Security & compliance
Audited, encrypted, and visible only to you.
Independently audited, hosted in the EU, and encrypted end to end. Your invoices and bank data stay private, even from us.
Defense in depth
Security built into every layer.
Your data never leaves the EU
All your invoices, bank transactions, and documents are stored in Frankfurt, Germany. Nothing is routed through or stored in the US or anywhere outside the European Union. This applies to everything: your files, your database records, your backups.
We cannot see your documents
Invoflux employees have zero access to your invoices, bank data, or financial documents. Your data is isolated at the database level, meaning even if our own application had a bug, one company's data could never leak into another's. This isn't a policy. It's how the system is built.
Full GDPR compliance
We act as a data processor under GDPR. You can export all your data or permanently delete your account at any time, directly from your settings. We process data only under your instructions and never share it with anyone.
Everything is encrypted
Your documents are encrypted when they travel to and from our servers (TLS 1.3) and encrypted again when stored (AES-256-GCM, the same standard banks use). Your connected account credentials are encrypted separately with their own keys and never stored as plain text.
We only ask for what we need
When you connect Gmail or your bank, we request the absolute minimum permissions required. Gmail access is read-only and limited to scanning for invoice emails. Bank access is read-only transaction data. We never send emails on your behalf, never modify anything, and never access more than what's needed.
Every action is logged
Every login, file access, data export, and integration event is recorded with timestamps and details. Each company has its own separate audit trail. Sensitive information like email addresses and IBANs is automatically removed from logs so it can't be exposed.
Each company is completely isolated
If you manage multiple companies or if your accountant works with several clients, every workspace is separated at the database level using Row-Level Security. There's no way to accidentally (or intentionally) access another company's data, even from inside the application.
Verified by Google
Invoflux has passed Google's CASA Tier 2 security assessment, the highest certification Google offers for apps that access Gmail and Drive. This included a third-party security audit and confirms that we only request minimal permissions. The certification is reassessed annually.
Protected against attacks
Login and authentication endpoints are protected with rate limiting to prevent brute-force attempts. Sensitive data like session tokens is stored server-side in secure cookies and never exposed to your browser. We run regular security scans to catch vulnerabilities before they become problems.
Questions
Frequently asked questions
What third-party services touch my data?
We use Supabase (EU-hosted database and file storage), Salt Edge (read-only bank connections, EU-based), and OpenAI (for invoice data extraction only, with no data retention on their side). All services are contractually bound to EU data handling standards.
What happens to my data if I cancel?
You can export everything first, then delete your account. Deletion is permanent and removes all your documents, transaction records, and personal information from our systems.
Do you sell or share my data?
No. Never. Your financial data is yours. We don't monetize it, share it with advertisers, or use it for anything other than running the service you signed up for.
Data handling
How We Handle Your Data
- Stored in the EU, optionally mirrored to your cloud: your invoices live in encrypted EU storage. You can also mirror them to your own Google Drive, OneDrive, Dropbox, or Box, where Invoflux only ever touches the folders it creates.
- Structured data, fully searchable: supplier, invoice number, date, totals, and matching status are extracted so everything is searchable and reconciled.
- No AI training: user data is never used to train public models.
- Transparent sub-processors: all EU-compliant.
- Full retention control: delete data anytime.
Open banking
Open Banking & PSD2 Compliance
How Bank Connections Work
- You authenticate directly with your bank.
- Credentials are never shared with Invoflux.
- Access is strictly read-only and PSD2 compliant.
- Only required transaction data is retrieved.
Regulated Access to Banking Data
PSD2 Licence Coverage
Bank access is provided through a fully regulated PSD2-compliant provider.
eIDAS & Strong Customer Authentication
All connections use qualified certificates and follow PSD2 SCA rules.
Read-Only Financial Data
No payments can be initiated; credentials are never stored or seen.
Why This Matters
- No credential exposure
- Fully regulated EU-standard access
- Read-only, secure, and compliant
- User retains full control
Your rights
GDPR Compliance
Your Rights
- Access your data
- Data portability
- Erasure
- Restriction or objection
- No automated decision-making without consent
Data Processing Agreement
Available on request at [email protected].
Hardening
Security Headers
Invoflux implements comprehensive security headers to protect against common web vulnerabilities:
- Strict-Transport-Security: Forces HTTPS connections
- X-Frame-Options: Prevents clickjacking attacks
- X-Content-Type-Options: Prevents MIME-type sniffing
- Content-Security-Policy: Mitigates XSS attacks
- Permissions-Policy: Controls browser feature access
- Referrer-Policy: Controls what information is shared when navigating between pages