Standards Compliance
PCI
Invoiced is a PCI Level 1 Service Provider. We maintain compliance with the PCI-DSS standard for securely handling payment information. Our AOC (Attestation of Compliance) is available upon request.
SOC 2
Invoiced is certified by the American Institute of Certified Public Accountants (AICPA) for SOC 2 Type 2 relevant to Security. Our SOC 2 Report is available upon request.
HIPAA
We can enter into a BAA (Business Associate Agreement) upon request.
Security Capabilities
Below we have documented key security features available with Invoiced. The list is not comprehensive.
HTTPS
All communication between your device, your servers, and Invoiced is encrypted over HTTPS. More specifically, our HTTPS configuration exclusively uses Transport Layer Security (TLS) v1.2 and up with forward secrecy.
We send HSTS headers to instruct web browsers that invoiced.com and all of our subdomains are only accessible over HTTPS. Also, most major browsers have invoiced.com preloaded as an HTTPS-only site.
Passwords / secrets
We only store user passwords that are first hashed using PBKDF2. Your password is never stored in our database in an unencrypted, or decryptable, format. You are responsible for choosing a strong password and keeping it secret.
When we need to store secrets or API keys on your behalf, they are stored in encrypted form using AES-256. The encrypted credentials are only accessible by internal services that need those credentials to function.
Two-factor authentication
We support two-factor authentication to protect your Invoiced account in case your password is ever compromised. Two-factor authentication adds an extra layer of security to your Invoiced account by requiring you to enter a verification code from your mobile device each time you log in. It’s strongly recommended that you enable this feature.
User permissions
Invoiced allows you to securely give employees and team members access to your business account. Any team member that you invite will be able to access your business account using their own user account and login. No sharing of passwords is necessary (please don’t do this!). You are able to instantly revoke an individual’s access at any time.
Invoiced also ships with a robust roles and permissions system that lets you control user access to your business. A user’s role will specify the actions they can perform and what data they can see. You can further restrict a user’s access to a list of allowed customer accounts.
Audit log
Invoiced keeps a log of billing events performed by users within your company, customers in the payment portal, and automated Invoiced processes. We keep a separate log of account security activity, such as login and password reset events. The audit log is available to you within the Invoiced application.
Employee access
We will only access your account to respond to support requests, and we seek your consent before proceeding. The exception is if there is suspected abuse or an urgent security reason.
When working on a support issue we do our best to access the least amount of data needed to resolve your issue.
Security inquiries
If you have any questions or concerns, please email us at security@invoiced.com.
PGP Key
Use our PGP key to securely communicate with us, and verify signed messages you receive from us.
Key ID: 06C547D9
Key type: RSA
Key size: 4096
Fingerprint: ED65 E451 1302 F899 4377 0D9F 6064 BF3F 06C5 47D9
User ID: security@invoiced.com
Credits
We would like to acknowledge the following people who have reported security issues to us.
- Jonathan Rudenberg (2016-09-03)
  A cross-site scripting issue in the customer portal was fixed. Thank you Jonathan for reporting this issue.
- Jonathan Rudenberg (2016-09-06)
  Three cross-site scripting issues in the dashboard were fixed. Thank you Jonathan for reporting these issues.
- Muhammad Hammad (2018-10-19)
  A Session Management Vulnerability was fixed. Thank you Muhammad for reporting this issue.