SECURITY
Security
Last updated: May 11, 2026
This page summarizes the technical and organizational controls we use to protect your data. The full legal-grade detail lives in the Privacy Policy and sub-processors page.
Encryption
- In transit: TLS 1.3 on every endpoint, HSTS with preload
- At rest: AES-256 on Cloudflare R2 and D1
- Passwords: Argon2id with per-user salt; we cannot read your plaintext password
Retention
- Uploaded files: maximum 1 hour; an automated cron deletes them then purges the R2 keys
- Audit log: metadata only (size, encoding, row count, parse status). 13 months. No file contents.
- HTTP logs: 90 days, IP-restricted access
- Account data: until you delete your account, then 30-day soft delete, then permanent deletion
Sub-processor controls
- Files never leave our infrastructure in their original form
- The only third-party model we call is Anthropic Claude Haiku 4.5, and only with an anonymized sample (placeholders for amounts, names, IBANs, NIP/VAT IDs)
- The Anthropic DPA contractually prohibits training on customer data
- Full sub-processor list, locations, transfer mechanisms: /sub-processors
Application controls
- Rate limiting on every public endpoint
- Strict Content Security Policy (no
unsafe-eval, no third-party scripts) - CSRF tokens on every state-changing request
- Input validation via Zod schemas at API boundaries
- Least-privilege access (single developer, audited admin actions)
- Dependency audit weekly (
npm audit); high-severity issues patched within 7 days
What we do not do
- We do not connect to your bank (no Plaid, Tink, OAuth, Open Banking)
- We do not store credit card data (Lemonsqueezy is PCI DSS-certified)
- We do not use your data to train AI models — ours or any sub-processor's
- We do not run any tracking script (no Google Analytics, no Facebook Pixel)
Reporting a vulnerability
If you find a security issue, please email hi@checkunpaidinvoices.com with the subject line "Security: vulnerability report". We acknowledge within 24 hours on business days. We do not currently run a paid bounty program, but we credit responsible reporters in the changelog on request.
Please do not publicly disclose a vulnerability before we have had reasonable time to fix it (we target 90 days).
Compliance posture
- GDPR-compliant: Polish data controller, EU data residency, SCC + DPA for US sub-processors
- No SOC 2 audit yet — we are too small for a finance team to justify the spend; we re-evaluate at every plan tier above Pro
- No ISO 27001 certification for the same reason
Last updated: 2026-05-11.