
How we protect your invoice data

The concrete technical and organizational controls behind the Service, written in plain language. Every claim on this page maps to production code or a named sub-processor.

TLS enforced
No data sold
Per-workspace isolation
US-hosted

Transport Security

All connections use enforced HTTPS/TLS. No unencrypted connections are accepted at any endpoint.

TLS enforced on all API and web endpoints
HSTS headers with strict transport security
Session cookies are Secure, HttpOnly, and SameSite

Credential Storage

API keys are hashed with SHA-256 before storage. We never store plaintext credentials. ERP integration tokens (QuickBooks Online, Xero, Zoho Books) are encrypted at rest using Fernet symmetric encryption with a server-held key.

API keys hashed with SHA-256 — never stored in plain text
QuickBooks, Xero & Zoho OAuth tokens Fernet-encrypted at rest
Full API key shown only once at creation
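The API-key lifecycle described above, as an added illustration written for this page (not InvoiceParser Pro's own code): the plaintext is returned exactly once, only its SHA-256 digest is stored, and lookups go by digest. The "ipp_" prefix and the in-memory table are constructed stand-ins; the Fernet encryption of ERP tokens is not shown.

```python
"""API-key handling of the kind described above (added illustration, not
InvoiceParser Pro's code): the full key is returned exactly once, only its
SHA-256 digest is stored, and lookup is by digest. The Fernet encryption of
ERP tokens mentioned on the page is not shown here."""
import hashlib
import secrets
from typing import Dict, Optional, Tuple

PREFIX_LEN = 8   # leading characters kept in clear so the UI can label keys

# Constructed in-memory stand-in for the api_keys table: digest -> record
_KEYS_BY_DIGEST: Dict[str, dict] = {}


def _digest(api_key: str) -> str:
    # Keys are 256-bit random secrets, so a plain SHA-256 digest (no salt or
    # password-stretching KDF) is adequate: guessing the preimage is infeasible.
    return hashlib.sha256(api_key.encode("utf-8")).hexdigest()


def create_api_key(workspace_id: str) -> Tuple[str, str]:
    """Mint a key and return (key_id, plaintext); plaintext is shown once."""
    plaintext = "ipp_" + secrets.token_urlsafe(32)   # "ipp_" prefix is assumed
    key_id = secrets.token_hex(8)
    _KEYS_BY_DIGEST[_digest(plaintext)] = {
        "key_id": key_id,
        "workspace_id": workspace_id,
        "prefix": plaintext[:PREFIX_LEN],   # e.g. "ipp_Ab3x", for display only
        "revoked": False,
    }
    return key_id, plaintext


def lookup_workspace(presented_key: str) -> Optional[str]:
    """Resolve a presented key to its workspace, or None if unknown/revoked."""
    rec = _KEYS_BY_DIGEST.get(_digest(presented_key))
    if rec is None or rec["revoked"]:
        return None
    return rec["workspace_id"]


def revoke_api_key(key_id: str) -> bool:
    """Revoke by id (the UI never holds the plaintext); True if found."""
    for rec in _KEYS_BY_DIGEST.values():
        if rec["key_id"] == key_id:
            rec["revoked"] = True
            return True
    return False
```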

Data Isolation

Each workspace's invoice data is scoped at the query layer. No cross-tenant access path exists. Files are stored per-workspace in Cloudflare R2 (US region) and extracted data is scoped per-workspace in our Postgres database.

Per-workspace query scoping — no cross-tenant reads
Files stored in Cloudflare R2 (US region), scoped per workspace
Postgres on Railway (US region), per-workspace row filtering
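One way to make per-workspace query scoping impossible to forget, as an added example (not the Service's code): a repository object bound to a single workspace adds the workspace_id predicate to every query itself. In-memory SQLite stands in for Postgres and the two invoice rows are constructed.

```python
"""Per-workspace query scoping (added illustration, not the Service's code):
every read goes through a repository bound to one workspace, so the
workspace_id predicate cannot be left off at a call site. In-memory SQLite
stands in for Postgres; the rows inserted below are constructed."""
import sqlite3
from typing import List, Optional, Tuple

SCHEMA = """
CREATE TABLE invoices (
    id TEXT PRIMARY KEY,
    workspace_id TEXT NOT NULL,
    vendor TEXT NOT NULL,
    total_cents INTEGER NOT NULL
);
"""


def open_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany(
        "INSERT INTO invoices VALUES (?, ?, ?, ?)",
        [("inv_1", "ws_acme", "Paper Co", 12050),
         ("inv_2", "ws_globex", "Toner Ltd", 9900)],
    )
    return conn


class WorkspaceInvoices:
    """Every query carries the bound workspace_id; callers never pass it."""

    def __init__(self, conn: sqlite3.Connection, workspace_id: str):
        self._conn = conn
        self._ws = workspace_id

    def get(self, invoice_id: str) -> Optional[Tuple[str, str, int]]:
        # A valid id belonging to another tenant yields None, never its row.
        return self._conn.execute(
            "SELECT id, vendor, total_cents FROM invoices "
            "WHERE id = ? AND workspace_id = ?",
            (invoice_id, self._ws),
        ).fetchone()

    def list_ids(self) -> List[str]:
        rows = self._conn.execute(
            "SELECT id FROM invoices WHERE workspace_id = ? ORDER BY id",
            (self._ws,),
        ).fetchall()
        return [r[0] for r in rows]
```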

Access Controls

Four-tier role-based access control across all features: Owner, Admin, Member, and Read-only. Permissions are enforced at the API layer, not just in the UI. Every significant action is logged.

Owner, Admin, Member, and Read-only roles
API-layer permission enforcement — not just UI gating
Audit log on all significant actions

Data Retention

You choose how long we retain your original uploaded files: 7 years (recommended, IRS-aligned), 3 years, 1 year, or Permanent. Extracted data is retained for the life of your account. Expired files are hard-deleted by automated retention jobs.

7 years / 3 years / 1 year / Permanent — user-configurable
Hard delete on expiry — no soft-delete shadow
Scheduled retention cleanup jobs enforce the chosen window

Infrastructure Security

CSRF mitigation via Origin/Referer validation on all state-changing requests. Per-user rate limiting on upload endpoints. Security headers enforced on every response.

CSRF protection via Origin/Referer validation
Per-user rate limiting on upload endpoints
X-Frame-Options, X-Content-Type-Options, CSP headers
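The Origin/Referer rule and fixed response headers from this section, as an added example (not the Service's code): Origin is checked first, Referer is the fallback when Origin is absent, and a missing, "null" or foreign value rejects the request. The allowed origin and header values are constructed.

```python
"""Origin/Referer check for state-changing requests, as described above
(added illustration, not the Service's code). Origin is preferred, Referer
is the fallback, and a missing or mismatched value rejects the request."""
from typing import Mapping, Optional
from urllib.parse import urlsplit

ALLOWED_ORIGINS = {"https://app.example.invalid"}   # constructed placeholder
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}

SECURITY_HEADERS = {                                 # constructed values
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
}


def _origin_of(url: str) -> Optional[str]:
    """Reduce a URL to scheme://host[:port]; None if it has no host."""
    parts = urlsplit(url)
    if not parts.scheme or not parts.netloc:
        return None
    return f"{parts.scheme}://{parts.netloc}".lower()


def csrf_allowed(method: str, headers: Mapping[str, str]) -> bool:
    """True if the request may proceed under the Origin/Referer rule."""
    if method.upper() in SAFE_METHODS:
        return True                      # reads are not CSRF targets
    lower = {k.lower(): v for k, v in headers.items()}
    origin = lower.get("origin")
    if origin == "null":
        return False                     # opaque origin: never trusted
    if origin is None:
        referer = lower.get("referer")
        if referer is None:
            return False                 # neither header present: reject
        origin = _origin_of(referer)
        if origin is None:
            return False
    return origin.lower() in ALLOWED_ORIGINS


def with_security_headers(response_headers: dict) -> dict:
    """Merge the fixed headers into every response; they cannot be overridden."""
    return {**response_headers, **SECURITY_HEADERS}
```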

Every control on this page is a visible setting — not a marketing claim.

Retention windows, four-tier role-based access, and a full audit trail of every significant action. Procurement and compliance reviews can verify each one inside a trial workspace.

[Screenshot: InvoiceParser Pro workspace Settings panel showing the File Retention control set to 7 years (recommended) with 3-year, 1-year, and Permanent options, aligned with the IRS 7-year record-keeping requirement]

File retention

Choose 7 years (IRS-recommended), 3 years, 1 year, or Permanent. Extracted data is always retained; original files are hard-deleted on expiry.

[Screenshot: InvoiceParser Pro Team panel with role dropdown open showing Admin (full access), Member (can process and export), and Read-only (view only)]

Four-tier RBAC

Owner, Admin, Member, and Read-only. Permissions are enforced at the API layer — not just UI gating.

[Screenshot: InvoiceParser Pro Activity audit log showing client and team changes with timestamps]

Audit log

Every significant action — uploads, exports, team and client changes — is logged with user, timestamp, and context. Exportable to CSV.

Every service that touches your data

Named by role, with the region they operate in. All core infrastructure is hosted in the United States. See our Privacy Policy for the full disclosure, including what each provider does with your data.

Provider                    | Role                                               | Region
Azure Document Intelligence | Primary OCR / layout extraction                    | US
OpenAI (GPT-4o)             | Structured enrichment from Azure output            | US
Cloudflare R2               | Object storage for original uploaded files         | US
Railway Postgres            | Primary application database                       | US
Vercel                      | Frontend hosting and edge delivery                 | US
Valkey / Redis              | In-memory cache and job queue (no invoice content) | US
Stripe                      | Payment processing                                 | US
Resend                      | Transactional email delivery                       | US
Mailgun                     | Additional transactional email delivery            | US
Sentry                      | Error tracking and performance monitoring          | US
PostHog                     | Product analytics and session replay               | US

Authentication providers

Optional third-party sign-in. These providers authenticate your identity only — they never receive invoice content, extracted data, or account data beyond the email address they return to us.

Provider  | Role
Google    | Optional "Sign in with Google": authenticates identity and returns a verified email. Receives no invoice or account data.
Microsoft | Optional "Sign in with Microsoft": authenticates identity and returns a verified email. Receives no invoice or account data.

All infrastructure is US-hosted

Our primary database (Railway Postgres), object storage (Cloudflare R2), and extraction pipeline (Azure Document Intelligence and OpenAI) all operate in the United States. If you access the Service from the European Economic Area, the United Kingdom, Switzerland, or any other region outside the United States, your data will be transferred to, stored, and processed in the US in the ordinary course of providing the Service.

If you require a Data Processing Addendum to satisfy your own GDPR or contractual obligations, contact us at security@invoiceparserpro.com.

Where we are. Where we're going.

The controls described above are live in production today. The items below are on the roadmap but not yet in place. We will update this page when their status changes.

SOC 2 Type II: Planned
GDPR Data Processing Addendum: Planned
File-level encryption at rest: Planned
SSO / SAML: Planned

Questions about security?

We answer technical security questions directly. Email security@invoiceparserpro.com.

We aim to acknowledge security inquiries within one business day.

Last updated: April 2026