256-bit encryption
Provider credentials are encrypted at rest with AES-256-GCM.
Security
Invoicycle separates payment collection from billing records, encrypts connected-provider credentials, and keeps client access behind tokenized portal routes.
Consent, export, retention, and deletion workflows are built into customer data handling.
Production operations are designed around monitored VPS hosting and database backups.
Controls map to access, change management, vendor review, and incident response.
Data protection
Payment providers handle sensitive card and bank details. Invoicycle stores the billing data required to create invoices, automate reminders, and reconcile payment status.
Account profile, business details, client contacts, invoice records, line items, and payment status metadata.
Encrypted provider credentials for AI, SMTP, PayPal, Stripe, and WhatsApp when users connect their own accounts.
Client portal tokens, notification records, usage counters, and operational audit signals needed to run billing workflows.
Security FAQ
No. Stripe and PayPal collect payment details on their hosted infrastructure. Invoicycle stores invoice status, payment URLs, and provider references.
Provider secrets are encrypted before storage and never returned to the browser after saving.
Portal access uses unguessable per-client tokens and can be disabled by removing portal access from the client record.
Account records stay available until deleted by the workspace owner. Browser-only guest drafts expire after 30 days on the local device.