Security overview
Last updated: May 2026
01 Our stance, plainly
SourcingPick handles financial and personal data: factory KYC, bank details, invoices, buyer credentials. We built the platform with security as a first-class constraint without claiming an ISO 27001 or SOC 2 certification we haven't earned.
This page is a candid read: what is in place technically, what is in place around governance, and what is on the roadmap. It is updated whenever something material changes; the version below reflects the state as of May 2026.
If you represent an enterprise buyer or compliance team and need deeper material (DPIA, RIA, SIG Lite, etc.), email security@sourcingpick.com.
02 Technical controls in place
Role isolation — every protected route handler calls a requireRole() guard and then checks that the caller belongs to the org that owns the requested resource. No route trusts the proxy layer alone.
Audit log — every sensitive action (KYC, payment, auction edit, pre-tender rejection) writes an AuditLog row recording the actor, the payload and a level (INFO/WARN/ALERT). Rows are retained indefinitely in the database.
Authentication — Auth.js v5 with bcrypt-hashed passwords, an optional TOTP second factor, and a magic-link flow for forwarders (#15). Sessions are signed, HTTP-only cookies with SameSite=Lax.
Payments — Wise Business escrow (sole payment rail from 2026-06). Wise webhooks are RSA-signed; each delivery is signature-checked, persisted as a WebhookEvent row and can be replayed from the admin UI. Settlement is idempotent on providerRef, so a redelivered or replayed event cannot settle twice.
Attachments — typed (image/video/audio/file), size-capped per context, with the MIME type sniffed from the uploaded bytes rather than taken from the client. Forwarder magic links carry a TTL and can be revoked.
Factory-price confidentiality — quotes are stored in two tiers, and the buyer-facing tier never carries the factory price or the platform margin.
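As an added illustration of the route guard described in the Role isolation item (example code written for this page, not SourcingPick's own implementation): a TypeScript handler that runs requireRole() and then an org-membership check against the resource's owning org, so that a valid session cannot reach another tenant's auction by guessing an id. The Session and Role types, the in-memory orgMembers and auctions tables, the Forbidden error and the editAuction handler are hypothetical stand-ins for the real schema and routes.

```typescript
// Added example, not project code. Roles mirror the account types named on the page.
type Role = "client" | "factory" | "agent" | "admin";

interface Session {
  userId: string;
  role: Role;
}

// Constructed in-memory tables standing in for the DB (hypothetical data).
const orgMembers: Record<string, Set<string>> = {
  "org-buyer-1": new Set(["u-alice"]),
  "org-buyer-2": new Set(["u-carol"]),
  "org-factory-9": new Set(["u-bob"]),
};
const auctions: Record<string, { orgId: string }> = {
  "auc-100": { orgId: "org-buyer-1" },
};

class Forbidden extends Error {}

// Step 1: role gate. Callers list the allowed roles explicitly; there is no
// implicit "admin can do anything" unless the route says so.
function requireRole(session: Session | null, allowed: Role[]): Session {
  if (!session) throw new Forbidden("unauthenticated");
  if (!allowed.includes(session.role)) throw new Forbidden(`role ${session.role} not allowed`);
  return session;
}

// Step 2: object-level gate. The route resolves the owning org of the
// resource it is about to touch and verifies the caller is a member of it.
function requireOrgMember(session: Session, orgId: string): void {
  if (!orgMembers[orgId]?.has(session.userId)) throw new Forbidden(`not a member of ${orgId}`);
}

// A hypothetical "edit auction" route. A missing auction and a cross-tenant
// auction both answer "not_found", so the response is not an existence oracle
// for ids that belong to someone else.
function editAuction(session: Session | null, auctionId: string): "ok" | "forbidden" | "not_found" {
  let s: Session;
  try {
    s = requireRole(session, ["client", "admin"]);
  } catch (e) {
    if (e instanceof Forbidden) return "forbidden";
    throw e;
  }
  const auction = auctions[auctionId];
  if (!auction) return "not_found";
  if (s.role !== "admin") {
    try {
      requireOrgMember(s, auction.orgId);
    } catch (e) {
      if (e instanceof Forbidden) return "not_found";
      throw e;
    }
  }
  // ... the actual edit would happen here, followed by an AuditLog write.
  return "ok";
}
```

The point of the two-step shape is that the role check alone is not enough: "client" is a role shared by every buyer org, so without the membership step any client could edit any buyer's auction. Keeping the membership check in the handler (rather than only in a proxy or middleware) means it still runs if the route is reached by a path the proxy does not cover.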
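An added example of the webhook handling pattern in the Payments item above, written for this page and not taken from SourcingPick's code or from Wise's SDK: RSA-SHA256 signature verification over the raw request body, persistence of the event, settlement that is idempotent on providerRef, and an admin replay that goes through the same path. The key pair is generated inline so the example runs offline; Wise's real header names, key distribution and payload format are not reproduced, and the WebhookEvent shape, the in-memory tables and the settle()/replay()/demo() helpers are hypothetical.

```typescript
import { createSign, createVerify, generateKeyPairSync, randomUUID } from "node:crypto";

// Hypothetical stand-in for the provider's signing key. A real integration
// loads the provider's published public key; the private half exists here
// only so the example can sign constructed sample events offline.
const { publicKey, privateKey } = generateKeyPairSync("rsa", { modulusLength: 2048 });

type EventStatus = "pending" | "settled" | "duplicate" | "rejected";

interface WebhookEvent {
  id: string;           // our own row id
  providerRef: string;  // provider's id for the transfer; the idempotency key
  body: string;         // raw body as received, kept for replay and forensics
  status: EventStatus;
}

// Constructed in-memory tables. In a real system `settledRefs` is a UNIQUE
// index on providerRef, so two concurrent deliveries cannot both settle.
const webhookEvents: WebhookEvent[] = [];
const settledRefs = new Set<string>();
let settlementCount = 0;

// Used only to build sample deliveries; the provider does this in production.
function sign(rawBody: Buffer): string {
  const s = createSign("RSA-SHA256");
  s.update(rawBody);
  s.end();
  return s.sign(privateKey, "base64");
}

function verifySignature(rawBody: Buffer, signatureB64: string): boolean {
  const v = createVerify("RSA-SHA256");
  v.update(rawBody);
  v.end();
  try {
    return v.verify(publicKey, signatureB64, "base64");
  } catch {
    return false; // malformed signature material counts as a failed check
  }
}

// Settlement keyed on providerRef: a redelivered or replayed event is a no-op.
function settle(row: WebhookEvent): EventStatus {
  if (settledRefs.has(row.providerRef)) {
    if (row.status === "pending") row.status = "duplicate";
    return "duplicate";
  }
  settledRefs.add(row.providerRef);
  settlementCount += 1; // the only place money moves
  row.status = "settled";
  return row.status;
}

function handleWebhook(rawBody: Buffer, signatureB64: string): EventStatus {
  // Verify over the exact bytes received, before JSON.parse and before any
  // write that could later be replayed from the admin UI.
  if (!verifySignature(rawBody, signatureB64)) {
    webhookEvents.push({ id: randomUUID(), providerRef: "", body: rawBody.toString(), status: "rejected" });
    return "rejected";
  }
  const evt = JSON.parse(rawBody.toString()) as { providerRef: string; amount: number };
  const row: WebhookEvent = { id: randomUUID(), providerRef: evt.providerRef, body: rawBody.toString(), status: "pending" };
  webhookEvents.push(row);
  return settle(row);
}

// Admin replay re-runs a persisted, signature-checked event through the same
// idempotent path; rejected rows are never replayable.
function replay(eventId: string): EventStatus | "unknown" {
  const row = webhookEvents.find((e) => e.id === eventId);
  if (!row || row.status === "rejected") return "unknown";
  return settle(row);
}

// Walks the cases a practitioner cares about: first delivery, redelivery,
// a tampered body under the old signature, and an admin replay.
function demo() {
  const body = Buffer.from(JSON.stringify({ providerRef: "WISE-TX-001", amount: 1250 })); // constructed event
  const sig = sign(body);
  const first = handleWebhook(body, sig);
  const redelivered = handleWebhook(body, sig);
  const tamperedBody = Buffer.from(JSON.stringify({ providerRef: "WISE-TX-002", amount: 1 }));
  const tampered = handleWebhook(tamperedBody, sig); // signature does not cover these bytes
  const replayed = replay(webhookEvents[0].id);
  return { first, redelivered, tampered, replayed, settlementCount, rows: webhookEvents.length };
}
```

Two details matter in practice. The signature must be checked over the raw bytes, not over a re-serialised JSON object, because any whitespace or key-order difference changes the digest. And the idempotency key must be enforced by the database (a unique constraint on providerRef), not only by application logic, because a provider that retries on timeout can deliver the same event to two instances at once.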
03 Data and hosting
Hosting in Europe (Paris / Frankfurt depending on stack tier). Data encrypted at rest via the provider's disk layer; DB connections over TLS.
Personal data falls under GDPR: we act as controller for user accounts (client, factory, agent, admin) and as processor for content exchanged between buyers and factories.
Primary sub-processors: Wise Business (payments), our hosting provider, our transactional email provider. The detailed list is available on request to security@sourcingpick.com.
04 Governance & incident handling
Not yet ISO 27001 or SOC 2 certified. Our target is a SOC 2 Type 1 audit within 12 months of v1 launch.
Incident reporting: security@sourcingpick.com. We commit to a response within 24 business hours. For personal-data breaches we notify the competent supervisory authority within GDPR's 72-hour window and affected individuals without undue delay, where the breach meets the Article 33/34 thresholds.
Informal bug bounty: no dedicated platform yet — disclose vulnerabilities responsibly to security@sourcingpick.com and we'll engage in good faith.
05 What we're actively working on
ISMS authoring kicked off; SOC 2 pre-audit prep in flight.
Annual external penetration tests — first pass scheduled for 2026-Q4.
Secret rotation policy + centralised credentials vault (HashiCorp Vault or equivalent).
ISO 27001 Statement of Applicability — drafting to anchor enterprise procurement questionnaires.