Specific security controls for teams that need auditable trust

Your invoice data is encrypted at rest and in transit. Role-based access control determines who sees what. Key invoice lifecycle events stay on the invoice timeline so teams can review handoffs and disputes.

Transparent architecture, auditable by design

Review our encryption implementation, access control logic, and data handling through detailed security documentation and third-party audits. No trust-us badges required when the architecture is independently verifiable.

Self-host for complete data sovereignty

Deploy Conduitt on your own infrastructure with Docker or Kubernetes. Your invoice data never leaves your network. Full control over backups, retention, and access policies.

Published legal terms for procurement review

Privacy policy, DPA with subprocessor list, refund policy, and service terms are published and versioned. Your procurement and legal teams can review them before you sign up.

Infrastructure security by default

Every deployment includes these protections out of the box, whether you use our managed cloud or self-host.

  • TLS 1.3 for all data in transit, AES-256 encryption for data at rest — your invoice data is encrypted everywhere it exists
  • CSRF tokens on all state-changing requests with SameSite cookie enforcement — blocks cross-site attacks that could modify your invoices
  • Route-level rate limits on auth and API routes — helps stop abuse before it affects your team
  • Managed infrastructure on Vercel edge with DDoS protection and WAF rules — your team stays productive during attacks
  • Structured security event logging for sensitive workflows — keeps operational review grounded in concrete records

Data handling with documented boundaries

We collect only what the product needs to function. No analytics trackers on invoice pages. No selling data to third parties. Full export and deletion capabilities.

  • Privacy policy and DPA with named subprocessors published
  • Export all data as JSON or CSV at any time, no vendor lock-in
  • Zero ad-tech integrations, zero data resale, zero third-party trackers on invoice pages
  • Self-host option for teams that require data residency or air-gapped deployments
  • Documented retention periods with automated deletion on account closure

Granular access control at every layer

Organization roles, TOTP-based MFA, scoped API keys, and timeline history give you precise control over who accesses invoice data and what they can do with it.

  • Organization roles: Owner, Admin, Member, Viewer with granular permission sets
  • TOTP-based two-factor authentication with enforced enrollment for admin roles
  • API keys scoped by environment and permission, with one-click rotation and revocation
  • Timeline and audit records for key workflow events
  • Workspace isolation with row-level security enforced at the database layer
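One way a "workspace isolation with row-level security enforced at the database layer" control is typically implemented in PostgreSQL, shown here as an added example rather than Conduitt's own code; the invoices table, its columns, the role name, the session variable and the workspace ids are all assumptions.

```sql
-- Added example (not Conduitt's code). Assumed schema: each invoice belongs to
-- one workspace, and the application sets the active workspace per transaction.
CREATE TABLE invoices (
  id            bigserial PRIMARY KEY,
  workspace_id  uuid   NOT NULL,
  customer      text   NOT NULL,
  amount_cents  bigint NOT NULL,
  status        text   NOT NULL DEFAULT 'draft'
);

-- Weak form: isolation lives only in application code, i.e. every query must
-- remember "WHERE workspace_id = $current". One forgotten predicate exposes
-- another tenant's invoices. Nothing in the database stops that.

-- Hardened form: the database enforces the boundary on every statement.
ALTER TABLE invoices ENABLE ROW LEVEL SECURITY;
ALTER TABLE invoices FORCE ROW LEVEL SECURITY;  -- also applies to the table owner

-- NULLIF(...) handles the case where the variable was never set (NULL) or was
-- reset to '' at transaction end: the cast yields NULL, the predicate is never
-- true, and a connection with no workspace context sees zero rows, not all rows.
CREATE POLICY workspace_isolation ON invoices
  USING      (workspace_id = NULLIF(current_setting('app.workspace_id', true), '')::uuid)
  WITH CHECK (workspace_id = NULLIF(current_setting('app.workspace_id', true), '')::uuid);

-- The application connects as a non-superuser role without BYPASSRLS; superusers
-- and BYPASSRLS roles ignore policies regardless of the settings above.
CREATE ROLE conduitt_app LOGIN;  -- assumed role name
GRANT SELECT, INSERT, UPDATE, DELETE ON invoices TO conduitt_app;
GRANT USAGE, SELECT ON SEQUENCE invoices_id_seq TO conduitt_app;

-- Per-request pattern: SET LOCAL scopes the tenant to this transaction only,
-- so a pooled connection cannot carry one workspace's context into the next request.
BEGIN;
SET LOCAL app.workspace_id = '11111111-1111-1111-1111-111111111111';  -- constructed id
SELECT id, customer, amount_cents, status FROM invoices;  -- only this workspace's rows
INSERT INTO invoices (workspace_id, customer, amount_cents)
  VALUES ('11111111-1111-1111-1111-111111111111', 'Acme Ltd', 125000);  -- allowed
COMMIT;

-- A write that names a different workspace fails the WITH CHECK clause with
-- "new row violates row-level security policy", even if the application bug
-- that produced it went unnoticed:
--   INSERT INTO invoices (workspace_id, customer, amount_cents)
--     VALUES ('22222222-2222-2222-2222-222222222222', 'Other Co', 1);
```

A useful review check is to connect as the application role, run `SELECT count(*) FROM invoices` with no `SET LOCAL` in place, and confirm the answer is 0 rather than the whole table.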

Documentation your security team needs

Every document listed here is published and available before you create an account.

Data Processing Agreement

Standard contractual clauses, named subprocessors, data residency details, and breach notification commitments. Ready for your DPO review.

Privacy policy

What data we collect, why we collect it, how long we keep it, and how to request access, correction, or deletion. GDPR and CCPA aligned.

Audit trail coverage

Key invoice lifecycle events, reminder sends, status changes, and security-sensitive actions are captured for review. Immutable, every-action audit coverage is not included.

Deployment flexibility

Managed cloud with SOC 2-aligned controls, or self-hosted on your own infrastructure with Docker/Kubernetes. Your compliance requirements determine the deployment model.

Subprocessor disclosure

Every third-party vendor that processes service data is named in the DPA with their role, data access scope, and geographic location.

Review-ready documentation

Security whitepaper, privacy policy, DPA, and terms of service are versioned and available at published URLs for procurement review.

Security FAQ

Yes. Start with the published privacy policy and DPA at conduitt.io/privacy and conduitt.io/dpa. For deeper technical review, the full codebase is on GitHub. We also provide a security whitepaper on request for enterprise evaluations.

Security reviews should not start from a blank page

We will walk your security team through our architecture, share the codebase, and answer technical questions. No NDAs needed to start — the code is already public.