Security
Bend is built for finance teams. This page lists the controls that are live in production, the work in progress, and what’s on the roadmap. We update it after every meaningful security change.
Authentication & access
- shippedEmail magic-link sign-in
- shippedGoogle + Microsoft Entra ID SSO
- wave 2SAML 2.0 SSO
- wave 22FA / TOTP + WebAuthn passkeys
- shippedSCIM 2.0 user provisioning
- shippedRBAC v2 (BEND_ADMIN, BEND_STAFF, CLIENT_ADMIN, CLIENT_USER, CONSUMER)
- shippedBEND_STAFF allowlist gates impersonation + admin surfaces
Auditability
- shippedAppend-only audit log of every write action
- shippedImpersonation events HMAC-signed and dual-logged (actor + target)
- shipped (this sprint)Consent ledger for every consumer opt-in / opt-out
- shipped (this sprint)Communications policy decision log
Data protection
- shippedEncryption at rest (Neon Postgres managed)
- shippedEncryption in transit (TLS 1.2+)
- shippedDocument storage via Vercel Blob (private by default)
- shippedPII redaction in error tracking (emails, dollar amounts stripped)
- shippedDaily Neon point-in-time recovery, 7 days retained
Application hardening
- shippedSSRF guard on outbound webhooks (RFC1918 / metadata IPs / DNS rebinding)
- shippedHMAC-signed signing tokens for consumer agreements
- shippedpg_advisory_xact_lock on payment-plan accept (TOCTOU)
- shippedPIN-by-email gate on consumer portal with rate limit + lockout
- shipped (this sprint)Idempotency keys on all push jobs (ERP control plane)
Compliance
- in progress — Q3 2026 targetSOC 2 Type I
- planned — Q1 2027 targetSOC 2 Type II
- wave 2GDPR / CCPA data export + delete (DSAR)
- wave 2Reg F / FDCPA timing windows for B2C tenants
- wave 3Peppol / EN 16931 e-invoicing
Subprocessors
- shippedStripe — payment processing
- shippedNeon — Postgres hosting (US East)
- shippedVercel — application + edge hosting
- shippedResend — transactional email
- shippedAnthropic — per-tenant opt-in AI features
- shippedSentry — error monitoring (PII redacted)
Reporting a vulnerability
Email security@bendpays.com with reproduction steps. We respond within 2 business days and commit to disclose under coordinated disclosure once fixed. We don’t yet run a paid bounty program — we will once SOC 2 Type I is in hand.