
Privacy & Data Safety

At SpendNexus, we understand that your SaaS spend data is highly sensitive. We have built our architecture to ensure maximum privacy and security for every organization.

Data Isolation

SpendNexus uses a multi-tenant architecture with strict tenant isolation.
  • Organization Scoping: Every piece of data—subscriptions, members, notes, and alerts—is scoped to a unique organization_id.
  • Backend Enforcement: Our API uses mandatory middleware to ensure that a user can only access data belonging to an organization they are a member of.
  • No Cross-Org Data: Because every request passes the membership check and every query is filtered by organization_id, data belonging to one organization is not returned to another through standard application flows.
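
The two controls above (a membership check in middleware, then an organization_id filter on every query) are illustrated by the following example. It is added here to show the pattern and is not SpendNexus's own code; the function names, the sample organizations and subscriptions, and the HTTP-style responses are assumptions made for the example. It also shows, for contrast, the unscoped lookup-by-id that such an architecture is designed to rule out.

```python
"""Tenant isolation: membership check in middleware, then organization_id scoping
on every query. Example code added for this page, not SpendNexus's own
implementation; names, sample rows and the HTTP-style responses are assumptions."""
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass(frozen=True)
class Subscription:
    id: str
    organization_id: str
    vendor: str


# Constructed sample data: two organizations, one member each, three subscriptions.
MEMBERSHIPS: Dict[str, Set[str]] = {
    "user_alice": {"org_acme"},
    "user_bob": {"org_globex"},
}
SUBSCRIPTIONS: List[Subscription] = [
    Subscription("sub_1", "org_acme", "Slack"),
    Subscription("sub_2", "org_acme", "Figma"),
    Subscription("sub_3", "org_globex", "Notion"),
]


class Forbidden(Exception):
    """Caller is not a member of the requested organization."""


class NotFound(Exception):
    """No record with that id exists inside the caller's organization."""


@dataclass(frozen=True)
class TenantContext:
    """Carried through the request; every data access takes it as an argument."""
    user_id: str
    organization_id: str


def require_membership(user_id: str, organization_id: str) -> TenantContext:
    """Middleware step: refuse the request unless the user belongs to the org.
    The organization_id comes from the request (path or header) and is never
    trusted without this lookup."""
    if organization_id not in MEMBERSHIPS.get(user_id, set()):
        raise Forbidden(f"{user_id} is not a member of {organization_id}")
    return TenantContext(user_id=user_id, organization_id=organization_id)


class SubscriptionRepo:
    """Data access layer: every method requires a TenantContext, so a query
    without an organization_id filter cannot be written by accident."""

    def __init__(self, rows: List[Subscription]) -> None:
        self._rows = list(rows)

    def list(self, ctx: TenantContext) -> List[Subscription]:
        return [r for r in self._rows if r.organization_id == ctx.organization_id]

    def get(self, ctx: TenantContext, sub_id: str) -> Subscription:
        # Filter on id AND organization_id. A record from another org is
        # reported exactly like a non-existent one, so other tenants' id
        # space cannot be probed.
        for r in self._rows:
            if r.id == sub_id and r.organization_id == ctx.organization_id:
                return r
        raise NotFound(sub_id)

    def delete(self, ctx: TenantContext, sub_id: str) -> None:
        # Writes are scoped the same way: resolve through the scoped get first.
        self._rows.remove(self.get(ctx, sub_id))


def unscoped_get(rows: List[Subscription], sub_id: str) -> Subscription:
    """The anti-pattern the scoped repo rules out: a lookup by id alone.
    Any authenticated user who guesses sub_id gets the row back."""
    for r in rows:
        if r.id == sub_id:
            return r
    raise NotFound(sub_id)


REPO = SubscriptionRepo(SUBSCRIPTIONS)


def api_get_subscription(user_id: str, organization_id: str, sub_id: str) -> dict:
    """Request handler: middleware first, then the scoped query. Returns an
    HTTP-style status and body so the outcome of each case is visible."""
    try:
        ctx = require_membership(user_id, organization_id)
        sub = REPO.get(ctx, sub_id)
        return {"status": 200, "body": {"id": sub.id, "vendor": sub.vendor}}
    except Forbidden:
        return {"status": 403, "body": {"error": "not a member of this organization"}}
    except NotFound:
        return {"status": 404, "body": {"error": "subscription not found"}}


if __name__ == "__main__":
    print(api_get_subscription("user_alice", "org_acme", "sub_1"))  # 200
    print(api_get_subscription("user_alice", "org_acme", "sub_3"))  # 404: sub_3 is org_globex's
    print(api_get_subscription("user_bob", "org_acme", "sub_1"))    # 403: bob is not in org_acme
```

The important detail is the third case in api_get_subscription: a valid member asking for an id that exists but belongs to another organization gets the same 404 as a non-existent id, so the response cannot be used to discover which ids exist in other tenants. Scoping only the list endpoint while leaving get-by-id unscoped (the unscoped_get function) is the classic way this isolation is broken.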

Security Controls

Encryption at Rest

All database records and file attachments (Invoices/Contracts) are encrypted at rest using industry-standard AES-256 encryption. Encryption at rest protects data on storage media and in backups; access through the application itself is governed by the organization scoping described above.

Audit Logging

For teams on the Growth and Scale plans, SpendNexus maintains a comprehensive audit log of all organizational changes, including:
  • Membership changes (Invites, Roles, Removals).
  • Subscription creations and deletions.
  • Security configuration changes (Slack connections, Webhook setups).

GDPR Compliance

SpendNexus is designed with GDPR principles in mind:
  • Right to Access: You can export your entire organization’s data at any time in CSV format.
  • Right to Erasure: Soft-deleted data is marked for permanent deletion after 30 days, or you can request immediate hard-deletion of your organization.

Responsible Access

We recommend the following security best practices for your team:
  1. Use SSO: If your plan supports it, use your corporate identities for authentication.
  2. Review Roles Periodically: Ensure only the necessary people have “Owner” or “Admin” roles.
  3. Regular Audits: Use the Audit Feed on your dashboard to review recent team activity.