Privacy that survives procurement review
This page is a buyer-facing summary. Your legal team will receive a full Privacy Policy and Data Processing Agreement (DPA) as part of enterprise contracting.
- TLS 1.2+In transit
- Tenant isolationPer-client workspaces
- BackupsDaily snapshots (Enterprise)
- SOC 2Type II, roadmap
What we process
Spendda processes files and metadata you upload (for example vendor lines, payroll extracts) to generate analytics, alerts, and reports. We do not sell personal data or use it to train public foundation models without a separate agreement.
Where data lives
Pilot deployments may use regional defaults you choose during onboarding. Production deployments target EU or US hosting with tenant-scoped storage and row-level security in the database layer.
Subprocessors
Infrastructure and authentication providers (for example cloud hosting and identity) are listed in the Trust Center. Customers may request a current subprocessor register and notification process as part of a Data Processing Agreement.
Your rights & contacts
For access, correction, export, or deletion requests, contact privacy@spendda.com (placeholder). Enterprise customers route requests through their designated admin and your DPA.
Data retention
Logged-in administrators can set a default retention window for workspace artifacts in App settings → Data retention. Enterprise plans support legal holds, export-before-delete, and automated purge jobs aligned to your policy.