Legal · Effective 17 May 2026
Security
A short technical summary of how Flow Invoicer secures customer data. For a broader overview see Trust.
Authentication
- Email + password via Supabase Auth (bcrypt-hashed).
- Sign-up passwords checked against Have-I-Been-Pwned via k-anonymity.
- Optional TOTP two-factor authentication (1Password, Authy, Google Authenticator).
- Sessions are HTTP-only cookies, refreshed every hour.
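
The k-anonymity password check named in the list above, shown as an added example; it is not Flow Invoicer's code. The function names, the reject-on-any-match policy, and the sample response (counts are constructed) are assumptions.

```javascript
// Added example: k-anonymity lookup against the Pwned Passwords range API.
const { createHash } = require("node:crypto");

// Only the 5-character prefix of the SHA-1 digest is sent; the suffix stays local.
function splitHash(password) {
  const digest = createHash("sha1").update(password, "utf8").digest("hex").toUpperCase();
  return { prefix: digest.slice(0, 5), suffix: digest.slice(5) };
}

// Network step (not called below, so the example runs offline).
async function fetchRange(prefix) {
  const res = await fetch(`https://api.pwnedpasswords.com/range/${prefix}`, {
    headers: { "Add-Padding": "true" }, // server pads the response with count-0 rows
  });
  if (!res.ok) throw new Error(`range lookup failed: ${res.status}`);
  return res.text();
}

// The body is one "SUFFIX:COUNT" pair per line. Return the breach count for our
// suffix; padding rows carry a count of 0 and therefore read as "not found".
function breachCount(rangeBody, suffix) {
  for (const line of rangeBody.split(/\r?\n/)) {
    const [candidate, count] = line.trim().split(":");
    if (candidate && candidate.toUpperCase() === suffix) {
      const n = Number.parseInt(count, 10);
      return Number.isNaN(n) ? 0 : n;
    }
  }
  return 0;
}

// Assumed sign-up policy: reject any password that appears in a breach.
function isAcceptable(password, rangeBody) {
  return breachCount(rangeBody, splitHash(password).suffix) === 0;
}

// Constructed sample response for the prefix of "password"; counts are made up.
function sampleRangeBody() {
  const listed = splitHash("password").suffix;
  const padding = splitHash("constructed-padding-entry").suffix; // stands in for a padding row
  return [`${"0".repeat(35)}:3`, `${listed}:42`, `${padding}:0`].join("\r\n");
}
```
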
Authorization
- Postgres Row-Level Security on every table — even a compromised application server cannot return another workspace's rows.
- Multi-user roles (Owner / Bookkeeper / Viewer) enforced both in UI and at the API layer.
- AI agent API keys are workspace-scoped and revocable.
Transport + storage encryption
- TLS 1.3 on every request; HSTS preload enabled.
- Database, file storage, and backups encrypted at rest with AES-256.
- Secrets stored in Vercel encrypted environment variables — never in source.
Application security
- Content-Security-Policy, X-Frame-Options, and X-Content-Type-Options headers on every response.
- Customer-portal pages tightened with frame-ancestors 'none' to prevent clickjacking.
- Server-side input validation via Zod schemas on every mutation endpoint.
Operational security
- Errors monitored via Sentry; uptime via healthchecks.io.
- Database backups verified by quarterly restore drill.
- Dependencies scanned weekly via GitHub Dependabot.
Reporting a vulnerability
Found something? Email security@ddmtech.co.za. We do not currently run a bug-bounty programme but acknowledge and respond to all reports within 48 hours.