Invorce

Security

How we keep your data safe and secure

Security is at the core of everything we do at Invorce. We understand that you're trusting us with sensitive business and financial data. We take that responsibility seriously and implement industry-standard security measures to protect your information.

Our Commitment to Transparency

On this page, we're sharing more technical details about our security practices and infrastructure than most companies typically disclose. We believe in transparency and want you to have full confidence in how we protect your data. We're intentionally being open about our tech stack and security measures to build trust with you.

Our Security Measures

Data Encryption

All data transmitted between your browser and our servers is encrypted using TLS 1.3 with modern cipher suites. Sensitive business data is encrypted at rest using AES-256-GCM authenticated encryption, providing both confidentiality and integrity protection against tampering.

Per-Business Key Isolation: Each business has a cryptographically unique 256-bit encryption key generated using a secure random number generator. Your encryption key is itself encrypted with our master key using envelope encryption, meaning database access alone cannot decrypt your data. This architecture enables future key rotation without re-encrypting all data.

Encryption Controllers & Key Management: We've built dedicated encryption controllers that handle all cryptographic operations. When data is retrieved from the database, your encrypted business key is fetched and decrypted in-memory using our master key (which is never stored in the database). This decrypted business key is then used to decrypt the actual field values. The master key exists only in application memory and secure environment variables, completely isolated from the database layer.

Key Caching: To avoid the overhead of repeated key decryption operations, we implement an in-memory cache for decrypted business keys. Once your business key is decrypted, it's held in memory for 5 minutes before being automatically purged. This means subsequent database operations within that window don't require repeated master key decryption, significantly reducing latency while maintaining security. The cache is process-local and never persisted to disk.

Encrypted at Rest: The following fields are encrypted at rest: customer and supplier PII (phone numbers, addresses, company names, tax IDs, VAT numbers), invoice and quote notes, line items, payment records, expense details, mileage logs, time entries, bank account details (account numbers, sort codes, IBAN, SWIFT/BIC), and business payment instructions.

Third-Party API Credentials: Stripe API keys, OAuth refresh tokens, and two-factor authentication TOTP secrets are encrypted using the same AES-256-GCM scheme. These credentials never appear in logs or error reports.
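The per-business key isolation, envelope encryption and rotation-without-re-encryption described above, shown as an added Go illustration that is not Invorce's own code (Invorce's stack and its exact wrapping format are not disclosed on this page). It assumes 32-byte master and business keys held only in memory, a `nonce || ciphertext || tag` storage layout, and a constructed `dek:<businessID>` associated-data convention for wrapped keys.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// gcmFor builds an AES-256-GCM AEAD; key must be 32 bytes.
func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}
// seal encrypts pt with a fresh random 96-bit nonce (prepended to the output)
// and binds aad, e.g. business ID plus field name, into the authentication tag.
func seal(key, pt, aad []byte) ([]byte, error) {
	g, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return g.Seal(nonce, nonce, pt, aad), nil
}
// open reverses seal; any change to nonce, ciphertext, tag or aad is rejected.
func open(key, sealed, aad []byte) ([]byte, error) {
	g, err := gcmFor(key)
	if err != nil || len(sealed) < g.NonceSize() {
		return nil, errors.New("bad key or ciphertext too short")
	}
	return g.Open(nil, sealed[:g.NonceSize()], sealed[g.NonceSize():], aad)
}
// dekAAD (assumed convention) ties a wrapped business key (DEK) to its business ID.
func dekAAD(businessID string) []byte { return []byte("dek:" + businessID) }

// RewrapBusinessKey rotates the master key (KEK): the DEK is unwrapped under the
// old KEK and wrapped again under the new one, so field data is never touched.
func RewrapBusinessKey(oldMaster, newMaster, wrapped []byte, businessID string) ([]byte, error) {
	dek, err := open(oldMaster, wrapped, dekAAD(businessID))
	if err != nil {
		return nil, err
	}
	return seal(newMaster, dek, dekAAD(businessID))
}
```

Because the business ID and field name are bound into the associated data, a ciphertext or wrapped key copied into another business's row fails to decrypt instead of silently succeeding.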

Password Security

Passwords are hashed using bcrypt with a high work factor before being stored. We never store plaintext passwords and cannot see your password at any time.

Payment Security

We use Stripe for payment processing. Your payment card details never touch our servers - they go directly to Stripe, which is PCI-DSS Level 1 certified (the highest level of security certification).

Access Control

Role-based access control ensures team members only see what they need to see. We implement strict authorization checks on all API endpoints and data queries.

Data Isolation

We maintain complete data isolation between businesses: your data is separated at the database level, and multiple validation layers prevent cross-business data access.

Regular Security Updates

We keep all dependencies up to date and regularly audit our codebase for security vulnerabilities. Security patches are applied promptly.

Server-Side Validation

All user input is validated and sanitized on the server. We never trust client-side validation alone and implement comprehensive checks to prevent injection attacks and data manipulation.

Infrastructure & Hosting

Invorce is hosted on secure, reliable infrastructure with:

  • Automatic backups with point-in-time recovery
  • DDoS protection and rate limiting
  • Monitoring and alerting for security incidents
  • Geographically distributed infrastructure for reliability
  • Regular security audits and penetration testing

Your Privacy Rights

We are committed to protecting your privacy:

  • We don't sell your data. Ever. Your data belongs to you.
  • No advertising. We don't use your data for advertising or share it with advertisers.
  • Minimal data collection. We only collect what's necessary to provide the service.
  • You control your data. Export or delete your data at any time.
  • GDPR compliant. We follow UK and EU data protection regulations.

For more details, see our Privacy Policy.

Reporting Security Vulnerabilities

We take security vulnerabilities seriously. If you discover a security issue, please let us know immediately so we can fix it.

How to Report

Please email security vulnerabilities to:

What to Include

  • Description of the vulnerability
  • Steps to reproduce the issue
  • Potential impact of the vulnerability
  • Any relevant screenshots or proof-of-concept code
  • Your contact information for follow-up

Our Commitment

  • We'll acknowledge your report within 48 hours
  • We'll keep you updated on our progress
  • We'll fix verified vulnerabilities as quickly as possible
  • We'll credit you for the discovery (if you'd like)

Please note: We ask that you not publicly disclose the vulnerability until we've had a chance to fix it. This protects our users and gives us time to patch the issue responsibly. Publicly disclosing a vulnerability before it is fixed can put our users at risk. However, after a report is fixed, we welcome public disclosure and discussion, and encourage others to learn from the findings.

What We DON'T Do

  • We don't store your payment card details on our servers
  • We don't sell or share your data with third parties for marketing
  • We don't access your data unless you explicitly request support
  • We don't use your data to train AI models or for analytics beyond improving our service
  • We don't share data between different businesses on our platform

Compliance

Invorce complies with relevant data protection and security standards:

  • UK GDPR: We follow UK data protection regulations
  • Payment Card Industry (PCI): We use Stripe, which is PCI-DSS Level 1 certified
  • Data Protection Act 2018: Full compliance with UK data protection law

Security Questions?

If you have questions about our security practices or would like more information, please contact us:

Security concerns:

security@invorce.com

General questions:

hello@invorce.com
Invorce - Everything UK businesses need