Invoiccy

Security

Last updated: TBD

Draft — final policy pending legal review

Invoiccy handles money. We treat your data and your credentials with the same care we'd want from a bank.

Payment credentials

Your Stripe / Paystack / Flutterwave secret keys are encrypted with AES-256-GCM before being written to the database. Decryption only happens in-memory inside the API when initiating a charge or verifying a webhook signature.

Multi-tenant isolation

Every business-data table is scoped to a workspace. Every query filters on workspace ID, enforced by a server-side preHandler hook before any route handler runs. We test this isolation as part of every release.
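
A sketch of how the encryption at rest described under "Payment credentials" can be done with Node's built-in crypto module, as an added example that is not Invoiccy's code. It goes beyond what this page states: the function names, the nonce/tag/ciphertext storage layout, and binding the workspace ID as additional authenticated data (so a stored blob only decrypts for the workspace it was written for) are all assumptions.

```javascript
// Added example, not Invoiccy's code. Function names, the storage layout and
// the use of the workspace ID as AAD are assumptions made for illustration.
const crypto = require("node:crypto");

const NONCE_LEN = 12; // 96-bit nonce, the standard size for GCM
const TAG_LEN = 16;   // 128-bit authentication tag

// Encrypt a provider secret for storage. workspaceId is bound as additional
// authenticated data (AAD): it is not encrypted, but decryption fails without it.
function sealSecret(masterKey, workspaceId, plaintext) {
  if (masterKey.length !== 32) throw new Error("AES-256 needs a 32-byte key");
  const nonce = crypto.randomBytes(NONCE_LEN); // fresh for every encryption
  const cipher = crypto.createCipheriv("aes-256-gcm", masterKey, nonce);
  cipher.setAAD(Buffer.from(workspaceId, "utf8"));
  const ct = Buffer.concat([cipher.update(plaintext, "utf8"), cipher.final()]);
  // Assumed stored layout: nonce || tag || ciphertext, base64-encoded
  return Buffer.concat([nonce, cipher.getAuthTag(), ct]).toString("base64");
}

// Decrypt in memory. Throws if the key, workspace ID, tag or ciphertext is wrong.
function openSecret(masterKey, workspaceId, stored) {
  const blob = Buffer.from(stored, "base64");
  if (blob.length < NONCE_LEN + TAG_LEN) throw new Error("blob too short");
  const nonce = blob.subarray(0, NONCE_LEN);
  const tag = blob.subarray(NONCE_LEN, NONCE_LEN + TAG_LEN);
  const ct = blob.subarray(NONCE_LEN + TAG_LEN);
  const decipher = crypto.createDecipheriv("aes-256-gcm", masterKey, nonce, {
    authTagLength: TAG_LEN,
  });
  decipher.setAAD(Buffer.from(workspaceId, "utf8"));
  decipher.setAuthTag(tag);
  // final() verifies the tag and throws on any mismatch
  return Buffer.concat([decipher.update(ct), decipher.final()]).toString("utf8");
}

// Constructed sample values, for demonstration only
const demoKey = crypto.randomBytes(32);
const demoBlob = sealSecret(demoKey, "ws_demo", "constructed-provider-secret");
console.log(openSecret(demoKey, "ws_demo", demoBlob));
```

Because GCM authenticates as well as encrypts, a modified database row or a blob copied into another workspace's row fails to decrypt instead of returning a wrong key.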

Reporting an issue

Found a security bug? Email security@invoiccy.com and we'll get back to you within 48 hours. Please don't open a public issue or post to social before we've had a chance to fix it.