Security & trust

Security, privacy and compliance built in.

Source365 handles your email, your suppliers and your quote data, so control and privacy are built in, not bolted on. Here's exactly how we protect it.

Encryption everywhere

All traffic is encrypted in transit with TLS, and your Microsoft OAuth tokens are encrypted with AES-256-GCM before they're ever stored.

EU-hosted infrastructure

Your data is stored on EU-hosted infrastructure. AI analysis runs through the vetted sub-processors listed below.

We never train on your data

Your emails, suppliers and quote data are never used to train AI models, ours or anyone else's. They're used only to run your searches.

Sign in with Microsoft

Authentication runs through Microsoft Entra ID using OAuth 2.0. We never see or store your password.

You stay in control

Nothing is sent without your review. You decide which suppliers get contacted and exactly what each outreach email says.

Delete anytime

Search session data auto-expires after 90 days. You can delete your account and data whenever you want, straight from settings.

Compliance

Standards we hold ourselves to.

We design our controls around the frameworks enterprise procurement teams expect.

GDPR-ready

Built around EU data-protection principles: lawful processing, data-subject access, correction and the right to deletion.

SOC 2 aligned

Our security controls follow SOC 2 principles across security, availability and confidentiality.

ISO 27001 practices

We follow ISO 27001-aligned information-security practices for how we manage access, risk and data.

We align our controls with these frameworks as we scale. Running a vendor security review? Contact help@source365.io and we'll help.

Your data

What we hold, and for how long.

What we store

Your name and email from Microsoft sign-in, an encrypted OAuth token, and the procurement inquiries you choose to analyse together with the supplier results we generate.

Retention

Search session data is retained for 90 days, then automatically deleted. Account data is kept until you delete your account.

No PII in logs

Operational logs and error monitoring reference internal IDs, so we don't log email addresses or names in production.

Your rights

Request access to, correction of, or deletion of your personal data at any time by emailing help@source365.io.

Sub-processors

The vendors that power Source365.

We work with a small set of trusted providers, each scoped to a single job. We never sell or share your data beyond what's needed to run the service.

Microsoft Entra ID: Authentication and email sending via Microsoft Graph.

OpenAI: AI-powered email analysis and supplier search.

Mistral AI: OCR text extraction from scanned PDF attachments.

Serper: Web search API used to discover suppliers.

Stripe: Payment processing. We never store card numbers.

Resend: Transactional email delivery (welcome, usage alerts).

Sentry: Error monitoring. No personal data is logged.

Supabase: EU-hosted PostgreSQL database.

Upstash Redis: Caching and encrypted session/token storage.

Inngest: Background jobs (follow-ups, reply checks, reports).

Vercel: Application hosting and delivery.

Questions

Security, answered.

Do you use my emails to train AI models?

No. Your emails, suppliers and quotes are never used to train AI models, ours or any third party's. They're processed only to run the searches you request.

Where is my data stored?

In an EU-hosted PostgreSQL database on Supabase. Traffic is encrypted in transit with TLS, and OAuth tokens are encrypted at rest with AES-256-GCM.

Do you store my Microsoft password?

No. Sign-in goes through Microsoft Entra ID using OAuth 2.0, so we never see or store your password, only a revocable access token.

Can I delete my data?

Yes. Search sessions auto-expire after 90 days, and you can delete your account and data anytime from settings or by emailing help@source365.io.

Are you SOC 2 or ISO 27001 certified?

We align our controls with SOC 2 and ISO 27001 principles and are GDPR-ready. Running a vendor security review? Contact help@source365.io and we'll help.

Talk to us about security

Need a security questionnaire completed, or have a question about how we handle your data? We reply within one business day.

Legal

Read our Privacy Policy and Terms of Service.