Security at Andora

We treat spend, infrastructure, and identity data with the same rigor you expect from a financial system. This page outlines our current practices and principles.

Security principles

Least privilege, strong isolation boundaries, and clear auditability guide every product and infrastructure decision we make.

Data protection

All communication with Andora is encrypted in transit using TLS. Customer data is stored in hardened, access-controlled environments that are strictly separated from one another.

We minimize the data we store. For many providers we work only with metadata and usage signals, not raw payloads.

Access control

Internal access to production systems is tightly restricted and logged. Role-based access controls ensure that only the minimum set of people and services can access sensitive data.

Secrets & credentials

Provider credentials and API keys are stored using managed secret stores. We never commit secrets to source control, and we encourage customers to rotate keys regularly.

Compliance roadmap

As we grow, we're investing in formal certifications (SOC 2, ISO 27001) and third-party audits. If you have specific compliance requirements, reach out and we can walk through our current controls.

Report a security issue

If you believe you've found a vulnerability or security-sensitive bug in Andora, please email security@useandora.com.

We take all reports seriously and will respond as quickly as possible. Please avoid sharing sensitive details in public channels.