Skip to content
ESOF Shield CertifiedGDPR CompliantSOC 2 Compliance in Progress

Security & compliance

Audited, encrypted, and visible only to you.

Independently audited, hosted in the EU, and encrypted end to end. Your invoices and bank data stay private, even from us.

Defense in depth

Security built into every layer.

Your data never leaves the EU

All your invoices, bank transactions, and documents are stored in Frankfurt, Germany. Nothing is routed through or stored in the US or anywhere outside the European Union. This applies to everything: your files, your database records, your backups.

We cannot see your documents

Invoflux employees have zero access to your invoices, bank data, or financial documents. Your data is isolated at the database level, meaning even if our own application had a bug, one company's data could never leak into another's. This isn't a policy. It's how the system is built.

Full GDPR compliance

We act as a data processor under GDPR. You can export all your data or permanently delete your account at any time, directly from your settings. We process data only under your instructions and never share it with anyone.

Everything is encrypted

Your documents are encrypted when they travel to and from our servers (TLS 1.3) and encrypted again when stored (AES-256-GCM, the same standard banks use). Your connected account credentials are encrypted separately with their own keys and never stored as plain text.

We only ask for what we need

When you connect Gmail or your bank, we request the absolute minimum permissions required. Gmail access is read-only and limited to scanning for invoice emails. Bank access is read-only transaction data. We never send emails on your behalf, never modify anything, and never access more than what's needed.

Every action is logged

Every login, file access, data export, and integration event is recorded with timestamps and details. Each company has its own separate audit trail. Sensitive information like email addresses and IBANs is automatically removed from logs so it can't be exposed.

Each company is completely isolated

If you manage multiple companies or if your accountant works with several clients, every workspace is separated at the database level using Row-Level Security. There's no way to accidentally (or intentionally) access another company's data, even from inside the application.

Verified by Google

Invoflux has passed Google's CASA Tier 2 security assessment, the highest certification Google offers for apps that access Gmail and Drive. This included a third-party security audit and confirms that we only request minimal permissions. The certification is reassessed annually.

Protected against attacks

Login and authentication endpoints are protected with rate limiting to prevent brute-force attempts. Sensitive data like session tokens is stored server-side in secure cookies and never exposed to your browser. We run regular security scans to catch vulnerabilities before they become problems.

Questions

Frequently asked questions

What third-party services touch my data?

We use Supabase (EU-hosted database and file storage), Salt Edge (read-only bank connections, EU-based), and OpenAI (for invoice data extraction only, with no data retention on their side). All services are contractually bound to EU data handling standards.

What happens to my data if I cancel?

You can export everything first, then delete your account. Deletion is permanent and removes all your documents, transaction records, and personal information from our systems.

Do you sell or share my data?

No. Never. Your financial data is yours. We don't monetize it, share it with advertisers, or use it for anything other than running the service you signed up for.

Data handling

How We Handle Your Data

  • Stored in the EU, optionally mirrored to your cloud: your invoices live in encrypted EU storage. You can also mirror them to your own Google Drive, OneDrive, Dropbox, or Box, where Invoflux only ever touches the folders it creates.
  • Structured data, fully searchable: supplier, invoice number, date, totals, and matching status are extracted so everything is searchable and reconciled.
  • No AI training: user data is never used to train public models.
  • Transparent sub-processors: all EU-compliant.
  • Full retention control: delete data anytime.

Open banking

Open Banking & PSD2 Compliance

How Bank Connections Work

  • You authenticate directly with your bank.
  • Credentials are never shared with Invoflux.
  • Access is strictly read-only and PSD2 compliant.
  • Only required transaction data is retrieved.

Regulated Access to Banking Data

PSD2 Licence Coverage

Bank access is provided through a fully regulated PSD2-compliant provider.

eIDAS & Strong Customer Authentication

All connections use qualified certificates and follow PSD2 SCA rules.

Read-Only Financial Data

No payments can be initiated; credentials are never stored or seen.

Why This Matters

  • No credential exposure
  • Fully regulated EU-standard access
  • Read-only, secure, and compliant
  • User retains full control

Your rights

GDPR Compliance

Your Rights

  • Access your data
  • Data portability
  • Erasure
  • Restriction or objection
  • No automated decision-making without consent

Data Processing Agreement

Available on request at [email protected].

Hardening

Security Headers

Invoflux implements comprehensive security headers to protect against common web vulnerabilities:

  • Strict-Transport-Security: Forces HTTPS connections
  • X-Frame-Options: Prevents clickjacking attacks
  • X-Content-Type-Options: Prevents MIME-type sniffing
  • Content-Security-Policy: Mitigates XSS attacks
  • Permissions-Policy: Controls browser feature access
  • Referrer-Policy: Controls what information is shared when navigating between pages

Security you can verify.

Start free and see how Invoflux protects your data from day one.

Start Free

Get in touch

Contact

For security or compliance questions: