
Security posture

Invoices are evidence. We treat them like evidence — encrypted at rest, signed in transit, and logged on every hop. Here is how.

Effective April 1, 2026 · v1.4.2

1. The pillars

  • AES-256 at rest (crypto): All persisted data (payloads, attachments, receipts) is encrypted at rest using AWS KMS-managed keys with annual rotation.
  • TLS 1.3 in transit (crypto): Every endpoint negotiates TLS 1.3 by default and rejects anything below 1.2. SMTP ingress requires STARTTLS for inbound mail.
  • Signed receipts (integrity): Every forwarded payload carries an Ed25519 signature over the canonicalized JSON. Public keys rotate quarterly; the prior key stays valid for 90 days.
  • Least-privilege IAM (access): Engineering access to production is gated by SSO + hardware key + just-in-time approval. No long-lived credentials. All sessions are logged.
  • Audit logs (audit): Every API call, login, and admin action lands in an append-only audit log retained for 12 months. Customers on the Operation tier can export it.
  • Cross-region backups (resilience): Encrypted snapshots replicate from ca-central-1 to us-east-1 hourly. Restore drills run quarterly. Last restore: 2026-03-18 (RTO 22 min).

2. Compliance

Framework | Status | Last review
SOC 2 Type II | Audit in progress (Q3 2026 expected) | 2026-02-14
ISO/IEC 27001 | Roadmap; not yet certified | (none)
GDPR + PIPEDA | Aligned; DPA available on request | 2026-01-20
HIPAA | Not in scope; do not send PHI | (none)

We are honest about where we are. SOC 2 Type II is mid-audit, not stamped. If a procurement team needs the Type I letter or our gap analysis, we send them on request under NDA.

3. How we build

  • Two-engineer code review on every change touching production.
  • SAST and dependency scanning on every PR. Critical CVEs block merge.
  • Quarterly third-party penetration test. Latest report: 2026-02, zero criticals, two mediums (both fixed).
  • No production data in staging or development environments.
  • Secrets live in AWS Secrets Manager. No .env files are committed to source control.

4. Incident response

On detection, we contain, assess, and notify. Customers affected by a confirmed breach are notified within 72 hours. Status updates land on the status page in near-real-time.

Postmortems are public for any incident with customer-visible impact, and they name the root cause without sanitizing.

5. Bug bounty

Found something? Email [email protected] with a description and steps to reproduce. Our PGP key fingerprint is 4B7E 9F2A 8C31 D5E0 A917 6B42 1F8D 0C5E A293 7B14.

Reward range, paid in USD on confirmation:

Severity | Reward
Critical (RCE, auth bypass, mass data exposure) | $5,000 – $10,000
High (privilege escalation, sensitive data exposure) | $1,500 – $5,000
Medium (CSRF, stored XSS, IDOR) | $300 – $1,500
Low (rate-limit gaps, info disclosure) | $50 – $300

Out of scope: social engineering, physical attacks, anything against third-party services.

6. Customer responsibilities

  • Use SSO when available. Enforce 2FA on every operator account.
  • Rotate API keys at least annually.
  • Don't paste signed receipts into public Slack channels — they reveal vendor data.

7. Contact

Security disclosures: [email protected]. Compliance documentation requests (SOC 2 letter, pen-test summary, DPA): [email protected].

This document is a plain-language summary written for clarity. It is not legal advice. For questions, write [email protected].
