Your financial data, protected at every layer

All data stored on our platform is encrypted at rest using industry-standard AES-256 encryption. Whether it is a raw invoice file, extracted line items, or a generated report, every byte on disk is encrypted.

All data in transit is protected by TLS 1.2 or higher, including TLS 1.3 where supported. There is no unencrypted path into or out of the platform.

Encryption keys are managed by our cloud infrastructure provider with automatic rotation on a defined schedule. Your files are stored with immutability controls and server-side encryption. Access to production data requires multiple layers of authentication and is restricted to essential operations only.

Yes, completely. Every organization's data lives behind row-level security policies enforced at the database layer, not just in application code. These policies are evaluated for every single query, making it structurally impossible for one customer's request to return another customer's data.

Documents, extracted fields, corrections, reports, and audit logs are all scoped to your organization. No customer can ever access another customer's documents, extracted data, or reports, even if they know the right identifiers.

Multi-tenancy is not a configuration toggle. It is how the data model was designed from the start. Isolation is the default, not an option.

No. Once a document passes validation and is promoted to permanent storage, it is protected by immutability controls enforced at the infrastructure level. Your documents cannot be modified or deleted during the retention period, which defaults to 7 years to meet IRS, HIPAA, and state regulatory requirements.

Every uploaded file is assigned a cryptographic hash (SHA-256) computed in your browser before the file leaves your device. That hash is recorded in our database and verified when the file is accessed. If a file were altered in transit or storage, the hash mismatch would be detected and flagged.

Every version of a document, from initial validation through permanent storage, is preserved with a full chain of custody recorded in the database.

Every significant action taken on your account is recorded in an append-only audit log. Covered events include login, document upload, document view, extracted data correction, report generation, and data export.

Each log entry captures the timestamp (UTC), the identity of the user who performed the action, the action type, and a structured description of what changed. You always have a complete, time-ordered record of activity in your account.

Audit logs are stored in an append-only table enforced by database triggers that reject all update and delete operations, regardless of the caller's privilege level. The record is permanent and tamper-proof.

Access control ensures that only authenticated users within your organization can view, manage, or export your documents. Permissions are enforced server-side on every request. They cannot be bypassed by manipulating the client.

Sessions automatically expire after 30 minutes of inactivity, with a warning before timeout occurs. If a workstation is left unattended, the session closes and requires re-authentication to resume. Your data is protected even when someone forgets to log out.

Every authentication event (login, logout, and failed login attempt) is recorded in the audit log with timestamp and originating details. You always know who accessed your account and when.

SOC 2 Type II certification is on our compliance roadmap. SOC 2 is the most widely recognized independent audit for SaaS security, availability, and confidentiality controls. We are building toward it now, not retrofitting later.

Our BAA coverage is in progress. The BAA for our file storage provider is signed. BAAs with our database, document processing, and hosting providers are in progress. Healthcare organizations should contact us before uploading patient data so we can confirm the current status of the full BAA chain.

Our architecture follows OWASP security guidelines with defense-in-depth protections for financial data.

Our security team is available to answer your questions. If you need details on a specific control, want to review our architecture, or have found a potential vulnerability, email us. We respond within one business day.

For enterprise security assessments, compliance documentation, or custom security requirements, reach out directly at security@invistiq.com. Please include a brief description of your question or organization so we can route your inquiry to the right person.

For general questions or to speak with the broader team, visit our contact page.