
Security

Your receivables data, protected by default.

Invoices hold sensitive financial and contact details. Here's exactly how PayFlowAI protects them today, written plainly, with no security theatre.

A note on where we are. PayFlowAI is an early-stage product. We've built our security foundations in from day one, and the controls below are live in the product now. We're also transparent about what we haven't formalized yet: see what's on our roadmap further down.

What's in place today

Controls live in the product

Encryption at rest

Sensitive fields are encrypted with AES-256-GCM authenticated encryption, using a unique initialization vector for every value and storing the GCM authentication tag alongside the ciphertext. Stored data can't be read without the key, and any change to a stored value is detected when it's decrypted, so a tampered value is rejected rather than silently returned.

Encryption in transit

Every connection to PayFlowAI is served over HTTPS/TLS. Data moving between your browser and our app, and between our app and our processors, is encrypted on every hop.

Authenticated access

Every app route is gated by a session that is verified on the server. Unauthenticated requests to your dashboard, invoices, and clients are rejected and redirected to sign-in, and every query is scoped to your account, so you only ever see your own data.

Payments via Stripe

Billing runs entirely on Stripe, a PCI DSS Level 1 service provider. Card details are entered on Stripe's hosted checkout; PayFlowAI never sees or stores your card number.

Responsible AI

AI features are powered by Anthropic's Claude over its enterprise API. Your data is sent only to generate the result you asked for; it is not used to train models.

EU data residency & GDPR

Your data is hosted in European data centers and handled in line with the GDPR. We never sell or rent your data, and you can export or delete it at any time.

Account protection

Sign-ups require email verification, and sign-in supports trusted single sign-on via Google, Microsoft, and LinkedIn. Sign-up forms include anti-abuse safeguards to block automated attacks.

Managed infrastructure

We build on managed, continuously patched platforms (Supabase and Vercel) rather than self-managed servers, reducing the surface area for misconfiguration and unpatched vulnerabilities.

Your data, portable

Export your invoices and clients to CSV or PDF whenever you need them. Cancel, and your data goes with you: no lock-in, no hostage-taking.

Sub-processors

Who we trust with your data

We work with a small set of established providers, each chosen for their security posture.

Supabase
Database, authentication, and file storage
Stripe
Subscription billing and payment processing
Anthropic (Claude)
AI command bar, reminders, and insights
Vercel
Application hosting and delivery

This list reflects our current setup and may change as we grow. We'll keep it up to date here.

On our roadmap

What we're working toward

We'd rather be honest about what isn't formalized yet than imply certifications we don't hold.

Formal SOC 2 examination
We follow the practices and intend to pursue a formal SOC 2 Type II report as we scale.
Third-party penetration testing
Independent security testing on a recurring schedule.
Two-factor authentication & SSO for teams
Optional 2FA and SAML SSO for Growth-plan organizations.

Found a security issue?

We take reports seriously and will respond quickly. Email us with the details and we'll work with you to resolve it.

security(at)payflowai.io