Security & Data Protection

How Bundle IQ Protects Your Procurement Data

Bundle IQ Research · Published April 2026 · Technical Guide

Who this is for

This guide is written for Finance Directors, IT security reviewers, procurement professionals, and any stakeholder who needs to understand how Bundle IQ handles sensitive commercial data before approving its use. It is deliberately non-technical in language while being precise about what controls exist and what they do.

What data Bundle IQ holds about your organisation

When your organisation uses Bundle IQ, the platform holds the following categories of data:

| Data category | What it includes | Sensitivity |
| --- | --- | --- |
| Account data | Name, email, organisation, role. Contact preferences. | Standard |
| Procurement briefs | Specification documents, requirements, budget ranges, evaluation criteria. | Sensitive |
| Supplier responses | Vendor proposals, pricing, terms. Commercially sensitive to both parties. | Sensitive |
| Contract documents | Executed contracts, purchase orders, service completion notes. | Sensitive |
| Payment data | Transaction amounts and status. No card numbers stored by Bundle IQ. Handled by Stripe. | Stripe-managed |
| Pool membership data | Annual spend estimates, category participation, referral codes. | Standard |

Where your data is stored and who can access it

Location: All data is stored in Supabase's Europe (Frankfurt) region, hosted on Amazon Web Services. No data is stored outside the EEA. Supabase holds SOC 2 Type II certification — the gold standard for cloud service security.

Access control: Row Level Security (RLS) is enforced at the database layer. An authenticated user for Organisation A cannot access Organisation B's data regardless of what the application layer does. This is not a policy; it is database-level enforcement that no application bug can bypass.

Who at Bundle IQ can see your data: Authorised Bundle IQ staff can access data through the staff intranet for the purpose of managing procurement processes you have engaged us for. Access is logged. No staff member can access payment card details at any point — these are held exclusively by Stripe.

The audit trail — what gets recorded and why it matters

Every procurement action through Bundle IQ creates an immutable, timestamped record. Immutable means it cannot be edited or deleted by any user — including Bundle IQ staff. The audit trail exists to protect you as much as to protect Bundle IQ.

What the audit trail records
Brief submitted — specification, requirements, budget, timestamp, user identity
Responses received — each supplier response with timestamp and completeness record
AI evaluation scores — objective scoring with criteria weighting, visible and defensible
Award decision — who was selected, at what price, on what date, by whom
Contract generated — document with SHA-256 checksum, signed URL, executed by named parties
Purchase order issued — auto-numbered, timestamped, linked to contract
Service completion confirmed — SCN submitted by vendor, reviewed and signed by buyer
Payment released — escrow release confirmed, transaction record including Stripe reference

Every document in this chain is stored with a SHA-256 integrity checksum. If any document is tampered with after storage, the checksum will not match and the discrepancy will be flagged. This is the standard used for legal evidence preservation.
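The checksum check described above, as an added illustration that is not Bundle IQ's own code: each audit record stores the SHA-256 of its document, and verification recomputes it to flag any mismatch. The hash link between records (`prev_hash`), the record field names, and the sample documents are assumptions made for this example and go beyond what this guide describes.

```python
import hashlib
import json

GENESIS = "0" * 64  # prev_hash of the first record (assumed convention)

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def record_digest(rec: dict) -> str:
    # Hash a canonical serialisation of every field except the digest itself.
    body = {k: v for k, v in rec.items() if k != "record_hash"}
    return sha256_hex(json.dumps(body, sort_keys=True).encode())

def append_record(trail: list, event: str, document: bytes, timestamp: str) -> dict:
    """Append a record holding the document checksum and a link to the previous record."""
    rec = {"event": event, "timestamp": timestamp,
           "doc_sha256": sha256_hex(document),
           "prev_hash": trail[-1]["record_hash"] if trail else GENESIS}
    rec["record_hash"] = record_digest(rec)
    trail.append(rec)
    return rec

def verify_trail(trail: list, documents: dict) -> list:
    """Return (index, problem) findings; an empty list means everything verifies."""
    findings, prev = [], GENESIS
    for i, rec in enumerate(trail):
        if record_digest(rec) != rec["record_hash"]:
            findings.append((i, "record altered"))
        if rec["prev_hash"] != prev:
            findings.append((i, "chain broken"))
        doc = documents.get(rec["event"])  # documents keyed by event name for brevity
        if doc is None:
            findings.append((i, "document missing"))
        elif sha256_hex(doc) != rec["doc_sha256"]:
            findings.append((i, "document checksum mismatch"))
        prev = rec["record_hash"]
    return findings

# Constructed sample data, not real procurement documents.
DOCS = {"contract_generated": b"Contract: 120 laptops at GBP 640 each",
        "purchase_order_issued": b"PO-0001 linked to contract"}

def build_sample() -> list:
    trail = []
    append_record(trail, "contract_generated", DOCS["contract_generated"], "2026-04-01T09:00:00Z")
    append_record(trail, "purchase_order_issued", DOCS["purchase_order_issued"], "2026-04-02T10:30:00Z")
    return trail
```

A checksum only demonstrates integrity if the stored digest cannot itself be rewritten, which is why the records in this sketch are linked so that editing or removing one breaks the records after it.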

Encryption — what it means in practice

Encryption protects data from being read by anyone who does not have the key. Bundle IQ uses encryption in two contexts.

At rest — data stored in the database and document storage is encrypted using AES-256. This is the same standard used by the UK government for OFFICIAL-level data. If someone obtained a copy of the physical storage media, they would not be able to read the data without the encryption key.

In transit — all data moving between your browser or application and Bundle IQ's servers is encrypted using TLS 1.2 or above. The padlock in your browser address bar confirms this is active. HTTP connections are automatically redirected to HTTPS. HSTS (HTTP Strict Transport Security) is enforced — your browser will not permit an unencrypted connection to Bundle IQ.

Security questions or review requests

For an IT security review, due diligence questionnaire, DPA request, or penetration test results, contact our security team.

security@bundleiq.co.uk