Security

How SupplyPO protects your QuickBooks data and account.

Authentication

SupplyPO never asks for your QuickBooks username or password. We connect exclusively through Intuit's official OAuth 2.0 authorization protocol — the same standard used by banks and major enterprise software.

• ✓You approve the connection directly on Intuit's own login page — SupplyPO never sees your credentials
• ✓OAuth tokens (not passwords) are used to access your QuickBooks data on your behalf
• ✓You can revoke SupplyPO's access at any time from your QuickBooks Connected Apps settings
• ✓CSRF (Cross-Site Request Forgery) protection is enforced on every OAuth callback using cryptographically signed state tokens
• ✓Authorization codes are single-use and expire within minutes

Data Encryption

Sensitive data is encrypted before it ever reaches our database.

• ✓OAuth access tokens and refresh tokens are encrypted at rest using AES-128 (Fernet symmetric encryption) — they are never stored in plaintext
• ✓Encryption keys are stored separately from the database in environment-level secrets, not in source code
• ✓All data transmission between your browser, our servers, and QuickBooks occurs over HTTPS/TLS — never unencrypted HTTP
• ✓Our database (Neon PostgreSQL) encrypts data at rest at the infrastructure level, independent of our application-level encryption

What Data We Access

SupplyPO requests the minimum QuickBooks API scope required to perform conversions: com.intuit.quickbooks.accounting.

• ✓We read Estimates, Items, and Vendors to identify the vendor split
• ✓We write Purchase Orders to your QuickBooks account on your request
• ✓We do not read or store your QuickBooks financial reports, bank accounts, payroll data, or customer payment information
• ✓We do not continuously monitor your QuickBooks account — data is only accessed when you initiate a conversion
• ✓We do not sell, share, or use your QuickBooks data for any purpose other than performing the conversion you requested

Infrastructure Security

SupplyPO is built on infrastructure with strong security track records:

• ✓Database: Neon (neon.tech) — SOC 2 Type II certified PostgreSQL hosting with encryption at rest and in transit
• ✓Frontend: Vercel — SOC 2 Type II certified, global edge network, automatic HTTPS
• ✓Backend API: Railway — isolated containerized deployment with no shared infrastructure
• ✓QuickBooks API: Intuit — PCI DSS, SOC 2, and ISO 27001 certified infrastructure

Access Controls

• ✓QuickBooks company data is scoped to the realm (company ID) — one user cannot access another company's data
• ✓No SupplyPO employee has routine access to your QuickBooks data; access requires explicit engineering intervention with logging
• ✓Database credentials, API keys, and encryption keys are stored in environment secrets — never in source code or version control
• ✓Our source code does not contain any hardcoded credentials

Vulnerability Disclosure

We take security reports seriously. If you discover a security vulnerability inSupplyPO, please report it responsibly:

Please do not publicly disclose security vulnerabilities until we have had reasonable time to investigate and address them. We appreciate responsible disclosure and will acknowledge your contribution.

Intuit Platform Security

SupplyPO is built on Intuit's QuickBooks Online API and adheres to Intuit's security requirements for third-party applications:

• ✓OAuth 2.0 Authorization Code flow — no implicit grant
• ✓Mandatory reconnect endpoint for expired token recovery
• ✓Immediate connection revocation on user disconnect request
• ✓No storage of QuickBooks user passwords at any point