binding, never taken from client-supplied input, and there is no code path that returns data without a resolved user-organization binding.
  • No shared analytics or AI context: dashboards, reports, and conversational AI queries are scoped to the requesting organization. One customer's data is never accessible to, or commingled with, another customer's.
  • Audit-grade history: every cleansed spend record preserves the original source data alongside the normalized version, enabling full audit and replay without destructive transformations.
  • Per-tenant configuration: field mappings, classification rules, taxonomies, and connector credentials live in per-organization configuration rows. We do not branch product behavior by tenant.
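A minimal implementation of the row-level scoping described above, added here as an illustration rather than Procura's own code. It uses sqlite3 from the Python standard library in place of the managed PostgreSQL/SQLAlchemy stack the page describes; the table names, column names and sample organizations are assumptions. The point it demonstrates is that the organization is resolved server-side from the user record and then bound into every statement, so a primary-key lookup for another tenant's row returns nothing rather than a distinguishable error that could be used to enumerate foreign ids.

```python
"""Tenant-scoped repository: every statement carries the caller's org_id.

Added example, not Procura's code. sqlite3 stands in for the managed
PostgreSQL/SQLAlchemy stack; schema and sample data are constructed.
"""
import sqlite3
from dataclasses import dataclass
from typing import Optional

SCHEMA = """
CREATE TABLE organizations (id INTEGER PRIMARY KEY, name TEXT NOT NULL);
CREATE TABLE users (
    id     INTEGER PRIMARY KEY,
    email  TEXT NOT NULL UNIQUE,
    org_id INTEGER NOT NULL REFERENCES organizations(id)
);
CREATE TABLE spend_records (
    id       INTEGER PRIMARY KEY,
    org_id   INTEGER NOT NULL REFERENCES organizations(id),
    supplier TEXT NOT NULL,
    amount   REAL NOT NULL
);
CREATE INDEX ix_spend_records_org ON spend_records (org_id);
"""


@dataclass(frozen=True)
class Principal:
    """The resolved user-organization binding every query is scoped by."""
    user_id: int
    org_id: int


class TenantScopeError(PermissionError):
    """Raised when a request cannot be bound to exactly one organization."""


def resolve_principal(conn: sqlite3.Connection, user_id: int) -> Principal:
    """Look the caller's organization up server-side; an org_id sent by the
    client is never consulted."""
    row = conn.execute("SELECT id, org_id FROM users WHERE id = ?", (user_id,)).fetchone()
    if row is None:
        raise TenantScopeError(f"user {user_id} has no organization binding")
    return Principal(user_id=row[0], org_id=row[1])


class SpendRepository:
    """Every statement ANDs in the principal's org_id, so no method on this
    class can return or modify another tenant's rows."""

    def __init__(self, conn: sqlite3.Connection, principal: Principal):
        self._conn = conn
        self._org_id = principal.org_id

    def insert(self, supplier: str, amount: float) -> int:
        cur = self._conn.execute(
            "INSERT INTO spend_records (org_id, supplier, amount) VALUES (?, ?, ?)",
            (self._org_id, supplier, amount),  # org_id from the principal, not the caller
        )
        return cur.lastrowid

    def list_all(self) -> list:
        return self._conn.execute(
            "SELECT id, supplier, amount FROM spend_records WHERE org_id = ? ORDER BY id",
            (self._org_id,),
        ).fetchall()

    def get(self, record_id: int) -> Optional[tuple]:
        # Primary-key lookups keep the org predicate. A foreign record is
        # indistinguishable from a missing one: no 403-vs-404 oracle.
        return self._conn.execute(
            "SELECT id, supplier, amount FROM spend_records WHERE id = ? AND org_id = ?",
            (record_id, self._org_id),
        ).fetchone()

    def total_spend(self) -> float:
        row = self._conn.execute(
            "SELECT COALESCE(SUM(amount), 0) FROM spend_records WHERE org_id = ?",
            (self._org_id,),
        ).fetchone()
        return float(row[0])


def build_demo() -> sqlite3.Connection:
    """Constructed sample data: two organizations with one user each."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO organizations VALUES (?, ?)", [(1, "Acme"), (2, "Globex")])
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(10, "alice@acme.example", 1), (20, "bob@globex.example", 2)])
    return conn


def cross_tenant_check() -> dict:
    """Alice (org 1) writes a record; Bob (org 2) tries to read it by id."""
    conn = build_demo()
    alice = SpendRepository(conn, resolve_principal(conn, 10))
    bob = SpendRepository(conn, resolve_principal(conn, 20))
    rid = alice.insert("Initech Supplies", 1250.00)
    bob.insert("Umbrella Logistics", 80.50)
    return {
        "alice_sees_own": alice.get(rid) is not None,
        "bob_sees_alice": bob.get(rid),  # None: scoped out, not an error
        "alice_total": alice.total_spend(),
        "bob_total": bob.total_spend(),
        "bob_count": len(bob.list_all()),
    }


if __name__ == "__main__":
    print(cross_tenant_check())
```

The repository takes the organization from the Principal at construction and never from method arguments, so a handler cannot forget the predicate; in a real ORM the same effect is usually achieved with a base query or session filter applied to every model that carries org_id.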

4. Access Controls

We enforce strict access controls at every layer:

  • Application level: Role-based access control (RBAC) with category-scoped visibility ensures users only see data they are authorized to access. Category managers can be limited to specific UNSPSC L1 / L2 categories.
  • Internal access: Employee access to production systems follows the principle of least privilege, with multi-factor authentication required.
  • Production change control: all changes to production code are made via pull request with mandatory reviewer approval and automated CI checks. Direct commits to production branches are blocked.
  • Audit logging: permission changes are recorded in an immutable, append-only audit log; data-access events and per-record ingestion transformations are logged with actor, timestamp, and full lineage.
  • Session management: Secure session handling with configurable timeout policies, including per-tenant SSO session-timeout configuration.

5. Authentication

Procura supports secure authentication:

  • Secure password policies with bcrypt hashing
  • Multi-factor authentication (MFA) via TOTP-based authenticator apps
  • SSO integration via SAML 2.0, configurable per tenant (Enterprise tier)
  • API authentication via time-limited bearer tokens

6. Data Processing and AI

Your procurement data is processed by our AI classification engine with the following safeguards:

  • Data isolation: Each customer's data is logically isolated. One customer's data is never accessible to another.
  • No model training on customer data: Your data is not used to train shared AI models. Classification models are applied to your data, not trained on it.
  • AI processing disclosure: Certain AI features (spend classification, conversational analytics) transmit data to Anthropic's Claude API for processing. Anthropic's commercial API terms prohibit using customer data for model training. Users can manage AI processing consent within their account settings.
  • Retention controls: You retain full ownership of your data. Upon contract termination, data can be exported via our GDPR data export endpoint or securely deleted upon request.

7. Data Retention and Deletion

Customer data lifecycle is governed by mutual contract terms and applicable legal requirements:

  • Active retention: customer data is retained for the duration of the active contract.
  • Customer-initiated export: customers may export procurement data, reports, and analytics at any time during the contract via the application or our GDPR data export endpoint, in CSV, Excel, or PDF formats.
  • Customer-initiated deletion: customers may request account and data deletion at any time. Deletion is performed within 30 days of request unless a legal hold applies.
  • Backups: managed database backups are retained per our cloud hosting provider's standard policy and are subject to the same isolation and access controls as production data.
  • Audit and security logs: retained to support investigation and compliance review; specific retention windows are governed by our subprocessor agreements and available on request.

8. Application Security

Our development practices include:

  • Secure development lifecycle with code reviews required on all changes
  • Input validation via schema enforcement (Pydantic) and parameterized queries (SQLAlchemy ORM)
  • Automated dependency scanning via Dependabot and pip-audit in CI
  • Content Security Policy (CSP), HSTS, and other security headers on all responses
  • Global API rate limiting to prevent abuse
  • Structured error handling that does not expose implementation details to clients
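The HTTPS-only, security-header and rate-limiting controls described in sections 1 and 8, shown as one WSGI middleware. This is an added example and not Procura's code; the header values, the 5 requests/second with a burst of 10, and the sample client addresses are assumptions, and the token buckets live in process memory (a multi-instance deployment would back them with shared storage such as Redis). The bucket is driven by an injectable clock so the behaviour can be checked deterministically.

```python
"""HTTPS-only redirect, security headers and a per-client token bucket as
WSGI middleware. Added example, not Procura's code; values are assumptions."""
import json
import time
from collections import defaultdict
from typing import Callable

SECURITY_HEADERS = [
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("Content-Security-Policy",
     "default-src 'self'; object-src 'none'; frame-ancestors 'none'; base-uri 'self'"),
    ("X-Content-Type-Options", "nosniff"),
    ("Referrer-Policy", "strict-origin-when-cross-origin"),
    ("Cache-Control", "no-store"),
]


class TokenBucket:
    """Refills `rate` tokens per second up to `burst`; one token per request."""

    def __init__(self, rate: float, burst: int, clock: Callable[[], float]):
        self.rate, self.burst, self.clock = rate, burst, clock
        self.tokens = float(burst)
        self.updated = clock()

    def allow(self) -> bool:
        now = self.clock()
        self.tokens = min(self.burst, self.tokens + (now - self.updated) * self.rate)
        self.updated = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class HardenedApp:
    def __init__(self, app, rate=5.0, burst=10, clock=time.monotonic):
        self.app = app
        self.buckets = defaultdict(lambda: TokenBucket(rate, burst, clock))

    @staticmethod
    def _client_key(environ) -> str:
        # REMOTE_ADDR is what the server itself saw. Read X-Forwarded-For
        # only when a trusted proxy in front of the app is known to set it.
        return environ.get("REMOTE_ADDR", "unknown")

    def __call__(self, environ, start_response):
        def respond(status, extra_headers, body):
            start_response(status, extra_headers + SECURITY_HEADERS)
            return [body]

        if environ.get("wsgi.url_scheme") != "https":
            # Production code validates HTTP_HOST against an allowlist first,
            # otherwise this becomes an open redirect via the Host header.
            target = "https://" + environ.get("HTTP_HOST", "") + environ.get("PATH_INFO", "/")
            if environ.get("QUERY_STRING"):
                target += "?" + environ["QUERY_STRING"]
            return respond("308 Permanent Redirect", [("Location", target)], b"")

        if not self.buckets[self._client_key(environ)].allow():
            return respond("429 Too Many Requests",
                           [("Content-Type", "application/json"), ("Retry-After", "1")],
                           json.dumps({"error": "rate_limited"}).encode())

        def start_with_headers(status, headers, exc_info=None):
            present = {name.lower() for name, _ in headers}
            merged = list(headers) + [h for h in SECURITY_HEADERS if h[0].lower() not in present]
            return start_response(status, merged, exc_info)

        return self.app(environ, start_with_headers)


def hello_app(environ, start_response):
    start_response("200 OK", [("Content-Type", "application/json")])
    return [b'{"ok": true}']


def invoke(app, environ) -> tuple:
    """Minimal WSGI caller so the middleware can be exercised without a server."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, dict(headers)

    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


class FakeClock:
    def __init__(self):
        self.now = 0.0

    def __call__(self) -> float:
        return self.now


def simulate() -> dict:
    """Constructed traffic: one client sends 12 requests, waits 1 s, sends 6 more."""
    clock = FakeClock()
    app = HardenedApp(hello_app, rate=5.0, burst=10, clock=clock)
    env = {"wsgi.url_scheme": "https", "REMOTE_ADDR": "203.0.113.7",
           "HTTP_HOST": "api.example", "PATH_INFO": "/v1/spend"}
    statuses = [invoke(app, env)[0] for _ in range(12)]
    clock.now += 1.0                      # 5 tokens refilled
    after_wait = [invoke(app, env)[0] for _ in range(6)]
    ok_headers = invoke(app, {**env, "REMOTE_ADDR": "198.51.100.9"})[1]
    redirect = invoke(app, {**env, "wsgi.url_scheme": "http"})
    return {"statuses": statuses, "after_wait": after_wait,
            "hsts": ok_headers.get("Strict-Transport-Security"),
            "redirect": (redirect[0], redirect[1].get("Location"))}


if __name__ == "__main__":
    print(simulate())
```

Two details matter in practice: the 429 and redirect responses carry the same security headers as successful ones, since an attacker reads error responses too, and the client key is derived from what the server observed rather than from a client-controlled header, since otherwise a caller can spread requests across arbitrary buckets.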

9. Subprocessors

We use a small number of trusted infrastructure and AI providers to deliver Procura. We require an executed Data Processing Agreement with each subprocessor before any production customer data is processed; DPAs in force at the time of contract signature are listed and available on request.

  • Render — application hosting, managed PostgreSQL, managed Redis. Customer procurement data at rest.
  • Netlify — frontend hosting and content delivery. No customer data; static assets only.
  • Anthropic — AI classification and conversational analytics via the Claude API. Spend descriptions and analytics queries are processed under Anthropic's commercial API terms, which prohibit use of customer data for model training.
  • OpenAI — optional AI fallback when configured. Same processing scope as Anthropic.
  • PostHog — product analytics on the Procura web application. Captures user behavior on our application surfaces; does not access customer procurement data.

A current subprocessor list and copies of executed Data Processing Agreements are available on request. We notify customers of material changes to our subprocessor list with reasonable advance notice.

10. Incident Response

We are committed to transparent incident handling:

  • Customer notification within 72 hours of confirmed data breaches, in compliance with GDPR requirements
  • Post-incident review and remediation
  • Structured logging and audit trails to support investigation

11. Compliance

Procura is committed to meeting the compliance requirements expected by enterprise procurement organizations:

  • SOC 2 Type II: We are actively pursuing a SOC 2 Type II attestation report. Our infrastructure and processes are designed to meet the SOC 2 Trust Services Criteria for Security, Availability, and Confidentiality.
  • GDPR: We support data subject rights including data export (portability) and account deletion (right to erasure) via dedicated API endpoints. Users can manage AI processing consent within their account.
  • CCPA: We do not sell personal information. Users can request data export and account deletion at any time.

12. Responsible Disclosure

We welcome responsible security research. If you discover a vulnerability in our services, please report it to us:

Email: legal@get-procura.ai

We ask that you:

  • Provide sufficient detail for us to reproduce and fix the issue
  • Allow reasonable time for remediation before public disclosure
  • Do not access or modify other users' data
  • Do not disrupt service availability

We commit to acknowledging receipt within 2 business days and providing an initial assessment within 5 business days.

13. Questions

For security-related inquiries, security questionnaire responses, or to request copies of our Data Processing Agreements and subprocessor list, please contact:

Procura — a product under OnyxLabs, a brand operated by Onyx Management, LLC
Email: legal@get-procura.ai

We respond to security questionnaires (CAIQ-Lite, SIG Lite, vendor-specific) within 5 business days for active commercial conversations.

For general inquiries: hello@get-procura.ai