Security You Can Trust

Your financial data deserves the highest level of protection. Summit Spend is built with security at every layer — from encryption and access controls to audit logging and compliance.

Encryption at Rest & In Transit

All data is encrypted using AES-256 at rest and TLS 1.3 in transit. Database connections use SSL/TLS encryption. Receipt images and attachments are stored in encrypted cloud storage.

Bank-Grade Financial Security

Bank connections are handled by Plaid, which maintains SOC 2 Type II compliance and uses bank-level encryption. Your bank credentials are never stored by Summit Spend — they're held exclusively by Plaid.

Role-Based Access Control

Granular RBAC with three built-in roles (Admin, Manager, Member) and support for custom roles with fine-grained permissions. Administrators control exactly who can view, edit, approve, and export data.

Audit Logging

Every action is tracked in a comprehensive audit log — who did what, when, and from where. Audit logs are immutable, searchable, and exportable for compliance reviews.

Infrastructure Security

Hosted on Vercel (SOC 2 compliant) with Supabase (SOC 2 Type II) for database and authentication. All infrastructure runs in isolated environments with automatic security patches.

Secure Integrations

Sage Intacct integration uses OAuth 2.0 with scoped permissions. Plaid connections use OAuth-based bank linking. Stripe card issuance follows PCI DSS compliance standards. No credentials are stored in our database.

Security Practices

Multi-Factor Authentication

Support for MFA on all accounts via Supabase Auth

Session Management

Automatic session expiration and refresh token rotation

Row-Level Security

Database-level tenant isolation ensures organizations can never access each other's data
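Postgres row-level security is the mechanism Supabase exposes for this kind of database-level tenant isolation. The block below is an added illustration of how such isolation is typically expressed; it is not Summit Spend's schema or policies. The `org_members` and `expenses` tables, their columns and the policy names are assumptions, while `auth.uid()` is Supabase's built-in helper that returns the id of the user behind the current JWT.

```sql
-- Added example, not Summit Spend's schema. Tables, columns and policy
-- names are assumed; auth.uid() is Supabase's helper for the caller's id.

-- Membership table: one row per (organization, user), carrying the
-- built-in role the page describes (admin, manager, member).
create table org_members (
  org_id  uuid not null,
  user_id uuid not null,                       -- references auth.users.id
  role    text not null check (role in ('admin', 'manager', 'member')),
  primary key (org_id, user_id)
);

-- Tenant-owned data: every row is tagged with the organization it belongs to.
create table expenses (
  id         uuid primary key default gen_random_uuid(),
  org_id     uuid not null,
  created_by uuid not null,
  amount     numeric(12, 2) not null,
  memo       text
);

-- Deny by default: once RLS is enabled, a table with no matching policy
-- returns no rows and accepts no writes. FORCE makes the table owner
-- subject to the policies as well, so a mis-scoped connection cannot bypass them.
alter table org_members enable row level security;
alter table org_members force row level security;
alter table expenses    enable row level security;
alter table expenses    force row level security;

-- A user may see only their own membership rows. This policy is required
-- because the expenses policies below query org_members, and that subquery
-- runs under org_members' own RLS.
create policy org_members_self_read on org_members
  for select
  using (user_id = auth.uid());

-- Read: any member of the organization can see that organization's expenses.
create policy expenses_select_same_org on expenses
  for select
  using (
    exists (
      select 1
      from org_members m
      where m.org_id = expenses.org_id
        and m.user_id = auth.uid()
    )
  );

-- Write: the caller must belong to the organization, and WITH CHECK blocks
-- inserting or updating a row so that it lands in a different organization.
create policy expenses_insert_same_org on expenses
  for insert
  with check (
    exists (
      select 1
      from org_members m
      where m.org_id = expenses.org_id
        and m.user_id = auth.uid()
    )
  );

create policy expenses_update_same_org on expenses
  for update
  using (
    exists (select 1 from org_members m
            where m.org_id = expenses.org_id and m.user_id = auth.uid())
  )
  with check (
    exists (select 1 from org_members m
            where m.org_id = expenses.org_id and m.user_id = auth.uid())
  );

-- Check from psql: impersonate an authenticated user the way Supabase does
-- (auth.uid() reads the JWT claims from this setting) and confirm that only
-- the caller's organization is visible. The UUID is a constructed value.
begin;
set local role authenticated;
set local request.jwt.claims = '{"sub": "00000000-0000-0000-0000-000000000001"}';
select org_id, count(*) from expenses group by org_id;   -- only the caller's org
rollback;
```

Two points matter when reviewing policies like these: a policy that references another table is itself filtered by that table's RLS, so the membership table needs its own read policy or every subquery silently returns nothing; and `force row level security` closes the gap where the table-owning role would otherwise skip the policies. Finer-grained rights such as approve or export are a separate concern from tenant isolation and are enforced by the application's RBAC on top of these row filters.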

Input Validation

Server-side validation with Zod schemas on all inputs to prevent injection attacks

Dependency Scanning

Automated vulnerability scanning of all third-party packages

Secure Defaults

New accounts default to the most restrictive permission set

Data Residency & Compliance

US: Data hosted in US regions with SOC 2 compliant infrastructure

7 years: Financial record retention for regulatory compliance

30 days: Data export window after account termination

Questions about security?

Our team is happy to discuss our security practices in detail.