Invorce

Security

How we keep your data safe and secure

Security is at the core of everything we do at Invorce. We understand that you're trusting us with sensitive business and financial data. We take that responsibility seriously and implement industry-standard security measures to protect your information.

Our Commitment to Transparency

On this page, we're sharing more technical details about our security practices and infrastructure than most companies typically disclose. We believe in transparency and want you to have full confidence in how we protect your data. We're intentionally being open about our tech stack and security measures to build trust with you.

Our Security Measures

Data Encryption

All data transmitted between your browser and our servers is encrypted in transit using TLS (HTTPS). Highly sensitive data is also encrypted at rest in our databases using industry-standard AES-256 encryption.

Encrypted at rest: HMRC access tokens, API credentials, Stripe account details, two-factor authentication secrets, and other sensitive authentication data are encrypted in our database using AES-256-GCM encryption with securely managed keys.
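To make the at-rest claim above concrete, here is an added example (not Invorce's own code) of field-level AES-256-GCM encryption for a stored secret such as an HMRC access token. It uses only the Go standard library. The key, the token value and the `RowAAD` naming are constructed for the demo; the one design point worth noting is that the owning business id is passed as GCM associated data, so a ciphertext copied into another business's row fails authentication instead of decrypting.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"io"
)

// ErrBadKey is returned when the key is not 32 bytes (AES-256).
var ErrBadKey = errors.New("key must be 32 bytes for AES-256")

// EncryptSecret seals plaintext with AES-256-GCM under key and returns the
// base64 string that would be stored in the database column: a fresh random
// 12-byte nonce followed by the ciphertext and the 16-byte GCM tag.
// aad (additional authenticated data) is not encrypted but is covered by the
// tag, so it binds the ciphertext to its owning row.
func EncryptSecret(key, plaintext, aad []byte) (string, error) {
	if len(key) != 32 {
		return "", ErrBadKey
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return "", err
	}
	sealed := gcm.Seal(nonce, nonce, plaintext, aad) // nonce || ciphertext || tag
	return base64.StdEncoding.EncodeToString(sealed), nil
}

// DecryptSecret reverses EncryptSecret. It fails if the key, the aad or any
// byte of the stored value does not match what was sealed.
func DecryptSecret(key []byte, stored string, aad []byte) ([]byte, error) {
	if len(key) != 32 {
		return nil, ErrBadKey
	}
	raw, err := base64.StdEncoding.DecodeString(stored)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(raw) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("stored value too short")
	}
	nonce, ct := raw[:gcm.NonceSize()], raw[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, aad)
}

// RowAAD builds the associated data for one encrypted column of one business.
// Hypothetical naming; the point is that the business id is part of what the
// GCM tag authenticates.
func RowAAD(businessID int, column string) []byte {
	return []byte(fmt.Sprintf("business:%d:%s", businessID, column))
}

func main() {
	// Constructed demo key. In a real service the key comes from a KMS or
	// secrets manager, never from source code.
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	token := []byte("hmrc-access-token-constructed-for-demo")

	stored, err := EncryptSecret(key, token, RowAAD(42, "hmrc_access_token"))
	if err != nil {
		panic(err)
	}
	fmt.Println("stored:", stored)

	pt, err := DecryptSecret(key, stored, RowAAD(42, "hmrc_access_token"))
	fmt.Printf("same row: %q err=%v\n", pt, err)

	// Copying the ciphertext into another business's row fails authentication.
	_, err = DecryptSecret(key, stored, RowAAD(43, "hmrc_access_token"))
	fmt.Println("other business:", err)
}
```

Because the nonce is drawn fresh from `crypto/rand` on every call, encrypting the same token twice yields two different stored values; the 12-byte nonce is stored alongside the ciphertext, so nothing about it needs to be secret, only unique per key.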

Password Security

Passwords are hashed using bcrypt with a high work factor before being stored. We never store plain text passwords and cannot see your password at any time.

Payment Security

We use Stripe for payment processing. Your payment card details never touch our servers - they go directly to Stripe, which is PCI-DSS Level 1 certified (the highest level of security certification).

HMRC Integration Security

Our HMRC integration uses OAuth 2.0 authentication with secure token storage. We only access the HMRC data you explicitly authorize and follow all HMRC security guidelines.

Access Control

Role-based access control ensures team members only see what they need to see. We implement strict authorization checks on all API endpoints and data queries.

Data Isolation

We enforce complete data isolation between businesses. Your data is separated at the database level, and multiple validation layers prevent cross-business data access.

Regular Security Updates

We keep all dependencies up to date and regularly audit our codebase for security vulnerabilities. Security patches are applied promptly.

Server-Side Validation

All user input is validated and sanitized on the server. We never trust client-side validation alone and implement comprehensive checks to prevent injection attacks and data manipulation.

Infrastructure & Hosting

Invorce is hosted on secure, reliable infrastructure with:

  • Automatic backups with point-in-time recovery
  • DDoS protection and rate limiting
  • Monitoring and alerting for security incidents
  • Geographically distributed infrastructure for reliability
  • Regular security audits and penetration testing

Your Privacy Rights

We are committed to protecting your privacy:

  • We don't sell your data. Ever. Your data belongs to you.
  • No advertising. We don't use your data for advertising or share it with advertisers.
  • Minimal data collection. We only collect what's necessary to provide the service.
  • You control your data. Export or delete your data at any time.
  • GDPR compliant. We follow UK and EU data protection regulations.

For more details, see our Privacy Policy.

Reporting Security Vulnerabilities

We take security vulnerabilities seriously. If you discover a security issue, please let us know immediately so we can fix it.

How to Report

Please email security vulnerabilities to:

What to Include

  • Description of the vulnerability
  • Steps to reproduce the issue
  • Potential impact of the vulnerability
  • Any relevant screenshots or proof-of-concept code
  • Your contact information for follow-up

Our Commitment

  • We'll acknowledge your report within 48 hours
  • We'll keep you updated on our progress
  • We'll fix verified vulnerabilities as quickly as possible
  • We'll credit you for the discovery (if you'd like)

Please note: We ask that you not publicly disclose the vulnerability until we've had a chance to fix it. This protects our users and gives us time to patch the issue responsibly. Publicly disclosing a vulnerability before it is fixed can put our users at risk. However, once a reported vulnerability is fixed, we welcome public disclosure and discussion, and encourage others to learn from the findings.

HMRC Integration & Fraud Prevention

As an authorized Making Tax Digital (MTD) software provider, we work directly with HMRC to provide secure tax submission services. We take our responsibility to HMRC and the integrity of the UK tax system seriously.

Put simply (and not at all in legal or formal terms), if we fuck up, that's on us, and we will take full responsibility for that. But if you submit false information, either on purpose or not, that's on you, and Invorce bears no responsibility for that.

Fraud Prevention Information

In accordance with HMRC requirements, we collect and submit fraud prevention information with all HMRC submissions. This includes device information, IP addresses, and connection details that help HMRC detect and prevent fraudulent activity.

User Responsibility & Legal Compliance

Important Legal Notice:

  • You are solely responsible for the accuracy and legality of all information submitted to HMRC through Invorce.
  • Any fraudulent submissions, false information, or tax evasion attempts are entirely the legal responsibility of the user.
  • Invorce is a tool to facilitate legitimate tax submissions - we do not verify the accuracy of your figures or advise on tax matters.
  • We cooperate fully with HMRC and law enforcement investigations into suspected fraud or illegal activity.
  • We log all HMRC submissions and retain records as required by law.

By using Invorce's HMRC integration, you agree that you are using the service for legitimate purposes only and that you will comply with all applicable tax laws and regulations.

What We DON'T Do

  • We don't store your payment card details on our servers
  • We don't sell or share your data with third parties for marketing
  • We don't access your data unless you explicitly request support
  • We don't use your data to train AI models or for analytics beyond improving our service
  • We don't share data between different businesses on our platform

Compliance

Invorce complies with relevant data protection and security standards:

  • UK GDPR: We follow UK data protection regulations
  • Making Tax Digital (MTD): Our HMRC integration is fully MTD compliant
  • Payment Card Industry (PCI): We use Stripe, which is PCI-DSS Level 1 certified
  • Data Protection Act 2018: Full compliance with UK data protection law

Security Questions?

If you have questions about our security practices or would like more information, please contact us:

Security concerns:

security@invorce.com

General questions:

hello@invorce.com
Invorce - Everything UK businesses need