Core technical controls

Credentials protected in Stripe Secret Store

InvoiceXpress credentials are validated and stored with Stripe-managed encryption.

Webhook signature verification

Incoming requests validate Stripe Signature to ensure source authenticity.

Idempotency and duplicate prevention

The platform prevents repeated document creation for the same payment event.

Tenant isolation by account

Every record is scoped by Account ID with Row Level Security enabled in the data layer.

Synchronization logs for auditability

Relevant events are logged with status, timestamps, and generated document IDs.

Least-privilege access model

The app uses only the permissions required to sync payments and issue documents.

Compliance and data protection

  • Data processing is restricted to invoicing operations, with no third-party marketing usage.
  • Data sharing is limited to essential processors: Stripe, InvoiceXpress, and Supabase.
  • Retention and deletion policies are documented in the Privacy Policy.
  • Data subject rights are supported under GDPR (access, rectification, deletion, objection, portability).

Recommended customer practices

  • Use API keys with periodic rotation and internal access controls.
  • Validate tax and sequence settings before enabling automatic synchronization.
  • Monitor sync alerts and review logs whenever operational errors occur.
  • Restrict Stripe Dashboard access by role and enforce multi-factor authentication.

Need to validate internal requirements?

Our support team can help map technical, tax, and audit requirements to your integration workflow.