Security

6 minute read · Written by admin · Last updated 13 Aug 2024

Invoice Stack uses industry-leading security best practices to secure your business data and is committed to transparency about how we use and secure your data. Here is a summary of what data we access and how we keep it secure.

At the end of this page you'll find Frequently Asked Questions. If the information you require is not listed here, please get in touch with us by emailing support@invoicestack.co

Who we are

  • Weave + Blend Limited is a company registered in England and Wales, registration number 13063973
  • Registered Address: St. Georges Court, St. Georges Road, Bristol BS1 5UG United Kingdom
  • We are registered with the Information Commissioner's Office under the UK Data Protection Act (ZB293185)

How users access Invoice Stack

  • HubSpot users can access the Invoicing or Reporting view inside HubSpot via a deal card. HubSpot supports access control permissions for deals and cards. Access to the Invoice Stack window is secured by a signed, time-limited access token that is released only when a signed request from HubSpot is received.
  • An admin dashboard allows connections and preferences to be managed, but no invoice data is accessible from it. Access to the dashboard is secured with a username and a bcrypt-hashed password.
  • Invoice data is synced to HubSpot deals via deal properties. HubSpot supports access control permissions for deal properties.
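As an added illustration of the card-access flow described above (example code, not Invoice Stack's own), the following sketch verifies an inbound signed request, then mints and validates a short-lived signed access token. The secrets, the HMAC-SHA256 request-signature scheme and the claim names are assumptions for the example, not HubSpot's documented signature format.

```python
import base64, hashlib, hmac, json, time
from typing import Optional

# Constructed secrets for this illustration only; a real deployment loads them from configuration.
HUBSPOT_CLIENT_SECRET = b"constructed-hubspot-client-secret"
TOKEN_SIGNING_KEY = b"constructed-token-signing-key"
TOKEN_TTL_SECONDS = 300  # assumed lifetime of the card access token

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_hubspot_request(method: str, uri: str, body: bytes) -> str:
    # Assumed request signature (sender's side): hex HMAC-SHA256 over method + uri + body.
    return hmac.new(HUBSPOT_CLIENT_SECRET, method.encode() + uri.encode() + body, hashlib.sha256).hexdigest()

def verify_hubspot_request(method: str, uri: str, body: bytes, signature: str) -> bool:
    # Constant-time comparison so a forged signature cannot be confirmed byte by byte.
    return hmac.compare_digest(sign_hubspot_request(method, uri, body), signature)

def issue_access_token(portal_id: int, deal_id: int, now: Optional[int] = None) -> str:
    # Mint a token bound to one portal and deal that expires after TOKEN_TTL_SECONDS.
    now = int(time.time()) if now is None else now
    claims = {"portal": portal_id, "deal": deal_id, "iat": now, "exp": now + TOKEN_TTL_SECONDS}
    payload = _b64url(json.dumps(claims, sort_keys=True, separators=(",", ":")).encode())
    sig = _b64url(hmac.new(TOKEN_SIGNING_KEY, payload.encode(), hashlib.sha256).digest())
    return f"{payload}.{sig}"

def validate_access_token(token: str, now: Optional[int] = None) -> Optional[dict]:
    """Return the claims if the signature is valid and the token has not expired, else None."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 2:
        return None
    payload, sig = parts
    expected = _b64url(hmac.new(TOKEN_SIGNING_KEY, payload.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(expected, sig):
        return None  # tampered payload or forged signature
    claims = json.loads(_b64url_decode(payload))
    if claims.get("exp", 0) <= now:
        return None  # expired: the card must be reopened to obtain a fresh token
    return claims

def handle_card_request(method: str, uri: str, body: bytes, signature: str, now: Optional[int] = None) -> Optional[str]:
    """Full flow: release a token only for a request whose HubSpot signature verifies."""
    if not verify_hubspot_request(method, uri, body, signature):
        return None
    params = json.loads(body)
    return issue_access_token(params["portalId"], params["dealId"], now)
```

The token carries no secret itself; possession of a valid, unexpired token is what gates the window, and the short TTL limits how long a leaked token is useful.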

Data Access and Storage

Storage

Our app stores the following data in our database. This data is hosted by our cloud provider, AWS, which holds ISO 27001 certification (see Storage of Data below).

Data stored:

  • Any invoice data saved or synced via the app
  • Basic deal data such as name, total and currency, and the ID of your Xero contact, for any deal saved or synced via the app
  • Session and access data such as encrypted OAuth tokens
  • Identity info, such as username and bcrypt-hashed password, for the app dashboard itself

HubSpot Data

When you connect Invoice Stack to HubSpot we request the following permissions:

  • Deals – read and write
  • Owners – read
  • Contacts – read
  • Companies – read
  • Deal Properties – read and write
  • Line Item Properties – read and write
  • E-Commerce – this gives the app access to your “Products”, which allows us to auto-fill product data into the app
  • Timeline – allows the app to post Invoice Paid status to deal timelines
  • Automation – ability to process events from HubSpot workflows

Access to HubSpot data is via OAuth 2.0 connections, with refresh tokens stored AES-encrypted.
We are a Certified by HubSpot app, which means our app has passed additional security and usage checks by the HubSpot team.

Xero Data

When you connect Invoice Stack to Xero we request the following permissions:

  • Open ID / Offline Access / Profile – this gives the app basic information about your user and allows it to access Xero data when you are not currently using Xero
  • Accounting Transactions – used to read and write invoice data
  • Accounting Contacts – used to read and write contact data
  • Accounting Settings (Read Only) – used to access Currency, Account, Tax and Tracking data

Access to Xero data is via OAuth 2.0 connections, with refresh tokens stored AES-encrypted.
We are a certified Xero App Partner, which means our app has passed additional security and usage checks by the Xero team.

QuickBooks Online Data

When you connect Invoice Stack to QuickBooks Online we request the following permissions:

  • Open ID / Offline Access / Profile – this gives the app basic information about your user and allows it to access QuickBooks data when you are not currently using QuickBooks
  • Accounting – used to read and write invoice data

Access to QuickBooks Online data is via OAuth 2.0 connections, with refresh tokens stored AES-encrypted.

Vulnerability Detection

  • We undertake annual web application penetration testing by an independent third party against the following benchmarks:
      • SANS Top 25 – full coverage
      • OWASP Top 10 – full coverage
      • OWASP API Security Top 10 – full coverage
      • PCI DSS Requirement 6.2.4 – full coverage
  • A copy of our most recent penetration test report is available on request
  • Automated vulnerability scanning is in place for all server and application software
  • Application monitors provide 24/7 alerts for downtime and SSL/TLS certificate problems

Storage of Data

  • All communication between Invoice Stack and other services is encrypted with TLS 1.2 or higher
  • All data is hosted by Amazon Web Services in the eu-west-1 region; AWS maintains ISO 27001, SOC 2 and many other certifications
  • Stored data is encrypted at rest using industry-standard AES-256
  • Backup retention is 35 days
  • We retain client data for 12 months after account closure, or delete it earlier on request

Security Best Practices

  • Access to servers, source code and third-party tools is secured with two-factor authentication.
  • We use strong, randomly-generated passwords that are never re-used
  • Employees and contractors are given the lowest level of access that allows them to get their work done. This rarely includes access to production systems or data
  • Employees and contractors are subject to NDA and background checks
  • We don’t copy production data to external devices (like personal laptops)
  • Code written by any developer is signed off by at least one other person before committing.
  • Code is tested in a staging environment against a QA checklist before deploying to production.

Third-party data processors

We only work with third-party suppliers that have strict data protection policies and are willing to commit to data processing agreements that preserve the privacy of our users and their data. We review processors on an annual basis.

A list of these third-party processors is available on request.

Frequently Asked Questions

How do I report a potential vulnerability or security concern?
Please reach out to the team at support@invoicestack.co

Do you maintain any security certifications such as SOC 2 or ISO 27001?
While we'd eventually love to achieve these certifications, we don't hold them at this time.

What insurance do you carry?
We have Professional Liability cover for up to £1,000,000

How do you store my credit card data?
Invoice Stack does not store personal credit card information for any of our customers. We use Stripe to securely process transactions and trust their commitment to best-in-class security. Stripe is a certified PCI Service Provider Level 1, which is the highest level of certification in the payments industry.
