Security

How we protect customer data

We are an early-stage company and we are honest about it. This page documents the security controls we have in place today and the certifications we plan to add as we grow.

Effective: May 7, 2026
Last updated: May 7, 2026

Architecture overview

Invoset is built on managed infrastructure operated by reputable providers. The customer-facing application runs on Vercel. The scanning backend and worker queue run on Render. Customer data, authentication, and report storage are managed by Supabase (Postgres, Auth, Object Storage).

All inter-service traffic is over TLS. Public endpoints serve only HTTPS. Production environments are isolated from development and staging.

Authentication and access control

  • Email and password sign-in handled by Supabase Auth, which uses bcrypt-style password hashing
  • Optional single sign-on for business plans (planned)
  • Row-level security policies enforce that customers can only read and write data they own
  • Service role keys are scoped to backend services, never exposed to the browser
  • Internal access to production data is limited to founding personnel and logged

Data protection

  • Encryption in transit using TLS 1.2 or higher
  • Encryption at rest applied by underlying managed services
  • Sensitive secrets (Stripe keys, scanner credentials, OpenAI API keys) stored only in encrypted environment variables on the host platform
  • No customer payment card data ever transits or is stored on our servers; Stripe handles card capture and tokenization end to end

Scan data handling

  • Pages we crawl are stored in compressed form for the duration needed to generate a report
  • Findings and remediation logs are retained for the life of the customer's account plus seven years to support evidence-of-effort needs
  • Customers may request earlier deletion via a privacy request
  • We do not sell or share scan data with third parties for advertising

Compliance roadmap

We do not currently hold SOC 2 Type II or ISO 27001 certification. We expect to begin a SOC 2 Type I engagement in 2026 Q4 or when an enterprise customer requires it, whichever comes first. ISO 27001 is on the roadmap for 2027.

Incident response

  • Security alerts and infrastructure events are monitored continuously
  • Material incidents that affect customer data are disclosed to affected customers within 72 hours
  • Post-incident reports are shared with the affected accounts and updated as remediation completes

Reporting a vulnerability

If you believe you have found a security vulnerability in Invoset, email security@invoset.com with as much detail as possible (steps to reproduce, environment, and your contact information). We do not run a paid bug bounty program at this stage, but we acknowledge serious reports promptly, fix critical issues within a reasonable timeframe, and credit responsible reporters in our changelog if they wish.

Customer responsibility

Security is a shared model. We ask customers to:

  • Use a unique password and enable any available second factor
  • Limit access to the dashboard to people inside the organization
  • Notify us immediately at hello@invoset.com if an account is suspected to be compromised