Flow Invoicer
Legal · Effective 17 May 2026

Security

A short technical summary of how Flow Invoicer secures customer data. For a broader overview see Trust.

Authentication

  • Email + password via Supabase Auth (bcrypt-hashed).
  • Sign-up passwords checked against Have-I-Been-Pwned via k-anonymity.
  • Optional TOTP two-factor authentication (1Password, Authy, Google Authenticator).
  • Sessions are HTTP-only cookies, refreshed every hour.
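
The k-anonymity check named above, as an added example (not Flow Invoicer's own code): the password is SHA-1 hashed locally, only the first five hex characters go to the Pwned Passwords range endpoint, and the remaining 35 are matched against the response on the server. The function names, the injected fetchRange helper and the sample response body are assumptions constructed for illustration.

```javascript
// Added example, not Flow Invoicer code: k-anonymity lookup against Pwned Passwords.
const crypto = require('crypto');

const PREFIX_LEN = 5; // only these hex characters of the SHA-1 are ever sent

// Hash locally and split into the part that is sent and the part that is kept.
function splitHash(password) {
  const hex = crypto.createHash('sha1').update(password, 'utf8').digest('hex').toUpperCase();
  return { prefix: hex.slice(0, PREFIX_LEN), suffix: hex.slice(PREFIX_LEN) };
}

function rangeUrl(prefix) {
  return `https://api.pwnedpasswords.com/range/${prefix}`;
}

// The range response is one "SUFFIX:COUNT" per line. Return the count for our
// suffix, or 0 when it is absent. Padding entries (returned when padding is
// requested) carry a count of 0 and must not be treated as a breach hit.
function countInRange(body, suffix) {
  for (const line of body.split(/\r?\n/)) {
    const [candidate, count] = line.trim().split(':');
    if (candidate && candidate.toUpperCase() === suffix) {
      const n = Number.parseInt(count, 10);
      return Number.isFinite(n) ? n : 0;
    }
  }
  return 0;
}

function breachCount(password, rangeBody) {
  return countInRange(rangeBody, splitHash(password).suffix);
}

// Constructed sample response for prefix 5BAA6 (the counts are made up).
const SAMPLE_RANGE_BODY = [
  '0018A45C4D1DEF81644B54AB7F969B88D65:3',
  '00D4F6E8FA6EECAD2A3AA415EEC418D38EC:0', // padding entry
  '1E4C9B93F3F0682250B6CF8331B7EE68FD8:42', // suffix of SHA-1("password")
].join('\r\n');

// Sign-up hook sketch: fetchRange is a hypothetical injected HTTP helper that
// returns the response body as text.
async function rejectIfBreached(password, fetchRange) {
  const { prefix } = splitHash(password);
  const body = await fetchRange(rangeUrl(prefix)); // password and full hash stay local
  return breachCount(password, body) > 0;
}
```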

Authorization

  • Postgres Row-Level Security on every table — even a compromised application server cannot return another workspace's rows.
  • Multi-user roles (Owner / Bookkeeper / Viewer) enforced both in UI and at the API layer.
  • AI agent API keys are workspace-scoped and revocable.

Transport + storage encryption

  • TLS 1.3 on every request; HSTS preload enabled.
  • Database, file storage, and backups encrypted at rest with AES-256.
  • Secrets stored in Vercel encrypted environment variables — never in source.

Application security

  • Content-Security-Policy, X-Frame-Options, and X-Content-Type-Options headers on every response.
  • Customer-portal pages tightened with frame-ancestors 'none' to prevent clickjacking.
  • Server-side input validation via Zod schemas on every mutation endpoint.

Operational security

  • Errors monitored via Sentry; uptime via healthchecks.io.
  • Database backups verified by quarterly restore drill.
  • Dependencies scanned weekly via GitHub Dependabot.

Reporting a vulnerability

Found something? Email security@ddmtech.co.za. We do not currently run a bug-bounty programme but acknowledge and respond to all reports within 48 hours.
