Hello, sign in Account New here? Create account Basket 0
Home Research Data Security
Security & Data Protection

How BundleIQ Protects Your Procurement Data

BundleIQ Research·Published April 2026·Technical Guide
Who this is for

This guide is written for Finance Directors, IT security reviewers, procurement professionals, and any stakeholder who needs to understand how BundleIQ handles sensitive commercial data before approving its use. It is deliberately non-technical in language while being precise about what controls exist and what they do.

What data BundleIQ holds about your organisation

When your organisation uses BundleIQ, the platform holds the following categories of data:

Data category What it includes Sensitivity
Account data Name, email, organisation, role. Contact preferences. Standard
Procurement briefs Specification documents, requirements, budget ranges, evaluation criteria. Sensitive
Supplier responses Vendor proposals, pricing, terms. Commercially sensitive to both parties. Sensitive
Contract documents Executed contracts, purchase orders, service completion notes. Sensitive
Payment data Transaction amounts and status. No card numbers stored by BundleIQ. Handled by Stripe. Stripe-managed
Pool membership data Annual spend estimates, category participation, referral codes. Standard

Where your data is stored and who can access it

Location: All data is stored in Supabase's Europe (Frankfurt) region, hosted on Amazon Web Services. No data is stored outside the EEA. Supabase holds SOC 2 Type II certification — the gold standard for cloud service security.

Access control: Row Level Security (RLS) is enforced at the database layer. An authenticated user for Organisation A cannot access Organisation A's data regardless of what the application layer does. This is not a policy — it is a database-level enforcement that no application bug can bypass.

Who at BundleIQ can see your data: Authorised BundleIQ staff can access data through the staff intranet for the purpose of managing procurement processes you have engaged us for. Access is logged. No staff member can access payment card details at any point — these are held exclusively by Stripe.

The audit trail — what gets recorded and why it matters

Every procurement action through BundleIQ creates an immutable, timestamped record. Immutable means it cannot be edited or deleted by any user — including BundleIQ staff. The audit trail exists to protect you as much as to protect BundleIQ.

What the audit trail records
Brief submitted — specification, requirements, budget, timestamp, user identity
Responses received — each supplier response with timestamp and completeness record
AI evaluation scores — objective scoring with criteria weighting, visible and defensible
Award decision — who was selected, at what price, on what date, by whom
Contract generated — document with SHA-256 checksum, signed URL, executed by named parties
Purchase order issued — auto-numbered, timestamped, linked to contract
Service completion confirmed — SCN submitted by vendor, reviewed and signed by buyer
Payment released — escrow release confirmed, transaction record including Stripe reference

Every document in this chain is stored with a SHA-256 integrity checksum. If any document is tampered with after storage, the checksum will not match and the discrepancy will be flagged. This is the standard used for legal evidence preservation.

Encryption — what it means in practice

Encryption protects data from being read by anyone who does not have the key. BundleIQ uses encryption in two contexts.

At rest — data stored in the database and document storage is encrypted using AES-256. This is the same standard used by the UK government for OFFICIAL-level data. If someone obtained a copy of the physical storage media, they would not be able to read the data without the encryption key.

In transit — all data moving between your browser or application and BundleIQ's servers is encrypted using TLS 1.2 or above. The padlock in your browser address bar confirms this is active. HTTP connections are automatically redirected to HTTPS. HSTS (HTTP Strict Transport Security) is enforced — your browser will not permit an unencrypted connection to BundleIQ.

Security questions or review requests

IT security review, due diligence questionnaire, DPA request, or penetration test results — contact our security team.

security@bundleiq.co.uk Security page →