Supply Index

Your supplier will never see your prices.

Individual clinic pricing data is never shared with suppliers, other clinics, or any third party in identifiable form.

Security at Supply Index

Encryption

  • In transit: All data transmitted over TLS 1.3. No unencrypted connections accepted.
  • At rest: Invoice files stored on Cloudflare R2 with AES-256 encryption at rest.
  • Database: Neon Postgres with encryption at rest and TLS-only connections.

Anonymisation

  • All benchmark data is aggregated across a minimum of 5 clinics and 20 data points before being visible to any user.
  • No benchmark is ever shown that could allow inference of an individual clinic's pricing.
  • Supplier accounts see only aggregate trends — never individual clinic names or prices.

Invoice Storage

  • Invoice files are uploaded directly to Cloudflare R2 via presigned URLs — they never pass through our application server.
  • Each invoice is stored under a clinic-specific prefix: invoices/{clinic_id}/{uuid}.ext
  • Invoice files are automatically deleted 24 months after upload.
  • Extracted pricing data is retained in anonymised form only.

Access Controls

  • Role-based access: clinic owners, admins, and suppliers have strictly separated permissions.
  • Clinic owners see only their own data and aggregated benchmarks.
  • Suppliers see only aggregate data for their own products — never across competitors.
  • Admins review invoices for verification only — they do not access benchmark data for commercial purposes.

Audit Logging

  • Every query that accesses pricing data is logged to an immutable audit trail.
  • Audit logs include: user ID, clinic ID, action type, resource accessed, timestamp, and IP address.
  • Logs are retained for 36 months and are available for compliance review.

Fraud Prevention

  • VAT number validation on submitted invoices.
  • Duplicate invoice detection (same supplier + date + amount).
  • Invoice age verification (must be within 60 days).
  • All invoices reviewed by trained administrators before data enters benchmarks.
  • Automated confidence scoring — low-confidence extractions always require manual review.

Infrastructure

  • Hosted on Vercel with automatic DDoS protection.
  • Database on Neon with point-in-time recovery.
  • File storage on Cloudflare R2 with 11 nines durability.
  • Error monitoring via Sentry for rapid incident response.

Responsible Disclosure

If you discover a security vulnerability, please email security@supplyindex.io. We commit to acknowledging reports within 24 hours and providing a resolution timeline within 72 hours. We do not pursue legal action against good-faith security researchers.