Your spend data, secured and auditable at every layer
Ensurva handles sensitive vendor and cost data. We encrypt everything, enforce least-privilege access, and log every action — so your spend insights stay protected from day one.
Security fundamentals
Three controls protecting your financial and vendor data on every request, every record, and every integration.
Encryption everywhere
TLS 1.2+ encrypts cost data in transit. AES-256 encrypts spend records at rest. No exceptions.
Least-privilege access
OAuth scopes request only the vendor and spend data Ensurva needs. Users see only what their role permits.
Automated key rotation
Secrets and API credentials rotate on a fixed schedule. No manual intervention required.
Role-based spend control
Control who can approve spend, change vendors, and access cost data. Every API endpoint enforces permissions server-side. No client-side-only checks.
- Three standard roles: Admin, Manager, Viewer
- Granular permissions per module — restrict who sees cost data
- Server-side enforcement on every endpoint
- Invitation-only tenant membership
Tenant isolation
Each organisation's spend data lives in a logically separated environment with enforced boundaries. Automated tests validate isolation on every deploy.
Immutable audit logging for cost governance
- Spend approvals and vendor change decisions
- Cost data access and export events
- Integration events — connect, sync, disconnect
- Workflow transitions, escalations, and spend accountability actions
- Retained for a minimum of two years
Availability and recovery
Clear targets, no weasel words.
99.9%
Uptime target
15 min
Recovery point objective (RPO)
1 hour
Recovery time objective (RTO)
Compliance readiness that reduces cost
- SOC 2 readiness controls from day one — less rework, lower audit costs
- GDPR-ready data handling and export
- CCPA-ready privacy controls
- WCAG 2.1 AA accessibility
We build with SOC 2 controls from the start so compliance does not become an expensive afterthought. Request our security pack for the full breakdown.