Your data is safe with VendorWeave
We built VendorWeave for regulated manufacturers — teams that answer to auditors. Security isn't an afterthought. It's foundational.
OAuth — We Never See Your Password
VendorWeave uses Google and Microsoft OAuth for email access. We receive a scoped access token — never your password. You can revoke access at any time from your Google or Microsoft account settings.
- OAuth 2.0 — industry standard
- Minimum required scopes only
- Revocable anytime from your account
Infrastructure — Vercel + Google Cloud
VendorWeave runs on Vercel's edge infrastructure with Google Sheets as the secure data layer. All data is encrypted at rest and in transit over TLS 1.3.
- TLS 1.3 in transit
- Google Cloud encryption at rest
- US-based data residency
Access Control — Tenant Isolation
Each customer's data is isolated by client ID. API routes validate session credentials on every request. No customer can access another customer's supplier data.
- Per-request session validation
- Client ID scoped data access
- No cross-tenant data leakage
Token Management — Auto-Refresh & Expiry
OAuth tokens are stored securely and automatically refreshed before expiry. Expired or revoked tokens are detected immediately and users are prompted to re-authenticate.
- Automatic token refresh
- Secure encrypted token storage
- Revocation detected in real time
Payment Security
VendorWeave uses Stripe for all payment processing. We never store or see your credit card details. Stripe is PCI DSS Level 1 certified — the highest level of payment security.
Cookies & Tracking
VendorWeave uses only essential cookies — session authentication and CSRF protection. We do not use analytics, advertising, or tracking cookies. No cookie consent banner required.
See our Privacy Policy for full details.
Found a Security Issue?
We take security reports seriously. If you've discovered a vulnerability, please contact us directly. We'll respond within 24 hours.