Security & Data Protection

How Bundle IQ protects your data

Procurement data is sensitive data. Spend information, supplier relationships, contract terms, and payment details are commercially valuable and operationally critical. This page documents Bundle IQ's security architecture honestly — what controls are in place, what is on the roadmap, and what the pathway to government-grade security looks like.

Active: Encryption at rest & in transit
AES-256 encryption at rest (Supabase/AWS). TLS 1.2+ for all data in transit. No unencrypted data paths.
Active: Row Level Security
Every database table has RLS policies. Users can only access their own data. Enforced at the database layer.
Active: UK data residency
All data stored in Supabase Europe (Frankfurt). No data leaves the EEA. GDPR Article 44 transfers not applicable.
Active: Document integrity
SHA-256 checksums on every stored document. Signed time-limited download URLs. Immutable audit trail from brief to payment.
Active: PCI DSS scope reduction
Stripe handles all payment card data. Bundle IQ never stores, processes, or transmits raw card numbers. Stripe is PCI DSS Level 1 certified.
In progress: Cyber Essentials
Application in preparation. Required for UK government contracts above £25,000. Target certification Q3 2026.
Technical security controls

Bundle IQ is built on Supabase (hosted on AWS) with the following technical controls active from day one.

AES-256 encryption at rest
All data stored in Supabase is encrypted at rest using AES-256. AWS RDS encrypted volumes. Supabase Storage encrypted with S3-managed keys.
TLS 1.2+ in transit
All client-to-server communication is encrypted using TLS 1.2 minimum. TLS 1.3 used where supported. HTTP Strict Transport Security (HSTS) enforced.
Row Level Security (RLS)
Every table in the Bundle IQ database has RLS policies. Data access is enforced at the database layer — application-layer bugs cannot bypass it. Authenticated users can only access their own organisational data.
JWT authentication
All API requests are authenticated using signed JWTs with configurable expiry. Supabase Auth manages token lifecycle, refresh, and revocation.
Isolated Edge Functions
All server-side logic runs in isolated Deno environments (Supabase Edge Functions). There is no shared execution context between tenants, and environment variables are never exposed to the client.
Document integrity (SHA-256)
Every document stored through Bundle IQ (contracts, POs, SCNs, certificates) receives a SHA-256 integrity checksum at storage time. Checksums are recorded in the document registry and verified on retrieval.
Signed download URLs
All document downloads are served via time-limited signed URLs. URLs expire after a configurable period (default: 1 hour). Direct storage access is blocked.
Payment isolation (Stripe)
IQ Protection escrow is managed through Stripe. Bundle IQ never stores, processes, or transmits raw card data. Stripe is PCI DSS Level 1 certified. Bundle IQ's PCI scope is limited to SAQ-A.
UK data residency
Supabase project hosted in the Europe (Frankfurt) region. All personal data and commercially sensitive procurement data remains within the EEA. No cross-border transfers under GDPR Article 44.
Immutable audit trail
Every procurement action generates an immutable timestamped record: brief submission, vendor evaluation, contract award, PO generation, SCN submission, escrow release. Records cannot be altered or deleted by any user.
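As an added example (not Bundle IQ's own schema), here is how the organisation-scoped Row Level Security described under "Row Level Security (RLS)" and the append-only audit trail described above can be expressed in Postgres for a Supabase project; the table and column names are assumptions chosen for illustration.

```sql
-- Added example, not Bundle IQ's own schema: the table and column names
-- (org_members, documents, audit_events, org_id) are assumptions; auth.uid()
-- and the authenticated/anon roles are Supabase's standard Postgres setup.
-- Which users belong to which organisation (auth.uid() is the JWT subject).
create table org_members (
  org_id  uuid not null,
  user_id uuid not null references auth.users (id),
  primary key (org_id, user_id)
);

-- Document registry: stores the SHA-256 recorded at upload time.
create table documents (
  id           uuid primary key default gen_random_uuid(),
  org_id       uuid not null,
  storage_path text not null,
  sha256_hex   text not null check (sha256_hex ~ '^[0-9a-f]{64}$'),
  created_at   timestamptz not null default now()
);

-- Tenant isolation enforced by the database, whatever the application does.
alter table documents enable row level security;
alter table documents force row level security;  -- also binds the table owner
create policy documents_org_only on documents
  for all to authenticated
  using      (org_id in (select org_id from org_members where user_id = auth.uid()))
  with check (org_id in (select org_id from org_members where user_id = auth.uid()));

-- Append-only audit trail: rows may be inserted and read, never changed.
create table audit_events (
  id          bigint generated always as identity primary key,
  org_id      uuid not null,
  actor_id    uuid not null,
  action      text not null,  -- e.g. 'brief_submitted', 'escrow_released'
  recorded_at timestamptz not null default now()
);
alter table audit_events enable row level security;
alter table audit_events force row level security;
revoke update, delete on audit_events from authenticated, anon;
create policy audit_insert_own on audit_events for insert to authenticated
  with check (actor_id = auth.uid());
create policy audit_read_org on audit_events for select to authenticated
  using (org_id in (select org_id from org_members where user_id = auth.uid()));
-- With no update/delete policy, RLS denies both even if a grant is later restored.
-- A trigger blocks mutation for roles that bypass RLS (e.g. the service role).
create function audit_events_immutable() returns trigger language plpgsql as $$
begin raise exception 'audit_events is append-only'; end $$;
create trigger audit_events_no_mutation
  before update or delete on audit_events
  for each row execute function audit_events_immutable();
```

A quick check after applying this: run a query as a user of one organisation and confirm it returns no rows from another organisation's documents, and confirm that an UPDATE on audit_events raises the exception even when issued with the service role key.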
Data protection & GDPR

Bundle IQ processes personal data as both a data controller (for user accounts and platform interactions) and a data processor (where clients use IQ On-Site to process their own procurement data). The following controls are in place.

ICO registration
Bundle IQ Limited is registered as a data controller with the Information Commissioner's Office (ICO). Registration number available on request.
Data Processing Agreements
DPAs in place with all sub-processors: Supabase (database and storage), Stripe (payments), Resend (email delivery), Cloudflare (CDN and DNS). Available on request.
Privacy by design
Data minimisation applied throughout — only data necessary for the platform function is collected and stored. Retention periods defined per data category. Right to erasure implemented.
Lawful basis documented
Lawful basis identified and documented for all processing activities. Primarily legitimate interests (platform operation) and contract performance (procurement services). Consent used where required.
Vendor verification security

The Bundle IQ vendor verification system queries seven free UK government APIs to produce a composite risk score for every vendor on the platform. The security of this process is as follows.

API calls via Edge Functions only
All external API calls (Companies House, Gas Safe, etc.) are made from Supabase Edge Functions. API keys are stored as environment variables and never exposed to the client.
Sanctions screening auto-suspend
Any vendor matching the OFSI UK consolidated sanctions list is automatically suspended from the platform. No human approval step is required. Matches trigger an immediate alert to the Bundle IQ compliance queue.
Verification data access control
Raw verification API responses are stored in Supabase with RLS policies. Vendors can read their own verification status. Buyers see only the RAG summary (Green/Amber/Red). Full detail is intranet-only.
Certificate upload security
Vendor certificate uploads go to a private Supabase Storage bucket. Files are scanned for type validity. OCR extraction happens server-side. No uploaded files are served without a signed URL.
Government security pathway

UK government contracts require vendors to demonstrate a security posture appropriate to the sensitivity of the data handled. The UK Government Security Classification (GSC) policy defines three tiers: OFFICIAL, OFFICIAL-SENSITIVE, and SECRET. Most government procurement data sits at OFFICIAL or OFFICIAL-SENSITIVE. Bundle IQ's current posture and the roadmap to OFFICIAL-SENSITIVE capability are as follows.

Now: OFFICIAL baseline — current posture
AES-256 encryption, TLS 1.2+, RLS, UK data residency, immutable audit trail, Stripe PCI compliance, JWT authentication, isolated execution environments. Supabase/AWS infrastructure is SOC 2 Type II certified and meets NCSC Cloud Security Principles for OFFICIAL data. Suitable for OFFICIAL-level procurement data with appropriate contractual controls.
Q3 2026: Cyber Essentials certification
Five technical controls: boundary firewalls and internet gateways, secure configuration, user access control, malware protection, and patch management. Externally verified. Required for all UK government contracts above £25,000. Cost approximately £300–500. Certifying body: IASME Consortium.
Q4 2026: Cyber Essentials Plus
Cyber Essentials with independent hands-on technical verification. Required for contracts involving personal data or OFFICIAL-SENSITIVE information. Includes vulnerability scanning and configuration review. Cost approximately £1,500–3,000.
Year 2: ISO 27001 certification
International standard for information security management systems. Required for Crown Commercial Service framework agreements and higher-value government contracts. Comprehensive scope covering people, processes, and technology. 14 control domains, 114 controls. Certification body: BSI or equivalent. Cost £15,000–30,000 for a small organisation.
Year 2: OFFICIAL-SENSITIVE data handling capability
Formal DPIA for sensitive processing, mandatory MFA for all staff, joiners/movers/leavers process documented and audited, penetration test report (CREST-accredited tester), named data controller, enhanced sub-processor security assessments. Enables handling of government data classified OFFICIAL-SENSITIVE.
Year 3: DSPT (NHS Data Security and Protection Toolkit)
Required for NHS and social care data processing. Annual self-assessment against 100+ standards covering data security, staff training, system resilience, and information governance. Enables care sector and NHS supply chain work at volume.
Responsible disclosure

If you discover a security vulnerability in Bundle IQ, we ask that you report it to us before disclosing it publicly. We commit to acknowledging reports within 24 hours and providing a remediation timeline within 72 hours.

Report a security issue
Email: security@bundleiq.co.uk
Please include: description of the vulnerability, steps to reproduce, potential impact, and your contact details.
We do not currently offer a formal bug bounty programme but recognise all valid reports and will credit researchers who consent to attribution.
This page was last reviewed April 2026. Security posture is updated as controls are implemented. For a current security questionnaire or to discuss specific requirements, contact security@bundleiq.co.uk.