Security & Data Handling

SpendCraft is built to handle the spend data your finance and procurement teams rely on. This page describes how that data is secured, how it's accessed, and how it's isolated. Written for security reviewers, not marketing audiences.

Last updated: May 2026

Overview

Uptime SLA: 99.9% across all plans.

SpendCraft is a self-service spend classification and analytics platform. The product ingests transaction-level spend data, including invoices, purchase orders, expenses, and vendor records, and structures it for classification and analysis.

The data we handle is financial in character. The security posture reflects that.

Our approach rests on four principles:

  • Tenant isolation is architectural, not policy. Each customer's data lives in a dedicated database, not in a shared pool gated by permissions.
  • Encryption is the default, not a feature. Data is encrypted in transit and at rest on every path.
  • Access is logged and minimal. SpendCraft staff cannot access customer data without explicit customer approval.
  • Customer data does not train SpendCraft AI models without explicit customer approval.

Infrastructure & Hosting

Primary cloud provider: Microsoft Azure

Default deployment region: United States

Multi-region deployment: Available on request for enterprise customers.

Alternative cloud provider deployment: Available on request. SpendCraft can be deployed on other major cloud providers for customers with specific infrastructure requirements.

Data residency: Enterprise customers may request data residency in specific geographic regions. Contact sales to discuss requirements.

Encryption

In Transit

All data transmitted between clients and SpendCraft is encrypted using TLS 1.3. Older protocol versions are not supported.

At Rest

All customer data stored by SpendCraft is encrypted at rest using AES-256. This applies to primary data stores, backups, and any intermediate storage.

Key Management

Encryption keys are managed by SpendCraft using Azure-native key management infrastructure. Keys are rotated on a defined schedule.

Tenancy & Data Isolation

SpendCraft operates on a multitenant architecture with database-level isolation per customer.

Each customer workspace has a dedicated database. Data is not stored in a shared schema partitioned by customer ID. Isolation is structural, enforced at the database layer, not the application layer.

Queries cannot cross tenant boundaries. There is no path, intentional or accidental, by which one customer's data can be accessed through another customer's workspace.

Raw transaction data is not pooled for model training, cross-tenant benchmarking, or aggregate analytics without explicit customer approval.

Customer data does not train SpendCraft's proprietary AI models unless the customer has explicitly approved this in writing.

Access Control

Customer-side access control

Access within SpendCraft is governed by role-based permissions at the module level. Each product module (Classification, Savings Scans, Supplier Radar, Ask Crafter, Analytics) carries independent read and write roles.

Customer administrators manage their own users, roles, and access assignments directly within the platform.

SpendCraft staff access

SpendCraft staff do not have standing access to customer data.

Access to customer data by SpendCraft personnel for support, investigation, or incident response requires explicit written approval from the customer before access is granted.

All access events are logged with timestamp, user identity, and scope. Logs are retained and available for customer review on request.

Authentication

Single Sign-On (SSO): Supported. SpendCraft integrates with major identity providers including Okta, Azure Active Directory, and Google. SSO configuration is available on all plans.

Multi-Factor Authentication (MFA): Supported and recommended for all users. MFA can be enforced at the organization level by customer administrators.

Session management: Sessions are time-limited. Inactive sessions are terminated automatically.

Data Retention & Deletion

Default data retention: 30 days for transient and intermediate data. Classified spend data is retained for the duration of the customer's active subscription.

Post-termination deletion: Customer data is permanently deleted within 30 days of contract termination. No data is retained beyond this window for any operational purpose.

Deletion method: Hard deletion. SpendCraft does not use soft deletion or archival flagging. Deleted data is not recoverable.

Backup retention: Backups are retained for a rolling 30-day window and are permanently deleted on expiry.

Deletion requests: Customers may request early deletion of their data at any time. Deletion will be completed within the 30-day window.

Subprocessors

SpendCraft uses a limited number of subprocessors. These are listed below with the data they access.

| Subprocessor | Purpose | Data accessed |
| --- | --- | --- |
| Microsoft Azure | Cloud infrastructure and hosting | All customer data (encrypted at rest) |
| Stripe | Payment processing | Customer billing and payment information only. Stripe does not access spend data or transaction records. |
| Fivetran | Data pipeline and movement | Facilitates data ingestion from customer source systems. Fivetran does not have access to classified spend data within SpendCraft. |

SpendCraft will notify customers of material changes to this subprocessor list with reasonable advance notice. Enterprise customers may request notification terms in their agreement.

Vulnerability Management

Penetration testing: SpendCraft conducts independent third-party penetration testing on an annual basis. Results are reviewed by engineering leadership and remediation is tracked to closure.

Test reports are available to enterprise customers under NDA on request.

Vulnerability response SLA: Critical vulnerabilities are assessed and remediated within 48 hours of confirmation.

Bug bounty program: SpendCraft does not currently operate a public bug bounty program. Security issues may be reported through responsible disclosure (see Section 11, Responsible Disclosure).

Patch management: Security patches for critical and high-severity findings are applied on an expedited basis outside the standard release cycle.

Incident Response

SpendCraft maintains a documented incident response process covering:

  • Detection and triage
  • Containment and impact assessment
  • Customer notification
  • Root cause analysis
  • Corrective action and post-incident review

Customer notification: In the event of a confirmed security incident involving customer data, SpendCraft will notify the customer's designated point of contact within 72 hours of confirmation.

Notification is made directly to the customer point of contact on record. Enterprise customers may specify notification contacts and escalation procedures in their agreement.

Responsible Disclosure

SpendCraft welcomes responsible disclosure of security issues.

To report a potential vulnerability, contact the SpendCraft team directly through the contact form at spendcraft.com/contact and mark the subject as a security disclosure.

Please include:

  • A description of the issue
  • Reproduction steps
  • Scope and potential impact

SpendCraft does not pursue legal action against researchers who disclose security issues in good faith and follow responsible disclosure practice. We commit to acknowledging receipt within 5 business days and providing a remediation timeline for confirmed findings.

Certifications & Compliance

SOC 2 Type II

COMPLETED

SpendCraft has completed SOC 2 Type II certification covering Security, Availability, and Confidentiality trust service criteria.

The full audit report is available to enterprise customers and qualified prospects under a signed Non-Disclosure Agreement.

To request the report: contact your SpendCraft account representative or reach us through spendcraft.com/contact.

AI Risk Management Framework (AIRMF)

COMPLIANT

SpendCraft's AI systems are designed and operated in alignment with the AI Risk Management Framework (AIRMF). This covers the governance, transparency, and accountability practices applied to SpendCraft's proprietary AI classification engine.

SpendCraft's AI does not make autonomous decisions affecting customer data without human review. All AI-generated outputs are inspectable and traceable to source data.

ISO 27001

IN PROGRESS

SpendCraft is currently pursuing ISO 27001 certification. Expected completion will be communicated to customers when a target date is confirmed.

Contact

For security-related questions, NDA requests for the SOC 2 report, or enterprise security review inquiries:

Security & Compliance Inquiries

spendcraft.com/contact

For enterprise customers, your account representative is your primary point of contact for security review materials.

Data Processing Agreement (DPA) and subprocessor list are available to qualified prospects and customers under NDA. Contact your account representative or reach us at spendcraft.com/contact.
