Built to pass your security review, honestly.
You're handing us visibility into your cash flows and payables. Every claim on this page is grounded in the real architecture — database-layer isolation, not just careful application code — and written by people who expect to be audited.
Six things your security team can verify right now.
We document what's live, not what's on the roadmap. Each control below maps to a specific implementation in the codebase — we'll walk through it in the architecture review.
Tenant isolation at the database layer
Multi-tenant Postgres with row-level security keyed on org membership. Your data is invisible to other tenants at the database engine — no application-layer filter can accidentally bypass it.
Least-privilege access paths
User-facing routes execute under the caller's JWT, so row-level security applies automatically to every query they issue. The service-role (admin) key, which bypasses row-level security, is reserved for system contexts only: webhooks, scheduled jobs, and IMAP sync.
Tamper-evident audit logs
Every invoice event, approval decision, and journal entry is written to an immutable audit trail your auditors can rely on. We log who did what, when, and from which org — and those records cannot be edited.
Encryption in transit & at rest
AES-256 at rest and TLS in transit via managed Supabase infrastructure. Key rotation is handled at the platform level, not left to application configuration.
Verified payment webhooks
Razorpay webhook payloads are verified against their HMAC signature before any processing occurs. We never weaken or bypass this check — it is treated as a hard invariant in code review.
SOC 2-aligned controls
Controls are mapped to SOC 2 Trust Services Criteria and documented for review. Certification is on our roadmap — we will not claim it until the audit is complete and the report is in hand.
What we claim vs. what we won't say yet.
Most vendors pad their security page with logos and certifications. We'd rather be the vendor your security team can actually trust — which means being precise about what's true today and what's still ahead.
- Row-level security — org boundary enforced at the Postgres engine; org-scoped queries as defense-in-depth on top.
- Least-privilege routing — user routes run under the caller's JWT; service-role key used only for system contexts.
- Tamper-evident audit logs — immutable event trail across invoices, approvals, and journal entries.
- AES-256 encryption at rest and TLS in transit via managed Supabase infrastructure.
- Webhook signature verification — HMAC-verified Razorpay payloads; bypass is a hard code-review block.
- SOC 2-aligned controls — documented and mapped to Trust Services Criteria; available for your questionnaire.
- No SOC 2 certificate yet. Controls are aligned and audit-ready. We're on track for a Type I audit — we will announce it when the report exists, not before.
- No SSO / SAML yet. It's on the roadmap and a common request from enterprise teams. We'll tell you honestly when it ships.
- No penetration test report yet. We're commissioning an independent pentest and will share findings — including remediated issues — when complete.
- No uptime SLA yet. We track availability and will publish an SLA once we have enough operational history to stand behind a number.
We're happy to fill out your security questionnaire, share the architecture data-flow diagram, and sign a DPA. Reach out and we'll turn it around fast.
What a review with us actually looks like.
We've structured onboarding so your security team can move fast without cutting corners. Here's the typical sequence.
Architecture walkthrough
A 30-minute call with the founder walking through the data-flow diagram: how invoices enter, how org boundaries are enforced, where credentials live, and which routes use which keys. Your security lead is welcome.
Security questionnaire turnaround
Send us your vendor security questionnaire. We aim to return a completed response within five business days. We answer every question honestly — including the ones where the answer is “not yet.”
Data Processing Agreement
We have a standard DPA ready to execute. If your legal team needs amendments, we can work through them before the pilot starts — no surprises at signing.
Ongoing disclosure
We notify customers of material security events promptly. We also share the architecture diagram and updated control documentation as the product evolves — you shouldn't have to chase us for it.