Security & data protection
Last updated: June 2026
Compliance teams need to know exactly what happens to an invoice when it hits our API. Here is a plain, accurate account — including what we have not done yet. We would rather under-claim than oversell.
Invoices are processed in memory, never stored
When you call the validation or generation endpoint, the invoice XML is parsed and checked in memory to produce a report, then discarded. We do not persist invoice documents or their line-item contents. We retain only non-sensitive metadata — document format, validity, rule counts and timing — for usage metering, analytics and abuse prevention.
Encryption in transit
All API and dashboard traffic is served over HTTPS (TLS). API keys are transmitted as bearer tokens and must only be used server-side.
API key handling
API keys are stored only as a bcrypt hash of the secret plus a non-secret lookup token — we cannot recover your full key after it is shown to you once. If a key is exposed, you can revoke and rotate it from the dashboard immediately.
Data residency & subprocessors
The service runs on Vercel (application/serverless functions) and Supabase (PostgreSQL and authentication). Account data and validation metadata are held in our Supabase project. We do not sell personal data and do not share it beyond the subprocessors needed to run the service. If you require a specific EU data region or a Data Processing Agreement, contact us.
GDPR
InvoiceHub is built to support GDPR obligations: data minimisation (we keep metadata, not invoices), the right to access and deletion of account data, and a documented privacy policy. Submit data-subject requests through our contact form.
Standards we validate against
Validation uses the official CEN EN 16931 Schematron (validation artifacts v1.3.16) — the same published business-rule set used by tax authorities and Peppol access points — so results carry the exact BR-* identifiers. We never report an unchecked document as valid.
What we have not done yet (honestly)
We do not currently hold SOC 2 or ISO 27001 certification, and InvoiceHub is not itself a Peppol Access Point. These are on our roadmap as the product matures. We would rather tell you that than imply a certification we do not have. If a procurement process requires specific attestations, get in touch and we will share our current posture and timeline.
Reporting a vulnerability
Found a security issue? Please report it through our contact form with the details and steps to reproduce. We will acknowledge responsible disclosures and work with you on a fix.