ProcureFlow is built for governed, audit-ready procurement, and security is enforced by design — not bolted on. This page summarises our posture; enterprise customers can request our full security documentation.
Every customer's data is isolated at the database tier using PostgreSQL row-level security (forced RLS), so one customer can never see another's data.
Role-based access control with separation of duties, and time-based one-time-password (TOTP) multi-factor authentication stepped up on sensitive financial actions such as payouts and approvals.
Encryption in transit (TLS) and at rest. Secrets are held in a managed secret store, never in the database.
An immutable, append-only audit trail records the actor, IP and timestamp of every action. Maker–checker segregation is enforced on financial flows.
Core platform and customer data are hosted in India (AWS, Mumbai — ap-south-1). Limited personal data (email addresses / notification content) is processed by our email providers, which may operate outside India, as permitted under the DPDP Act.
We maintain a documented incident-response process aligned to the CERT-In Directions (2022), including a 6-hour reporting runbook, and the breach-notification duties of the DPDP Act, 2023.
Found a security issue? Please email security@procureflow.in. We appreciate responsible disclosure and will respond promptly.