Security & Trust

Designed so you never have to trust us blindly

Finance teams process tens of millions of dollars through Solvce. These are the architectural decisions that make that possible without asking you to simply take our word for it.

Verified commitment

Your business data stays private and is never used to train AI models.

Every invoice, purchase order, vendor name, GL code, and price tolerance you enter exists solely to provide the service to your account. It is not sold, used for advertising, or used to train AI models.

How it works

Six principles, built in from day one

01
🚫
Your business data is never used for AI training
Every document you process — invoices, purchase orders, delivery receipts — is used exclusively to provide the service to your account. Your business data stays private and is never used to train AI models.
02
🏗️
Secure tenant isolation by default
Solvce separates each customer workspace with tenant isolation, database-level controls, role-based access, and audit trails. Dedicated enterprise environments are available.
03
🔐
Documents are processed only to provide the service
When you upload an invoice or delivery receipt, Solvce processes it only to extract, match, route, and audit your AP workflow. Your business data is not sold, shared for advertising, or used to train AI models.
04
🔑
ERP credentials stored in a dedicated vault
Connection credentials for your accounting system are stored in a secrets vault — separate from the application layer. They are never written to logs, never visible in configuration files, and never accessible to Solvce staff in plain text. Access is scoped, audited, and revocable.
05
🪪
Access enforced at the database level, not just the application
Row-level security policies on every table mean that even if application code had a logic error, the database would reject any query that crossed account boundaries. There is no single point of failure in our access control — it is enforced at multiple independent layers.
06
📋
Every action is permanently logged
Every field extraction, every override, every approval, every login, and every API call generates an immutable audit record. The log cannot be edited or deleted — not by your team, and not by ours. It is available in full for export at any time for compliance or audit purposes.
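
Principle 05 above, as an added example that is not Solvce's own code: a tenant-isolation policy in PostgreSQL syntax, which is an assumption because the page does not name its database engine. The table, role and setting names (invoices, app_user, app.tenant_id) and the sample UUIDs are hypothetical.

```sql
-- Added illustration. PostgreSQL assumed; all names and values are constructed.
CREATE TABLE invoices (
    id          bigserial PRIMARY KEY,
    tenant_id   uuid          NOT NULL,
    vendor_name text          NOT NULL,
    amount      numeric(12,2) NOT NULL
);

-- ENABLE turns policies on; FORCE also applies them to the table owner,
-- so a migration or admin job running as owner cannot silently skip them.
ALTER TABLE invoices ENABLE ROW LEVEL SECURITY;
ALTER TABLE invoices FORCE  ROW LEVEL SECURITY;

-- USING filters rows for SELECT/UPDATE/DELETE; WITH CHECK validates rows
-- written by INSERT/UPDATE. current_setting() without missing_ok raises an
-- error when no tenant context is set, so the policy fails closed.
CREATE POLICY tenant_isolation ON invoices
    USING      (tenant_id = current_setting('app.tenant_id')::uuid)
    WITH CHECK (tenant_id = current_setting('app.tenant_id')::uuid);

-- The application connects as a role without SUPERUSER or BYPASSRLS.
CREATE ROLE app_user NOLOGIN;
GRANT SELECT, INSERT, UPDATE, DELETE ON invoices TO app_user;
GRANT USAGE ON SEQUENCE invoices_id_seq TO app_user;

-- One request, one transaction: the tenant context is set per transaction
-- from the authenticated session, never from user-supplied input.
BEGIN;
SET LOCAL ROLE app_user;
SET LOCAL app.tenant_id = '11111111-1111-1111-1111-111111111111';

INSERT INTO invoices (tenant_id, vendor_name, amount)
VALUES ('11111111-1111-1111-1111-111111111111', 'Example Vendor', 100.00);

-- Simulated application bug: the query has no tenant filter at all.
-- The policy still restricts the result to the current tenant's rows.
SELECT id, vendor_name, amount FROM invoices;

-- Cross-tenant write: rejected by WITH CHECK with a row-level security
-- violation, which aborts the transaction.
INSERT INTO invoices (tenant_id, vendor_name, amount)
VALUES ('22222222-2222-2222-2222-222222222222', 'Other Tenant Vendor', 5.00);
ROLLBACK;
```

When reviewing a deployment like this, confirm that no role the application can assume carries BYPASSRLS and that every tenant-scoped table appears in pg_policies.
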
Architecture

What the security looks like under the hood

Plain descriptions. No marketing language.

Authentication
Identity managed by an enterprise-grade auth provider — no passwords stored in application code
Every session carries a cryptographically signed token verified on each request
Multi-factor authentication available on all plans
Session tokens expire automatically; refresh is rate-limited
Data isolation
Secure tenant isolation by default
Database-level controls, role-based access, and audit trails
Dedicated enterprise environments available
Tenant identity is bound to the authorised organisation context
Document handling
Documents uploaded to a private, isolated storage bucket — not publicly addressable
AI-assisted extraction is used only to provide the service
Documents are not stored indefinitely — retention periods are configurable
Document content never appears in logs or error traces
ERP & integrations
OAuth available for selected connectors
Sensitive connector credentials handled through secure configuration paths
Token refresh is automated; revocation propagates immediately
Integration scope is read + write on AP-specific objects only — not full ERP access
Network & infrastructure
All traffic encrypted in transit via TLS 1.2 minimum
Data encrypted at rest using platform-managed keys
API endpoints rate-limited and protected against common attack patterns
Multi-tenant application with secure tenant isolation by default
Audit & compliance
Immutable audit log for every user action, AI decision, and system event
Audit log exportable as CSV at any time — no support ticket required
Approval chains and override records meet SOX documentation requirements
Data stored in Australia (Sydney) by default — additional regions available for Enterprise on request

Common questions

Straight answers. No legal hedging.

Can Solvce employees see my invoices?
No. Support access to production data requires explicit customer consent, a time-limited session, and generates an audit record. Routine support does not involve access to document content.
Does Solvce use my data to improve its AI?
Never. Your data — documents, extracted fields, overrides, vendor names, amounts — is used solely to provide the service. It is not used to train AI models.
What happens to my data if I cancel?
Your data remains accessible for 30 days post-cancellation for export. After that, it is permanently deleted from all systems including backups, within 90 days. We will confirm deletion in writing on request.
Is my database shared with other customers?
Solvce uses secure tenant isolation by default, with dedicated enterprise environments available. Customer data stays separated with database-level controls, role-based access, and audit trails.
Where is data stored?
By default, in Australia (Sydney region). Enterprise customers can discuss additional region options — contact hello@solvce.com.
Do you have a Data Processing Agreement (DPA)?
Yes. A standard DPA is available for all customers. Enterprise customers can request a custom DPA. Contact hello@solvce.com.

Have a specific security requirement?

Enterprise customers can request a custom DPA, SOC 2 summary, or a security questionnaire review.
