Security
Built for procurement data from day one.
Pricing, supplier contracts, and award decisions are sensitive. So is the inbox we connect to. Here is exactly how SalesNext keeps everything inside your tenant.
Least-privilege OAuth
Connect Gmail or Microsoft 365 with scoped, revocable permissions. You choose which labels or folders are in scope.
Per-tenant encryption
Customer data is encrypted at rest with isolated keys. No cross-customer data flow without explicit opt-in.
Audit log on everything
Every parse, draft, counter, award, and approval is captured in an append-only log. Exportable for compliance.
Human-in-the-loop AI
Autopilot runs only inside the policies you set. Every AI message is policy-checked, logged, and reversible.
Architecture
SalesNext is a multi-tenant SaaS built on a hardened Postgres data plane and the SalesNextAI engine. The security-relevant shape is intentionally simple:
- The browser only ever talks to our backend or to scoped read-only data services with short-lived tokens.
- Every server endpoint re-verifies the user session and organization membership before any data access.
- Privileged service accounts that can bypass row-level policies are only used server-side and never exposed to the browser.
- Files (PDFs, attachments) live in storage buckets scoped per organization with short-lived signed URLs.
- Email content is fetched on-demand via authorized OAuth scopes and never staged outside the customer’s tenant.
Inbox access scope
The Copilot connects to Gmail or Microsoft 365 through standard OAuth flows. We request the smallest set of scopes that lets the product work — and you can narrow scope further:
- Scope to specific labels or folders. Many customers limit SalesNext to a “Suppliers” label or a dedicated procurement folder so personal mail is never in view.
- Read scope is enforced. SalesNext never reads outside the scope you authorized. We do not bulk-export mailboxes, ever.
- Send scope is delegated and policy-checked. When the Copilot drafts a reply, it sends as the user — and every outbound message clears a policy check before it leaves our servers.
- Revocable in one click. Disconnect from inside Gmail or Microsoft 365 at any time; SalesNext immediately stops fetching new email.
Data isolation
Every business table carries an organization identifier. Row-level security policies gate reads and writes on organization membership before any row reaches the application layer. Cross-tenant data access is structurally impossible — the database enforces the predicate, not the application.
The Procurement Memory layer is per-customer. Memory entries, supplier dossiers, parsed quotes, and audit records are scoped to your organization and encrypted with isolated keys. The only data that ever leaves your tenant is anonymized network benchmarks — and only if you explicitly opt in.
Encryption
All connections use TLS 1.2 or higher end-to-end. Data at rest is encrypted with AES-256 across the database, file storage, and the Memory layer. Storage buckets use per-organization prefixes and short-lived signed URLs for file downloads.
Approver-facing links (Decision Rooms) and supplier-facing reply addresses use opaque, single-purpose tokens that are validated server-side, scoped to a single recipient, and expire when the relevant RFQ closes.
Audit logging
Every meaningful action lands in an append-only audit log: email parsed, quote extracted, draft generated, counter sent, autopilot policy applied, RFQ awarded, approval recorded. The log is immutable — no UPDATE or DELETE policy exists.
Organization admins can export the log at any time. Authentication events (login, password change, SSO assertion, invite accepted) are tracked separately with IP and user-agent metadata, and feed into the same export.
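The membership-gated row-level security described under Data isolation and the append-only log described above, as one added PostgreSQL example. It is an illustration written for this page, not SalesNext's schema; every table, column, role, function and setting name in it is an assumption.

```sql
-- Hypothetical schema: all names below are assumptions made for illustration.
CREATE ROLE app_user NOLOGIN;  -- unprivileged role that tenant queries run as

CREATE TABLE organization_members (
    organization_id uuid NOT NULL,
    user_id         uuid NOT NULL,
    PRIMARY KEY (organization_id, user_id)
);
CREATE TABLE quotes (
    id              bigint GENERATED ALWAYS AS IDENTITY PRIMARY KEY,
    organization_id uuid NOT NULL,
    supplier        text NOT NULL,
    unit_price      numeric(12,2) NOT NULL
);
CREATE TABLE audit_log (
    id              bigint GENERATED ALWAYS AS IDENTITY PRIMARY KEY,
    organization_id uuid NOT NULL,
    actor_id        uuid NOT NULL,
    action          text NOT NULL,
    recorded_at     timestamptz NOT NULL DEFAULT now()
);

-- Verified user id, set per transaction by the backend; NULL when unset, so nothing matches.
CREATE FUNCTION app_uid() RETURNS uuid LANGUAGE sql STABLE AS
$$ SELECT NULLIF(current_setting('app.user_id', true), '')::uuid $$;
CREATE FUNCTION app_is_member(org uuid) RETURNS boolean LANGUAGE sql STABLE AS
$$ SELECT EXISTS (SELECT 1 FROM organization_members m
                  WHERE m.organization_id = org AND m.user_id = app_uid()) $$;

-- With RLS enabled, a command with no matching policy touches zero rows (default deny).
-- Superusers and BYPASSRLS roles skip policies; FORCE makes them bind the table owner too.
ALTER TABLE organization_members ENABLE ROW LEVEL SECURITY;
ALTER TABLE quotes    ENABLE ROW LEVEL SECURITY;
ALTER TABLE quotes    FORCE  ROW LEVEL SECURITY;
ALTER TABLE audit_log ENABLE ROW LEVEL SECURITY;
ALTER TABLE audit_log FORCE  ROW LEVEL SECURITY;

CREATE POLICY own_memberships ON organization_members FOR SELECT TO app_user
    USING (user_id = app_uid());
-- Business rows: reads (USING) and writes (WITH CHECK) both require membership.
CREATE POLICY quotes_by_membership ON quotes FOR ALL TO app_user
    USING (app_is_member(organization_id)) WITH CHECK (app_is_member(organization_id));
-- Audit log: SELECT and INSERT policies only, so UPDATE and DELETE never match a row.
CREATE POLICY audit_read ON audit_log FOR SELECT TO app_user
    USING (app_is_member(organization_id));
CREATE POLICY audit_append ON audit_log FOR INSERT TO app_user
    WITH CHECK (actor_id = app_uid() AND app_is_member(organization_id));

GRANT SELECT ON organization_members TO app_user;
GRANT SELECT, INSERT, UPDATE, DELETE ON quotes TO app_user;
GRANT SELECT, INSERT ON audit_log TO app_user;  -- UPDATE/DELETE/TRUNCATE: permission denied
```

Per request, the backend would run `SET LOCAL ROLE app_user` and `SELECT set_config('app.user_id', '<verified user uuid>', true)` inside a transaction once the session is verified. A review of such a setup should confirm that no role reachable from the browser path is a superuser, a table owner without `FORCE`, or holds `BYPASSRLS`.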
AI controls and Autopilot guardrails
SalesNextAI parses RFQs, supplier quotes, and email threads, and produces the drafts and scoring you see in the product. Four commitments hold without exception:
- We do not train shared models on your data, ever.
- SalesNextAI does not retain prompt or completion content beyond the request lifecycle, except inside your own audit log.
- Every AI input and output is recorded in your organization’s audit log so you can review what the model was asked and what it returned.
- Autopilot, when enabled, can only act within the bounds you set per RFQ. Every outbound message clears a policy check that verifies the action is in-policy before it leaves our servers.
You can disable AI features organization-wide from settings. Quote intake, comparison, and approvals continue to function — you simply lose the drafting, scoring, and autopilot shortcuts.
Explainability
Every AI suggestion in SalesNext shows its work. A buyer can see which prior threads informed a draft, which historical prices anchored a counter, and which supplier performance signals shifted a score. The reasoning trail is part of the audit log and is exportable.
We do not ship silent AI edits. Drafts never become actions without an explicit user policy or a deliberate human click.
Compliance posture
- GDPR-ready data subject tooling (export, delete): Ready
- Data Processing Addendum (DPA) on request: Ready
- SOC 2 Type I: In progress
- SOC 2 Type II: Planned 2026
- ISO 27001: Planned 2027
- HIPAA / signed BAA (Enterprise only): On request
- Regional data residency (EU): On request
Want a closer look?
Security teams can request our DPA, sub-processor list, architecture overview, SOC 2 progress update, and inbox-OAuth scope walkthrough directly from the founders.