Specific controls for sensitive invoice operations.
Invoice automation handles banking details, tax identifiers, vendor pricing, and contracts. InvoiceOps documents implemented security controls clearly and separates current capabilities from roadmap items.
Security posture
InvoiceOps applies encryption, authenticated access, tamper-resistant audit trails, and a secure development pipeline as baseline controls for financial document workflows.
Encryption in transit and at rest
TLS for all network communications. Invoice files and backups stored with AES-256 server-side encryption. OAuth integration credentials encrypted at the application layer.
Authentication and access control
Clerk-managed identity with RS256 JWT verification and JWKS rotation. Organization-scoped role-based permissions enforced on every protected request.
Tamper-resistant audit trails
Authentication, access, approval, export, billing, and integration events written to append-only records with database-level write restrictions.
Rate limiting and security headers
All endpoints are rate-limited. HSTS, Content Security Policy, anti-framing, and content-type protections enforced on every application response.
Webhook and integration security
Stripe and SendGrid webhooks verified with HMAC-SHA256 signatures. QuickBooks OAuth tokens encrypted at rest. Webhook replay prevented with event-level idempotency.
Secure development pipeline
Every deployment runs Python SAST (Bandit), dependency CVE scanning (pip-audit), and secret scanning (Gitleaks) before reaching production.
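The webhook controls listed above (HMAC-SHA256 signature verification plus event-level idempotency against replay) look like this in practice. The code below is an added illustration, not InvoiceOps' own implementation; it assumes a Stripe-style `t=<unix>,v1=<hex>` signature header over `"<timestamp>.<body>"`, a constructed shared secret, and an in-memory set standing in for a database unique constraint on event ids.

```python
import hashlib
import hmac
import json
import time

# Constructed secret for the example; a real deployment loads it from the environment.
WEBHOOK_SECRET = b"whsec_constructed_example_secret"
# Reject signatures whose timestamp is further than this from the receiver's clock.
TOLERANCE_SECONDS = 300


def sign_payload(secret: bytes, timestamp: int, body: bytes) -> str:
    """HMAC-SHA256 over "<timestamp>.<body>", hex-encoded (assumed Stripe-style scheme)."""
    signed = str(timestamp).encode() + b"." + body
    return hmac.new(secret, signed, hashlib.sha256).hexdigest()


def parse_signature_header(header: str) -> tuple[int, str]:
    """Parse "t=<unix>,v1=<hex>" into (timestamp, signature); raises on malformed input."""
    parts = dict(item.split("=", 1) for item in header.split(","))
    return int(parts["t"]), parts["v1"]


class WebhookReceiver:
    """Verifies webhook signatures and suppresses replayed deliveries by event id."""

    def __init__(self, secret: bytes, now=time.time):
        self.secret = secret
        self.now = now  # injectable clock so the tolerance check is testable
        self.seen_event_ids: set[str] = set()  # production: DB unique index on event id

    def verify(self, body: bytes, header: str) -> bool:
        try:
            ts, provided = parse_signature_header(header)
        except (KeyError, ValueError):
            return False  # malformed header is treated as unsigned
        if abs(int(self.now()) - ts) > TOLERANCE_SECONDS:
            return False  # stale or future-dated signature: outside the replay window
        expected = sign_payload(self.secret, ts, body)
        return hmac.compare_digest(expected.encode(), provided.encode())  # constant time

    def handle(self, body: bytes, header: str) -> str:
        """Returns 'rejected', 'duplicate', or 'processed' for one delivery."""
        if not self.verify(body, header):
            return "rejected"
        event_id = json.loads(body)["id"]
        if event_id in self.seen_event_ids:
            return "duplicate"  # redelivery of a known event: acknowledge, do not re-run side effects
        self.seen_event_ids.add(event_id)
        return "processed"
```

Note that the timestamp tolerance only narrows the replay window; the event-id check is what stops a valid, recently signed delivery from being applied twice.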
What is encrypted and where.
Encryption claims are scoped to actual storage and transport layers. InvoiceOps must decrypt invoices to extract, display, and export their contents — this is server-side encryption at rest and in transit, not client-side end-to-end encryption.
| Data | Protection |
|---|---|
| Invoice files | AES-256 server-side encryption at Cloudflare R2 |
| Database backups | AES-256 server-side encryption at Cloudflare R2 |
| Data in transit | TLS on all API, web, and storage connections |
| OAuth tokens | AES-256 application-layer encryption (Fernet) |
| Database | TLS enforced; cloud provider at-rest encryption |
| Temporary files | In-memory or cleaned up via OS temp isolation |
Append-only records with tamper resistance.
Audit records are stored with database-level write restrictions that prevent the application from updating or deleting entries. Identity-provider events (Clerk) are separate from InvoiceOps application logs.
Encrypted backups before every deployment.
The database is backed up to Cloudflare R2 (AES-256) before each production deployment. Invoice files are stored in R2 with server-side encryption. Backup retention and restoration testing are documented in the operational runbook.
Retention, deletion, and export rights.
Free-plan invoice records are retained for 7 days. Paid-plan retention follows the subscription tier. Users can delete individual jobs or all jobs at any time through the dashboard. Invoice data shared with AI processors (Gemini API) is processed ephemerally and not retained for training. Deleted records are removed from active storage; backup expiration follows the backup retention schedule.
Who handles invoice data.
We do not sell invoice data or use it for advertising. Data is shared only with authorized subprocessors necessary to provide the service, under contractual confidentiality and data-protection obligations.
| Subprocessor | Purpose |
|---|---|
| Clerk | Identity, authentication, and session management |
| Stripe | Payment processing and subscription billing |
| Cloudflare R2 | Invoice file and backup storage |
| Supabase / Neon / RDS | Relational database hosting |
| SendGrid | Transactional email delivery |
| Google Gemini API | AI-assisted invoice field extraction (ephemeral — not retained for training) |
| Intuit / QuickBooks | Accounting sync when connected by the user |
Security contact and notification commitment.
InvoiceOps monitors infrastructure and application health continuously. In the event of a confirmed security incident, we contain, investigate, and notify affected customers within 72 hours of confirmed impact. A post-incident summary is shared with affected parties.
To report a security concern: security@invoiceops.ai
What runs in the deployment pipeline.
Every production deployment runs Python SAST (Bandit) to catch security anti-patterns, pip-audit to scan dependencies against the CVE database, and Gitleaks to detect accidentally committed secrets. Pull requests require peer review. The main branch is protected against direct pushes.
