Security Overview

Last updated: June 2026

This page describes the controls that are live today and the ones we are actively working toward. We have kept it honest: where something is in progress, we say so, rather than implying a certification we do not yet hold.

01 Tenant isolation

Every organization’s data is isolated at the database layer using row-level security. Access is scoped to the caller’s organization on every query, so one customer cannot read or write another customer’s data. This is enforced in the database, not only in application code.
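As an added illustration of what "enforced in the database, not only in application code" means in practice, here is a constructed PostgreSQL row-level-security policy that scopes every query to the caller's organization and fails closed when no organization has been set. This is example code, not Benchside's schema; the table, role and setting names are assumptions.

```sql
-- Constructed example: a tenant-owned table. Column and table names are
-- assumptions, not Benchside's actual schema.
CREATE TABLE deals (
  id      bigserial PRIMARY KEY,
  org_id  uuid NOT NULL,
  title   text NOT NULL
);

-- Role the API server connects as. It owns no tables, so it cannot bypass
-- RLS the way a table owner or superuser can.
CREATE ROLE app_user NOLOGIN;
GRANT SELECT, INSERT, UPDATE, DELETE ON deals TO app_user;

-- ENABLE turns RLS on; FORCE makes the policy apply to the table owner too,
-- so a privileged maintenance connection does not silently see every tenant.
ALTER TABLE deals ENABLE ROW LEVEL SECURITY;
ALTER TABLE deals FORCE ROW LEVEL SECURITY;

-- The application sets the caller's organization once per request, inside
-- the transaction, via a custom setting (name is an assumption):
--   SET LOCAL app.current_org = '<org uuid>';
-- current_setting(..., true) yields NULL (or '' in some sessions) when the
-- setting was never supplied; NULLIF turns '' into NULL, and a NULL
-- comparison matches no rows, so a request with no org context sees
-- nothing and can write nothing rather than seeing everything.
CREATE POLICY org_isolation ON deals
  FOR ALL
  TO app_user
  USING      (org_id = NULLIF(current_setting('app.current_org', true), '')::uuid)
  WITH CHECK (org_id = NULLIF(current_setting('app.current_org', true), '')::uuid);

-- Per-request usage by the application (constructed UUIDs):
-- BEGIN;
-- SET LOCAL app.current_org = '11111111-1111-1111-1111-111111111111';
-- SELECT * FROM deals;   -- returns only that organization's rows
-- INSERT INTO deals (org_id, title)
--   VALUES ('22222222-2222-2222-2222-222222222222', 'x');  -- rejected by WITH CHECK
-- COMMIT;
```

The USING clause filters reads and the WITH CHECK clause rejects writes whose org_id differs from the caller's, so a bug in application code that forgets a WHERE clause still cannot cross tenants.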

02 Encryption

Data is encrypted in transit using TLS and at rest by our infrastructure providers. OAuth tokens for third-party integrations are additionally encrypted at the application layer with AES-256-GCM, and encryption keys are never written to logs.

03 Access control

Role-based access control (admin, member, viewer) governs what each user can do, enforced on the server. Production access is restricted to authorized personnel and is logged. Multi-factor authentication and enterprise single sign-on are on the near-term roadmap (see status below).

04 Audit logging

Security-relevant actions are recorded to an append-only audit log with the actor, timestamp, and source IP address. Administrators can review account activity, and audit export is available to enterprise customers.

05 Application hardening

Standing controls in the application include:

  • Content Security Policy, HSTS, and clickjacking protection on all responses.
  • Rate limiting on sensitive endpoints, with expensive operations failing closed.
  • Request size limits and input sanitization, including defenses against prompt injection.
  • Signed, replay-protected payment webhooks.
  • Structured logging that never records secrets, tokens, or stack traces in production output.

06 Monitoring and response

Errors and anomalies are captured through our monitoring provider. We maintain a health endpoint for uptime monitoring and are building out alerting and a public status page.

07 Compliance status (honest)

  • SOC 2 Type II: in progress. We are implementing the controls and will begin the observation window before claiming certification.
  • GDPR / CCPA: we support data export and deletion requests and align our practices to these regulations.
  • Enterprise SSO (SAML / OIDC), SCIM, and enforced MFA: on the active roadmap; not yet generally available.

We will update this section as controls move from in-progress to live. If you have a security questionnaire, send it to security@benchside.ai and we will complete it accurately.

08 Reporting a vulnerability

We welcome responsible disclosure. Email security@benchside.ai with details and steps to reproduce. Please do not test against production data belonging to other customers.

Questions about this page? Email privacy@benchside.ai. For security disclosures, email security@benchside.ai.