Security at InvoiceFly

Last updated: July 7, 2025

At InvoiceFly, keeping our customers’ data secure is our top priority.

This page provides an overview of the security measures we implement to ensure the confidentiality, integrity, and availability of the data entrusted to us.


1. Security Framework & Certifications

InvoiceFly has implemented an Information Security Management System aligned with industry best practices to ensure business continuity, minimize the risk of data breaches, and maintain compliance with applicable standards.

All customer data is securely stored on Amazon Web Services (AWS) servers located in Dallas, Texas, USA (Hostinger). These data centers offer industry-leading security and are trusted by global companies such as Netflix and Airbnb.

AWS facilities are protected by multiple layers of physical security, including biometric access controls and 24/7 monitoring.


2. Data Protection & GDPR Compliance

InvoiceFly fully complies with the General Data Protection Regulation (GDPR) and other relevant privacy regulations applicable to our customers’ data.

Data Processing Roles

InvoiceFly acts as:

  • Data Controller: When we process data provided directly by our clients (e.g., user accounts, billing).
  • Data Processor: When we process data on behalf of our customers, such as information their end users provide through our platform.

If you are an employee or contractor using the InvoiceFly platform, we act solely as a Data Processor of your personal data, as directed by your employer or account owner.

For website visitors, InvoiceFly may also act as a Processor when collecting cookie-related or analytics data.

Data Processing Agreement (DPA)

We offer a DPA for customers who need it. You may request a copy by emailing our Privacy Team at: mike@invoicefly.com


3. Data Security & Encryption

Data in Transit

All data exchanged between users and our servers is encrypted using TLS 1.2 or higher, in accordance with industry best practices.

Data at Rest

All stored data is encrypted using AES-256 via AWS Key Management Service (KMS), covering databases, backups, and object storage (e.g., S3 buckets).


4. Application & Infrastructure Security

Cloud Infrastructure

InvoiceFly runs entirely on cloud-based infrastructure. We do not manage our own physical servers or data centers. Our systems use:

  • Virtual Private Cloud (VPC)
  • Firewalls and security groups
  • Encrypted backups and high-availability configurations

Monitoring & Threat Detection

  • We monitor logs and anomalies in real time.
  • Penetration tests are regularly conducted by third-party security firms.
  • Vulnerability scanning is continuous.

5. Secure Development Practices

  • All code undergoes security review based on OWASP Top 10 standards.
  • Dependencies are scanned and updated regularly to avoid known vulnerabilities.
  • Static Application Security Testing (SAST) is part of our CI/CD pipeline.
  • Developers do not have direct access to production environments.
  • Secrets are managed securely, and no sensitive keys are stored in the codebase.

6. Access Control & User Protection

  • Single Sign-On (SSO) available via Google, Microsoft, Apple and LinkedIn.
  • Multi-Factor Authentication (MFA) enforced through AWS Cognito.
  • Role-based access control (RBAC) allows fine-grained permission management.
  • Quarterly access reviews are conducted to ensure proper deprovisioning and least privilege.

7. Payment Security

InvoiceFly does not process or store payment data directly. All payment transactions are securely handled by Stripe, a PCI DSS Level 1 compliant provider.


8. Internal Security Policies

  • All employees use centrally managed, 2FA-protected accounts.
  • Passwords are rotated regularly, and only least-privileged access is granted.
  • Background checks are conducted for all new hires.
  • Security awareness training is mandatory for all staff.
  • Office access is restricted and controlled via badge entry systems.

9. Data Breach Policy

In the event of a data breach, InvoiceFly will:

  1. Immediately assess the scope and nature of the incident.
  2. Contain and mitigate the threat.
  3. Record the incident in our internal log for traceability.
  4. Determine whether notification to data protection authorities or users is required.

If a breach poses a risk to the rights and freedoms of individuals, InvoiceFly will notify affected clients within 48 hours, including:

  • Mitigation measures taken
  • Technical improvements made
  • Updated procedures to prevent recurrence

10. Data Retention & Deletion

By default, InvoiceFly deletes all personal data 30 days after contract termination unless otherwise required by law or requested by the customer.

All backup data is also removed within one year unless retained under legal obligation.


11. Service Level Commitment (SLA)

InvoiceFly guarantees 99.9% monthly uptime. That equates to no more than 43.5 minutes of downtime per month.

If this commitment is not met, clients may request Service Credits equal to 5% of the monthly invoice. To do so, email mike@invoicefly.com with the date and details of the outage.

Note: The SLA does not apply in cases of force majeure, third-party failures, or scheduled maintenance.


12. Business Continuity & Disaster Recovery

  • Daily backups are retained for 30 days.
  • High availability is maintained using AWS Multi-AZ configurations.
  • Our Recovery Time Objective (RTO) is 1 hour, and Recovery Point Objective (RPO) is 24 hours.
  • Business continuity and disaster recovery plans are documented and tested regularly.

13. Confidentiality

InvoiceFly and its clients agree to treat all exchanged information as confidential, including but not limited to:

  • Customer data and credentials
  • Technical and financial details
  • Source code, infrastructure, and trade secrets

This duty of confidentiality survives the termination of the contractual relationship.

Any breach of confidentiality may result in legal action and compensation for damages.


14. Questions or Security Concerns?

If you believe you’ve discovered a vulnerability or want to report a security issue, please contact us at:

📧 mike@invoicefly.com
📍 Plaça de Pau Vila, 1, Ciutat Vella, 08039 Barcelona, Spain
📞 (628) 230-4030