Security & data statement
How Sentra handles your data in production
What Sentra does
Sentra helps construction and trades SMEs reduce payment fraud risk by monitoring selected payment-risk mailboxes, classifying invoice and payment-related emails, comparing details against verified supplier records, flagging potential fraud, and supporting human verification before payment.
What Sentra does not require
- Bank logins, passwords, or live banking access
- Confidential supplier lists during registration or in enquiry forms
- Full organisation-wide mailbox access
Data handling
Platform data is stored in Supabase with per-organisation isolation and row-level security policies. Customer accounts require sign-in; API routes resolve your organisation from your profile. Contact and feedback forms collect only business contact and qualification information — not mailbox credentials.
Least-privilege email access
Microsoft 365 integration requests access only to customer-selected mailboxes (e.g. accounts@, invoices@). You can disconnect and revoke access from Settings. Raw email retention is limited to what is needed for payment-risk assessment and audit.
Data minimisation
Sentra stores only data necessary for payment-risk assessment and audit trails. Sensitive fields such as bank account fragments are encrypted at rest.
Security roadmap
- Supabase/Postgres database — in place
- Authentication — in place
- Row-level security — in place
- Tenant isolation — in place
- Microsoft 365 integration with encrypted token storage — in place
- Multi-factor authentication (MFA)
- User-scoped database client (reduce service-role surface)
- Immutable audit logs
- Data retention controls
- Vulnerability scanning
- Penetration testing
- Cyber Essentials / ISO 27001 direction (later)
Your feedback
We welcome security and product feedback from customers. If you have concerns about data handling or access scope, contact us or use the feedback form.