Security
Purchase Order Centre is designed using modern security and access-control principles. The architecture is built with auditability and operational security in mind, and enterprise security and compliance capabilities continue to evolve as the platform grows.
Trust Centre
Purchase Order Centre is designed with security and auditability in mind. We follow modern security and access-control principles, and continue to evolve our enterprise security and compliance capabilities as the platform grows.
Granular roles — Requester, HOD, Accounts, GM, Admin and Owner — apply least-privilege defaults. Every record is scoped to the Customer organisation, and that scoping is enforced at the database layer.
Authentication uses email and password, with optional multi-factor authentication (MFA) using TOTP authenticator apps. Sessions are issued with short-lived tokens and may be revoked by administrators.
Data is stored in managed PostgreSQL with TLS in transit and encrypted storage at rest. Service-role credentials are held only on the server side and never exposed in the browser.
Organisation-level data isolation, row-level security policies and least-privilege service credentials protect Customer Data. We do not sell Customer Data and do not use it to train third-party systems.
Approval steps, status changes and key events are recorded to support traceability. Infrastructure logs are retained to support incident investigation.
Customers are responsible for managing user invitations and role assignments, enabling MFA, protecting credentials and verifying purchasing and financial data before operational use.
We welcome reports from security researchers. Please report suspected vulnerabilities to support@purchaseorderhub.com with sufficient detail to reproduce. We commit to investigating promptly and to coordinated disclosure.
For security questions or responsible disclosure, email support@purchaseorderhub.com.
Compliance posture
The platform is designed using modern security and access-control principles. Specific certifications such as SOC 2 or ISO 27001 are not claimed unless explicitly stated in a signed customer agreement. Enterprise security and compliance capabilities continue to evolve as the platform grows.