How we keep your data safe.
Last updated 27 April 2026. The honest picture of where we are today — what's in place, and what we're still working on.
Encryption
All traffic to Spendyard is served over HTTPS (TLS 1.2 or higher). Your workspace data is encrypted at rest by our infrastructure providers using AES-256. Authentication tokens and secrets never touch our application logs.
Authentication
Sign-in is handled by Clerk, which supports email magic links, passwords, social sign-on, and multi-factor authentication. Sessions are short-lived JWTs bound to your device. We never see or store your password.
Authorization
Every API call is checked against your Clerk session and your workspace membership before any data is read or written. A user can only see and modify the workspaces they belong to — this is enforced server-side in Convex, not in the client.
Infrastructure
Application data lives in Convex, which hosts our database and backend functions on managed cloud infrastructure with automated backups. The frontend is a static build served from a CDN. We don't run our own servers.
Sub-processors
A small, deliberate list of vendors processes data on our behalf — Clerk, Convex, Resend, and Anthropic. The full list with what each one does lives in our privacy policy. We update it before adding any new processor.
Access controls
Production access is limited to a small set of engineers who need it. Administrative actions are logged. All employee accounts on internal tools require multi-factor authentication and disk encryption on the device.
Data retention and deletion
You can delete your workspace from settings at any time. After deletion we keep a short backup window (currently up to 30 days) so you can recover from accidental loss, after which the data is permanently removed from our systems and our processors'.
Reporting a vulnerability
If you find a security issue, please email hello@spendyard.com with details and reproduction steps. We aim to acknowledge reports within two business days. Please don't publicly disclose an issue before we've had a reasonable chance to fix it — we're a small team and we'll work with you in good faith.
What we don't have yet
We want to be straight about the gaps. Spendyard is early — we don't yet hold SOC 2, ISO 27001, or other formal compliance attestations. We haven't commissioned a third-party penetration test. If your procurement process requires those, tell us at hello@spendyard.com — we'll share where it sits on our roadmap and how we can help bridge the gap in the meantime.