All communication between your device, your servers, and Invoiced is encrypted over HTTPS. More specifically, our HTTPS configuration exclusively uses Transport Layer Security (TLS) v1.1 and up with forward secrecy.
We send HSTS headers to instruct web browsers that invoiced.com and all of our subdomains are only accessible over HTTPS. Also, most major browsers have invoiced.com preloaded as an HTTPS-only site.
We only store user passwords that are first hashed using bcrypt. Your password is never stored in our database in an unencrypted, or decryptable, format. You are responsible for choosing a strong password and keeping it secret.
When we need to store secrets or API keys on your behalf, they will be stored in an encrypted form. The encrypted credentials are only accessible by internal services that need those credentials to function.
We support two-factor authentication to protect your Invoiced account in case your password is ever compromised. Two-factor authentication adds an extra layer of security to your Invoiced account by requiring you to enter a verification code from your mobile device each time you log in. It's strongly recommended that you enable this feature.
Invoiced allows you to securely give employees and team members access to your business account. Any team member that you invite will be able to access your business account using their own user account and login. No sharing of passwords is necessary (please don't do this!). You are able to instantly revoke an individual's access at any time.
Invoiced also ships with a robust roles and permissions system that lets you control user access to your business. A user's role will specify the actions they can perform and what data they can see. You can further restrict a user's access to a list of allowed customer accounts.
We will only access your account to respond to support requests, and we seek your consent before proceeding. The exception is if there is suspected abuse or an urgent security reason.
When working on a support issue we do our best to use the minimal amount of data needed to resolve your issue.
Invoiced does not process or store any credit card or bank account details belonging to your customers or yourself. When a customer pays you (or when you pay us), your payment is processed by a third-party, PCI-compliant payment processor.
If you have any questions or concerns, please email us at firstname.lastname@example.org.
Use our PGP key to securely communicate with us, and verify signed messages you receive from us.
ED65 E451 1302 F899 4377 0D9F 6064 BF3F 06C5 47D9
We would like to acknowledge the following people who have reported security issues to us.