Trust
Flow Invoicer holds invoice, payment, and bank data for thousands of South African businesses. Here is exactly where it lives and how it's protected.
Data residency
All customer data is stored in our primary Supabase Postgres database, hosted in the AWS af-south-1 (Cape Town) region. Backups remain in the same region. No data is transferred outside South Africa for storage.
Encryption
- In transit: TLS 1.3 on every request to flowinvoicer.app.
- At rest: AES-256 on Supabase managed storage.
- Sensitive secrets (API keys, payment provider keys) stored in Vercel encrypted environment variables.
Access controls
- Postgres Row-Level Security on every table — your workspace data is technically isolated from other workspaces.
- Multi-user roles (Owner / Bookkeeper / Viewer) gate access within a workspace.
- Two-factor authentication available for every account.
Backups
On our infrastructure plan, Supabase takes continuous point-in-time backups of the production database, covering the last 14 days. Daily snapshots are retained for 30 days. Backups remain in the AWS af-south-1 region.
Compliance
- POPIA (South Africa) — full operator obligations met. See our Privacy Policy.
- GDPR (EU residents) — data subject rights honoured.
- SOC 2 readiness audit scheduled for Q4 2026.
Incident response
Errors are streamed to Sentry; downtime is tracked via healthchecks.io. In the unlikely event of a data breach, we will notify affected workspace owners within 72 hours by email and post a public incident report at /status.
Get in touch
For security disclosures, compliance questions, or a signed Data Processing Agreement, email security@ddmtech.co.za.