Security & Trust

Built for orgs where security isn't optional

SpendReady connects to Salesforce with read-only OAuth. Here's exactly what we do — and don't do — with your org.

The connection

How the connection works

Three steps. Salesforce handles authentication. We handle the rest — read-only.

1. You authorize via OAuth

Salesforce's own login screen handles authentication. SpendReady never sees your Salesforce password.

2. We request minimum scopes

api, refresh_token, offline_access, openid. No write access. No data export scope.

3. We read, never write

LoginHistory, User, UserLicense, PermissionSetLicenseAssign, and PermissionSetLicense only. We never create, update, or delete any Salesforce record.
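An org's security team can check the stated scopes and objects against what it observes on its own side. The sketch below is an added example, not SpendReady's or Salesforce's code: it compares the `scope` string from an OAuth token response and a list of observed SOQL queries with the allowlists in steps 2 and 3. The function names and all sample input are constructed for illustration.

```python
import re

# Allowlists copied from steps 2 and 3 of the page.
STATED_SCOPES = {"api", "refresh_token", "offline_access", "openid"}
STATED_OBJECTS = {"LoginHistory", "User", "UserLicense",
                  "PermissionSetLicenseAssign", "PermissionSetLicense"}
_ALLOWED = {o.lower() for o in STATED_OBJECTS}  # SOQL names are case-insensitive

# Constructed sample input (not real log data).
SAMPLE_SCOPE = "api refresh_token openid full"
SAMPLE_QUERIES = [
    "SELECT Id, Name, Email, LastLoginDate FROM User WHERE IsActive = true",
    "SELECT UserId, LoginTime, LoginType FROM LoginHistory WHERE LoginTime = LAST_N_DAYS:30",
    "SELECT Id FROM User WHERE Id IN (SELECT AssigneeId FROM PermissionSetLicenseAssign)",
    "SELECT Id, Name FROM Account WHERE Name = 'moved from User'",
    "SELECT Id, (SELECT Id FROM Cases) FROM Contact",
]

def from_targets(soql):
    """Return [(paren_depth, name)] for every FROM target; depth 0 is the main object."""
    text = re.sub(r"'(?:\\.|[^'\\])*'", "''", soql)  # drop string literals first
    out, depth, expect = [], 0, False
    for tok in re.findall(r"[()]|[A-Za-z_][A-Za-z0-9_.]*", text):
        if tok == "(":
            depth += 1
        elif tok == ")":
            depth -= 1
        elif expect:                 # identifier right after FROM
            out.append((depth, tok))
            expect = False
        elif tok.upper() == "FROM":
            expect = True
    return out

def audit(granted_scope, queries):
    """List every granted scope and queried name that falls outside the stated lists."""
    findings = [("scope", s) for s in sorted(set(granted_scope.split()) - STATED_SCOPES)]
    for q in queries:
        for depth, name in from_targets(q):
            if name.lower() not in _ALLOWED:
                # Inside parentheses the name may be a child relationship, not an
                # object, so it is marked for manual review rather than as a violation.
                findings.append(("object" if depth == 0 else "review-nested", name))
    return findings

if __name__ == "__main__":
    for kind, name in audit(SAMPLE_SCOPE, SAMPLE_QUERIES):
        print(f"{kind:14} {name}")
```

A scope string does not say whether a call reads or writes, so the object check and the integration user's object permissions are what cover that part.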

Data scope

What leaves your org

The scope of what we access is narrow and deliberate.

What we read

  • User list (name, email, last login, license type)
  • Login timestamps and login type
  • License pool counts
  • Permission set license assignments

What we never touch

  • Opportunity / Account / Contact / Case data
  • Custom objects
  • Attachments / files
  • Financial records
  • Any record outside user/license objects

Credential storage

How credentials are stored

Encrypted at rest

OAuth tokens encrypted via Supabase Vault (AES-256, pgsodium-managed keys).

Never plaintext

Tokens are never stored in plaintext, never logged, and never sent to third parties.

Per-tenant isolation

One connection cannot access another org's tokens — enforced at the database layer.

Row-Level Security

RLS at the database layer — your data rows are only accessible to your account.

Data isolation

  • All audit data tied to your account via RLS
  • No cross-tenant sharing
  • Hosted on AWS us-east-1 (Supabase / PostgreSQL)

Roadmap

What we're working toward

Security is a continuous practice, not a checkbox. Here's what's next.

  • SOC 2 Type II: Planned
  • AppExchange Security Review (Salesforce's independent ISV security certification): In progress
  • Static IP egress (for orgs with strict allowlists): Planned

Questions about security?

We're happy to answer detailed security questions, share documentation, or loop in your security team.

security@getspendready.com