Security

Quick answer

Your data is encrypted in transit (HTTPS everywhere) and at rest, passwords are hashed with bcrypt (never stored in plain text), every login attempt is logged, and every account's data is strictly isolated from every other account's — verified, not assumed.

Encryption

All traffic between your browser and InvoiceFlow Canada is encrypted over HTTPS, enforced with HTTP Strict Transport Security (HSTS) so your browser never falls back to an unencrypted connection. Your database and file storage are hosted in Canada and encrypted at rest by the underlying infrastructure providers.

Passwords

Passwords are hashed with bcrypt before being stored — InvoiceFlow Canada never stores or can retrieve your actual password. If you sign in with Google, no password is stored at all.

Account protection

  • Login attempts are rate-limited to slow down automated guessing.
  • Registration, password reset, and the contact form are protected by Cloudflare Turnstile to block automated bot submissions.
  • Every login attempt — successful or not — is logged with its outcome, so unusual activity can be investigated.
  • Session cookies are HTTP-only and secure, inaccessible to page scripts.

Data isolation

Every invoice, customer record, and business profile is scoped to your account at the database level — every single query that reads or writes your data requires your authenticated account ID to match. This has been directly audited across the entire application, not just assumed to be true.

Monitoring

Application errors are monitored so problems are caught and fixed quickly, and security-relevant headers (Content-Security-Policy, X-Frame-Options, X-Content-Type-Options) are set on every response to reduce the attack surface for common web vulnerabilities like clickjacking and content-type sniffing.

Report a security issue

If you believe you've found a security vulnerability, please contact us directly rather than filing a public report — we take these seriously and will respond promptly.