Security

Encryption in Transit

All data transmitted between your browser and our servers is encrypted using Transport Layer Security (TLS 1.3). This ensures that your information cannot be intercepted or tampered with during transmission.

• HTTPS enforced across all services
• TLS 1.3 with strong cipher suites
• HTTP Strict Transport Security (HSTS) enabled

Encryption at Rest

Your data is encrypted when stored on our servers using AES-256 encryption, the same standard used by financial institutions and government agencies.

• Database encryption using AES-256-GCM for all sensitive data
• Encrypted file storage in our Vault with server-side encryption
• PDF documents and invoices encrypted before storage
• Encryption keys rotated regularly and stored securely

Strong Authentication

We implement robust authentication mechanisms to ensure only authorized users can access your account:

• OAuth 2.0 integration with Google for secure sign-in
• Email verification required for new accounts
• Session management with secure, HTTP-only cookies

API Security

Our API endpoints are protected with multiple layers of security:

• API key authentication with unique keys per organization
• Role-based access control (RBAC) for team members
• IP-based rate limiting to prevent abuse
• Comprehensive logging of all API access

Organization-Level Security

Control who has access to your organization's data:

• Team member roles with granular permissions (Owner, Admin, Member)
• Invitation-only team member additions
• Ability to revoke access instantly
• Audit logs for team member activities

Hosting & Infrastructure

Our infrastructure is built on industry-leading cloud providers with enterprise-grade security:

• Regular automated backups with encryption
• Geographic redundancy for data resilience
• DDoS protection and web application firewall (WAF)

Protection Against Attacks

• Cross-Site Scripting (XSS) prevention through content security policies
• Cross-Site Request Forgery (CSRF) protection with token validation
• SQL injection prevention via parameterized queries (Prisma)
• Clickjacking protection with X-Frame-Options headers
• CORS policies configured to allow only trusted origins
• Rate limiting on all endpoints to prevent abuse

File Upload Security

Our Vault feature implements strict file upload security:

• File type validation and restrictions
• File size limits enforced
• Secure storage with access control
• Generated share links with expiration and password protection

Data Isolation

Your data is isolated and protected from other users:

• Multi-tenant architecture with strict data segregation
• Organization-level data access controls enforced at the database level
• Row-level security policies preventing cross-organization data access
• Separate storage buckets for each organization's files

Privacy by Design

• We collect only the data necessary to provide our services
• Personal data is not shared with third parties except as required to deliver services
• Transparent Privacy Policy explaining data usage

Data Retention

• Data is retained only as long as necessary for business purposes
• Automated deletion of expired share links and temporary data
• Account deletion process that removes all associated data

Continuous Monitoring

• 24/7 automated monitoring of our systems
• Real-time alerting for security incidents
• Application performance monitoring to detect anomalies
• Database query monitoring for suspicious activity
• Failed login attempt tracking and blocking
• Comprehensive logging of all system activities