Security Overview
At faktoora, security is foundational to everything we build. As an e-invoicing platform handling sensitive financial data, we hold ourselves to the highest standards of data protection, access control, and operational security.
Our Security Principles
| Principle | How we apply it |
|---|---|
| Confidentiality | Data classification, strict access restrictions, encryption in transit and at rest |
| Integrity | Parameterised database queries, immutable tamper-evident audit trail, backup integrity verification |
| Availability | Regular database and file backups, automatic service recovery, tested disaster recovery procedures |
| Least privilege | Role-based access control, least-privilege service execution, restricted production access |
| Defence in depth | Multiple security layers across network, infrastructure, application, and data |
| Separation of duties | Mandatory code review before deployment, controlled production deployment process |
| Secure by default | Hardened service images, protected branches, automated CI gating, centralised secrets management |
Encryption
In Transit
All external communication is encrypted using TLS 1.2 or higher. This includes API calls, webhook deliveries, email transmission, Peppol e-invoice delivery, and all third-party integrations.
At Rest
All production data is encrypted at rest. Encryption keys are managed under a split-knowledge control policy — no single individual can decrypt production data alone. This covers databases, file storage, and backups.
Application-Level
Passwords are hashed using a strong adaptive hashing algorithm with per-user salts. API key secrets are hashed at creation and cannot be retrieved afterward. Sensitive integration credentials are encrypted at rest and stored separately from the data they protect. Audit log entries are chained using cryptographic hashes for tamper detection.
Access Control
Application Access
faktoora supports multiple authentication methods:
- Email and password with brute-force protection and rate limiting
- Single Sign-On (SSO) via OIDC for enterprise customers
- API keys for programmatic integrations, hashed at rest
Our authorisation model uses role-based access control with fine-grained permissions, per-login access scoping for multi-company accounts, and subscription-tier feature flags.
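The two credential-storage claims above, salted adaptive password hashing and API key secrets that are hashed at creation and never retrievable, can be illustrated with a small example. This is an added illustration, not faktoora's own code: the scrypt parameters, the `fk_<id>_<secret>` key layout and the in-memory store are assumptions made for the demonstration.

```python
"""Credential storage: salted adaptive password hashing and one-way API key
storage. Added example, not faktoora's code; parameters and layout are assumed."""
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# scrypt work factor (assumed for illustration; raise N for production hardware)
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
SALT_BYTES = 16
KEY_PREFIX = "fk"  # assumed key prefix, illustration only


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). A fresh random per-user salt is drawn unless one is supplied."""
    salt = salt or os.urandom(SALT_BYTES)
    digest = hashlib.scrypt(
        password.encode(), salt=salt, n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32
    )
    return salt, digest


def verify_password(password: str, salt: bytes, stored: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, stored)


@dataclass(frozen=True)
class ApiKeyRecord:
    key_id: str         # public lookup handle, stored in clear
    secret_hash: bytes  # SHA-256 of the secret; the secret itself is never stored


def create_api_key() -> Tuple[str, ApiKeyRecord]:
    """Mint a key; the full key is shown to the user once and only its hash is kept.
    The secret has 256 bits of entropy, so a fast hash suffices (unlike passwords)."""
    key_id = secrets.token_hex(4)
    secret = secrets.token_urlsafe(32)
    full_key = f"{KEY_PREFIX}_{key_id}_{secret}"
    record = ApiKeyRecord(key_id, hashlib.sha256(secret.encode()).digest())
    return full_key, record


def verify_api_key(presented: str, store: Dict[str, ApiKeyRecord]) -> bool:
    """Look the key up by its public id and compare the secret's hash in constant time."""
    try:
        prefix, key_id, secret = presented.split("_", 2)
    except ValueError:
        return False
    if prefix != KEY_PREFIX:
        return False
    candidate = hashlib.sha256(secret.encode()).digest()
    record = store.get(key_id)
    if record is None:
        # Compare against a dummy so timing does not reveal whether the id exists.
        hmac.compare_digest(candidate, b"\x00" * 32)
        return False
    return hmac.compare_digest(candidate, record.secret_hash)


def demo() -> bool:
    """Round-trip both credential types; returns True when every check behaves."""
    salt, digest = hash_password("correct horse battery staple")
    ok = verify_password("correct horse battery staple", salt, digest)
    ok &= not verify_password("Tr0ub4dor&3", salt, digest)
    key, record = create_api_key()
    store = {record.key_id: record}
    wrong = key[:-1] + ("A" if key[-1] != "A" else "B")
    return ok and verify_api_key(key, store) and not verify_api_key(wrong, store)


if __name__ == "__main__":
    print("all checks passed" if demo() else "FAILED")
```

Two design points worth noting: passwords get a deliberately slow, salted function because users choose low-entropy secrets, whereas a randomly generated API key secret can use a single SHA-256 because brute force is infeasible against 256 bits of entropy; and the public `key_id` lets the server find the record without ever indexing on the secret, so a database leak yields only hashes.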
Production Infrastructure
Production access is restricted to explicitly authorised personnel. Our production environment is fully isolated — no automated systems have access to production. Deployments require explicit approval and are performed by authorised individuals only.
Access Lifecycle
- New team members receive role-appropriate access; production access requires management approval
- Quarterly access reviews verify all active permissions
- On departure, access is revoked immediately and shared secrets are rotated
Secure Development Lifecycle
Every code change follows a structured process:
- Tracked changes — all changes are linked to documented requirements with acceptance criteria
- Branch isolation — no direct changes to production code; all work is developed and reviewed in isolation
- Automated quality and security gates — every change must pass automated checks including code quality, testing, and security scanning before review
- Mandatory peer review — every change requires independent approval before it can reach production
- Staged rollout — changes progress through multiple environments before reaching production
Container Security
All services run in hardened, minimal-footprint environments with reduced attack surface and least-privilege permissions. We maintain a Software Bill of Materials (SBOM) for supply chain transparency.
Dependency Management
Third-party dependencies are continuously monitored for known vulnerabilities. New dependencies require explicit approval before introduction.
Infrastructure Security
Environment Separation
Development, testing, and production environments are strictly separated. Production is fully isolated and cannot be reached from any other environment.
Network Security
Our infrastructure uses multiple layers of network protection including cloud-level firewalls, host-level firewalls, overlay network encryption, and application-level authentication. Data stores are never directly exposed to the internet.
Audit Logging
All user actions are recorded in an immutable, tamper-evident audit trail. Entries cannot be modified or deleted after creation, and their integrity can be independently verified.
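The hash chaining mentioned under Application-Level encryption and the independent verification described here can be shown concretely. The following is an added example, not faktoora's implementation: the entry fields, the canonical JSON encoding, the all-zero genesis hash and the sample actions are assumptions chosen for the demonstration, and the sample entries are constructed.

```python
"""Hash-chained, append-only audit log with independent verification.
Added example, not faktoora's code; field names and encoding are assumed."""
import hashlib
import json
from dataclasses import dataclass, replace
from typing import Dict, List, Tuple

GENESIS = "0" * 64  # assumed sentinel prev_hash for the first entry


@dataclass(frozen=True)
class AuditEntry:
    seq: int
    actor: str
    action: str
    target: str
    timestamp: str
    prev_hash: str   # entry_hash of the previous entry (or GENESIS)
    entry_hash: str  # SHA-256 over all fields above, including prev_hash


def compute_hash(seq: int, actor: str, action: str, target: str,
                 timestamp: str, prev_hash: str) -> str:
    """Canonical JSON (sorted keys, no whitespace) so every verifier hashes identical bytes."""
    payload = json.dumps(
        {"seq": seq, "actor": actor, "action": action, "target": target,
         "timestamp": timestamp, "prev_hash": prev_hash},
        sort_keys=True, separators=(",", ":"),
    ).encode()
    return hashlib.sha256(payload).hexdigest()


class AuditLog:
    """Append-only writer: each new entry commits to the hash of the one before it."""

    def __init__(self) -> None:
        self._entries: List[AuditEntry] = []

    def append(self, actor: str, action: str, target: str, timestamp: str) -> AuditEntry:
        prev = self._entries[-1].entry_hash if self._entries else GENESIS
        seq = len(self._entries)
        h = compute_hash(seq, actor, action, target, timestamp, prev)
        entry = AuditEntry(seq, actor, action, target, timestamp, prev, h)
        self._entries.append(entry)
        return entry

    def entries(self) -> List[AuditEntry]:
        return list(self._entries)

    def head(self) -> str:
        """Hash of the latest entry; commits to the entire history."""
        return self._entries[-1].entry_hash if self._entries else GENESIS


def verify_chain(entries: List[AuditEntry]) -> Tuple[bool, int]:
    """Independent check needing no secrets: returns (ok, seq of first bad entry or -1)."""
    expected_prev = GENESIS
    for i, e in enumerate(entries):
        if e.seq != i or e.prev_hash != expected_prev:
            return False, i  # gap, reordering or deletion
        if compute_hash(e.seq, e.actor, e.action, e.target, e.timestamp, e.prev_hash) != e.entry_hash:
            return False, i  # field edited without recomputing the hash
        expected_prev = e.entry_hash
    return True, -1


def tamper_demo() -> Dict[str, Tuple[bool, int]]:
    """Build a constructed three-entry log and show how each tampering attempt is caught."""
    log = AuditLog()
    log.append("alice", "invoice.create", "INV-1001", "2024-05-01T09:00:00Z")
    log.append("bob", "invoice.approve", "INV-1001", "2024-05-01T09:05:00Z")
    log.append("alice", "invoice.send", "INV-1001", "2024-05-01T09:10:00Z")
    results = {"intact": verify_chain(log.entries())}

    # 1) Edit a field in place without touching the hash: that entry fails.
    edited = log.entries()
    edited[1] = replace(edited[1], actor="mallory")
    results["edited"] = verify_chain(edited)

    # 2) Edit and recompute that entry's own hash: the *next* entry's prev_hash no longer links.
    rehashed = log.entries()
    e = rehashed[1]
    new_hash = compute_hash(e.seq, "mallory", e.action, e.target, e.timestamp, e.prev_hash)
    rehashed[1] = replace(e, actor="mallory", entry_hash=new_hash)
    results["edited_rehashed"] = verify_chain(rehashed)

    # 3) Delete an entry: the sequence gap and broken link are caught at the deletion point.
    deleted = log.entries()
    del deleted[1]
    results["deleted"] = verify_chain(deleted)
    return results


if __name__ == "__main__":
    for name, outcome in tamper_demo().items():
        print(f"{name:16s} ok={outcome[0]} first_bad_seq={outcome[1]}")
```

One caveat a practitioner should keep in mind: a hash chain detects edits, reordering and deletions only as long as the attacker cannot rewrite every entry from the tampered point to the end. Whoever can do that produces a chain that verifies perfectly, so the current head hash needs to be anchored somewhere the log writer cannot alter (signed and shipped to a separate system, or published periodically) and compared against the stored chain during verification.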
Secrets Management
Application secrets are managed through dedicated secrets management infrastructure — never stored in source code or environment files. Access to secrets is restricted to authorised services and personnel.
Questions?
For security inquiries, contact security@faktoora.com.
To report a vulnerability, see our Vulnerability Disclosure page.