Bardo do the work to understand what was bought
Product security
We ask for read only access to your accounts payable data, including invoices and receipts, so we can build an activity level, assurance ready inventory. This page explains exactly what we ingest, how access works, and which safeguards apply.

Our ask, clear and specific
Scope, read only ingestion of
AP and GL exports
Purchase orders and supplier master
Invoices and receipts, PDF, XML, EDI, images
Shipment and route data where relevant
We never
Write to your ERP or modify data
Connect to payment rails or initiate transactions
Request HR, payroll, or customer PII beyond what appears on documents
Train third party models on your data
Why we need this
Each invoice line becomes a real activity with units, supplier, route, or model. That is how we produce lower, more accurate numbers for the same scope choices and a trail auditors can follow.
Data flow and access model
Connectivity options
Standard ERP connectors with read only scopes
Secure file drop, SFTP or object storage
Private link or VPN with IP allow list, on request
Data flow
Intake zone receives files or API payloads
Capture parses and normalises fields
Mapping converts lines to activities
Factor selection links activities to LCAs or creates a documented LCA
Results write to the Carbon Footprint Inventory with lineage
Exports, APIs, and the Viewer app read from the inventory only
Permissions
Read only credentials
Least privilege service accounts
Time bound access tokens
Quarterly access reviews with your team

Core safeguards
SOC 2 Type II
in progress, target Dec 2025
Strict access control
SSO and RBAC, least privilege, MFA, quarterly reviews
EU only hosting and processing
customer specific residency on request
Centralised logging and monitoring
with anomaly alerts
Encryption everywhere
TLS in transit, strong encryption at rest
Controls mirror the Trust center.
See trust center for full detail.
Secure development and operations
Secure SDLC with reviews, dependency scanning, and environment separation
Regular third party penetration testing and vulnerability scanning
Documented business continuity and disaster recovery plans
Formal incident response process with timely customer notifications

GDPR compliant DPA with SCCs where applicable
Data deletion or return within 90 days of termination
Transparent subprocessor list at /security/subprocessors with change notifications
AI safeguards, no provider training rights on customer data
Human in the loop quality operations
Everything is monitored by specialists. Every corner case or uncertainty is flagged and corrected. Decisions write back to the inventory and into a training data store that improves the models.
What enters review
Capture exceptions, unreadable docs, missing fields
Mapping uncertainty, categories, units, route or model detection
Factor selection conflicts and scope boundary checks
Generated LCAs that require assumptions
Controls
Role based approvals and four eyes for sensitive changes
Immutable logs with user, time, before and after snapshots
SLA targets, queue response within one business day, critical exception resolution within five business days
What you see
Queue status and change logs
Uncertainty trend by category and supplier
Factor specificity mix by ran

We ingest only fields required for activity mapping and audit
Optional masking of bank details and personal identifiers on documents
Field level rules for exports and APIs, hide or pseudonymise where needed
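As an added example (not Bardo's own code), the field level rules above expressed as a small export filter in Python: fields required for activity mapping pass through, bank details are masked, the supplier name is pseudonymised with a keyed HMAC so it stays comparable across exports, personal identifiers are hidden, and any field without a rule or allow-list entry is dropped. The invoice line, the rule set and the key are constructed placeholders.

```python
import hashlib
import hmac

# Constructed sample invoice line, shaped like a normalised capture record;
# supplier, IBAN and e-mail are made up for this example.
SAMPLE_LINE = {
    "invoice_id": "INV-2025-0042",
    "supplier_name": "Example Freight GmbH",
    "supplier_iban": "DE89 3704 0044 0532 0130 00",
    "contact_email": "a.person@example.com",
    "description": "Road freight, 2 pallets, Hamburg to Munich",
    "quantity": 2.0,
    "unit": "pallet",
    "amount_eur": 1250.0,
}

# Fields needed for activity mapping and audit lineage; anything else without a rule is dropped.
REQUIRED_FIELDS = {"invoice_id", "description", "quantity", "unit", "amount_eur"}
# Rules: "hide" removes the field, "pseudonymise" swaps it for a keyed token that
# stays stable across exports, "mask" keeps a partial view of the value.
EXPORT_RULES = {"supplier_name": "pseudonymise", "supplier_iban": "mask", "contact_email": "hide"}
# Placeholder key; a deployment would load this from a secrets manager.
PSEUDONYM_KEY = b"placeholder-pseudonym-key"


def pseudonymise(value: str, key: bytes) -> str:
    """Keyed HMAC: stable per tenant, but unlike a plain hash it cannot be matched
    against a known supplier list without the key."""
    digest = hmac.new(key, value.strip().lower().encode(), hashlib.sha256).hexdigest()
    return "sup_" + digest[:16]


def mask_iban(iban: str) -> str:
    """Keep the country code, check digits and the last four characters only."""
    iban = iban.replace(" ", "").upper()
    if len(iban) <= 8:
        return "*" * len(iban)
    return iban[:4] + "*" * (len(iban) - 8) + iban[-4:]


def apply_export_rules(record: dict, rules: dict, required: set, key: bytes) -> dict:
    """Build the export or API view of one record: rules first, allow-list second."""
    out = {}
    for field, value in record.items():
        action = rules.get(field)
        if action == "hide":
            continue
        if action == "pseudonymise":
            out[field] = pseudonymise(value, key)
        elif action == "mask":
            out[field] = mask_iban(value)
        elif field in required:
            out[field] = value  # everything else is dropped by default
    return out
```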
AI and model safeguards
Reasoning models run in controlled environments
No third party provider receives your data with training rights
Labels from human review are stored as training data, not full raw documents
New models are evaluated offline, then promoted with version notes
What security teams ask, answered
Not spend based. Activity based with LCA per invoice line, enabled by reasoning AI. The result is source tight, comparable numbers you can use for decisions, not just reporting.
Can you guarantee read only?
Yes. We use read only scopes and service accounts. We can also ingest through file drops if you prefer no API permissions.
How do you separate tenants?
Customer data is logically isolated in a multi tenant control plane with strict access checks. Dedicated environments are available on enterprise plans.
How do you prove lineage?
Every reported number links to the transaction, activity, and factor record with source, version, and uncertainty. Auditors receive sampling links in the assurance kit.
What is your retention?
Operational copies live only for processing. Inventory data persists for your reporting windows and audits. Data is deleted or returned within 90 days after termination, subject to legal holds.
Do you support BYOK?
Customer managed keys are available on enterprise plans.
Evidence and downloads
Security overview PDF
DPA and TOMs annex
Subprocessor list
Latest pentest executive summary
Architecture diagram and data contracts for APIs
Assurance kit sample