Security

We take our responsibility to keep your data secure with the utmost care.

Standards Compliance

PCI

Invoiced is a PCI Level 1 Service Provider. We maintain compliance with the PCI-DSS standard for securely handling payment information. Our AOC (Attestation of Compliance) is available upon request.

SOC 2

Invoiced is certified by the American Institute of Certified Public Accountants (AICPA) for SOC 2 Type 2 relevant to Security. Our SOC 2 Report is available upon request.

HIPAA

We can enter a BAA (Business Associate Agreement) upon request.


Security Capabilities

Below we have documented key security features available with Invoiced. The list is not comprehensive.

HTTPS

All communication between your device, your servers, and Invoiced is encrypted over HTTPS. More specifically, our HTTPS configuration exclusively uses Transport Layer Security (TLS) v1.2 and up with forward secrecy.

We send HSTS headers to instruct web browsers that invoiced.com and all of our subdomains are only accessible over HTTPS. Most major browsers also ship with invoiced.com preloaded as an HTTPS-only site.
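The HSTS policy described above only covers subdomains if the header carries the includeSubDomains directive, and it only qualifies for the browser preload list if it also sets preload with a max-age of at least one year (the requirements published at hstspreload.org). The following checker is an added example and not code from Invoiced; the header values it tests are constructed, not captured from invoiced.com.

```python
import re

# Constructed sample header values (not captured from invoiced.com).
SAMPLE_HEADERS = {
    "preload-ready": "max-age=63072000; includeSubDomains; preload",
    "short-max-age": "max-age=3600; includeSubDomains",
    "no-subdomains": "max-age=31536000; preload",
}

# hstspreload.org requires a max-age of at least one year (31536000 seconds).
PRELOAD_MIN_MAX_AGE = 31536000


def parse_hsts(value):
    """Split a Strict-Transport-Security header value into a dict of
    lower-cased directive names -> values (empty string for flags)."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"')
    return directives


def check_hsts(value):
    """Return the list of problems that stop the policy from protecting every
    subdomain or from qualifying for the preload list. Empty list = preload-ready."""
    d = parse_hsts(value)
    problems = []
    if "max-age" not in d or not re.fullmatch(r"\d+", d["max-age"]):
        problems.append("max-age missing or not an integer")
    elif int(d["max-age"]) < PRELOAD_MIN_MAX_AGE:
        problems.append("max-age below one year")
    if "includesubdomains" not in d:
        problems.append("includeSubDomains missing: subdomains stay reachable over plain HTTP")
    if "preload" not in d:
        problems.append("preload directive missing")
    return problems


if __name__ == "__main__":
    for label, header in SAMPLE_HEADERS.items():
        print(label, "->", check_hsts(header) or "preload-ready")
```

A real deployment check would read the header from an HTTPS response to the bare domain; the parsing and policy logic stays the same.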

Passwords / secrets

We store user passwords only after they have been hashed using PBKDF2. Your password is never stored in our database in an unencrypted or decryptable form. You are responsible for choosing a strong password and keeping it secret.
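What "hashed using PBKDF2" means in practice: each password gets its own random salt and a deliberately slow derivation, the stored record carries its own parameters so the work factor can be raised later, and verification recomputes and compares in constant time. The code below is an added illustration using the Python standard library; it is not Invoiced's implementation, and the hash function, iteration count and salt size are assumptions (the page does not state them).

```python
import hashlib
import hmac
import os

# Policy values below are assumptions for this example; the page does not state
# the iteration count, salt size or hash function Invoiced uses.
HASH_NAME = "sha256"
ITERATIONS = 600_000
SALT_BYTES = 16


def hash_password(password, iterations=ITERATIONS):
    """Derive a key from the password with a fresh random salt and return a
    self-describing record (algorithm$iterations$salt$key, hex-encoded) so the
    work factor can be raised later without invalidating old records."""
    salt = os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac(HASH_NAME, password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_{HASH_NAME}${iterations}${salt.hex()}${dk.hex()}"


def _parse_record(record):
    algo, iterations, salt_hex, dk_hex = record.split("$")
    prefix, _, hash_name = algo.partition("_")
    if prefix != "pbkdf2" or not hash_name:
        raise ValueError("unknown record format")
    return hash_name, int(iterations), bytes.fromhex(salt_hex), bytes.fromhex(dk_hex)


def verify_password(password, record):
    """Recompute the derived key with the parameters stored in the record and
    compare in constant time. Malformed records verify as False, never raise."""
    try:
        hash_name, iterations, salt, expected = _parse_record(record)
        candidate = hashlib.pbkdf2_hmac(
            hash_name, password.encode("utf-8"), salt, iterations, dklen=len(expected)
        )
    except (ValueError, TypeError, AttributeError):
        return False
    return hmac.compare_digest(candidate, expected)


def needs_rehash(record, iterations=ITERATIONS):
    """True when a stored record is weaker than current policy, so the
    application can re-hash the password at the next successful login."""
    try:
        hash_name, stored_iterations, _, _ = _parse_record(record)
    except (ValueError, AttributeError):
        return True
    return hash_name != HASH_NAME or stored_iterations < iterations


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print(verify_password("correct horse battery staple", record))  # True
    print(verify_password("wrong password", record))                # False
```

The salt makes two users with the same password produce different records, and the per-record iteration count lets the service raise its cost over time.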

When we need to store secrets or API keys on your behalf, they are stored in encrypted form using AES-256. The encrypted credentials are only accessible to the internal services that need them to function.

Two-factor authentication

We support two-factor authentication to protect your Invoiced account in case your password is ever compromised. Two-factor authentication adds an extra layer of security to your Invoiced account by requiring you to enter a verification code from your mobile device each time you log in. It’s strongly recommended that you enable this feature.

User permissions

Invoiced allows you to securely give employees and team members access to your business account. Any team member you invite will access your business account using their own user account and login; no sharing of passwords is necessary (please don’t do this!). You can instantly revoke an individual’s access at any time.

Invoiced also ships with a robust roles and permissions system that lets you control user access to your business. A user’s role will specify the actions they can perform and what data they can see. You can further restrict a user’s access to a list of allowed customer accounts.

Audit log

Invoiced keeps a log of billing events performed by users within your company, customers in the payment portal, and automated Invoiced processes. We keep a separate log of account security activity, such as login and password reset events. The audit log is available to you within the Invoiced application.

Employee access

We will only access your account to respond to support requests, and we seek your consent before proceeding. The only exception is suspected abuse or an urgent security reason.

When working on a support issue we do our best to access the least amount of data needed to resolve your issue.


Security inquiries

If you have any questions or concerns then please email us at security@invoiced.com.

PGP Key

Use our PGP key to securely communicate with us, and verify signed messages you receive from us.

Key ID: 06C547D9
Key type: RSA
Key size: 4096
Fingerprint: ED65 E451 1302 F899 4377 0D9F 6064 BF3F 06C5 47D9
User ID: security@invoiced.com
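Before trusting a key retrieved from a keyserver or an email attachment, compare its full fingerprint against the one published here. The short key ID (06C547D9) is just the last 32 bits of that fingerprint, and 32-bit IDs are small enough that colliding keys can be generated, so the short ID alone is not a sufficient check. The helper below is an added example (not Invoiced's code) that normalizes a fingerprint as printed by GnuPG, derives the long and short key IDs from it, and compares against the published value; the only data it uses are the values listed above.

```python
import hmac

# Values published on this page.
PUBLISHED_FINGERPRINT = "ED65 E451 1302 F899 4377 0D9F 6064 BF3F 06C5 47D9"
PUBLISHED_KEY_ID = "06C547D9"

HEX_DIGITS = set("0123456789ABCDEF")


def normalize_fingerprint(text):
    """Strip the spaces and colons GnuPG prints and upper-case the result.
    A v4 OpenPGP fingerprint is exactly 40 hex digits (160-bit SHA-1)."""
    fp = "".join(ch for ch in text if ch not in " :\t\r\n").upper()
    if len(fp) != 40 or any(ch not in HEX_DIGITS for ch in fp):
        raise ValueError("not a 40-hex-digit v4 OpenPGP fingerprint")
    return fp


def key_ids(fingerprint):
    """Return (long key ID, short key ID): the trailing 16 and 8 hex digits of
    a v4 fingerprint. Neither is a substitute for the full fingerprint."""
    fp = normalize_fingerprint(fingerprint)
    return fp[-16:], fp[-8:]


def matches_published(observed, published=PUBLISHED_FINGERPRINT):
    """True only when the full 160-bit fingerprint matches; malformed input,
    a lone key ID, or a single differing digit all return False."""
    try:
        return hmac.compare_digest(normalize_fingerprint(observed),
                                   normalize_fingerprint(published))
    except ValueError:
        return False


if __name__ == "__main__":
    long_id, short_id = key_ids(PUBLISHED_FINGERPRINT)
    print("long key ID:", long_id, "short key ID:", short_id)
    print(matches_published("ed65e4511302f89943770d9f6064bf3f06c547d9"))  # True
```

Paste the fingerprint that `gpg --fingerprint` shows for the imported key into `matches_published`; anything other than a full-length match is a reason to stop and ask.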

Credits

We would like to acknowledge the following people who have reported security issues to us.

  • Jonathan Rudenberg (2016-09-03)
    A cross-site scripting issue in the customer portal was fixed. Thank you Jonathan for reporting this issue.
  • Jonathan Rudenberg (2016-09-06)
    Three cross-site scripting issues in the dashboard were fixed. Thank you Jonathan for reporting these issues.
  • Muhammad Hammad (2018-10-19)
    A Session Management Vulnerability was fixed. Thank you Muhammad for reporting this issue.