Security

Effective date: 6 June 2026 · invoices.mt, Malta

We know your invoicing data is sensitive, so security is built into invoices.mt from the ground up. This overview explains the main measures we use to protect your account and your clients' data. Security is a shared responsibility, so it also covers the part you play.

Infrastructure

The Service runs on trusted, enterprise-grade providers. The application is hosted on Vercel and our database, authentication and file storage run on Supabase, with data held in the European Union (Ireland). We co-locate our application servers in the EU (Dublin) to keep your data within Europe and close to where it is processed.

Encryption

  • In transit: all traffic to and from invoices.mt is encrypted with TLS (HTTPS). We do not serve the app over unencrypted connections.
  • At rest: your database records and uploaded files are encrypted at rest by our infrastructure providers.

Tenant isolation

Every workspace's data is isolated using database row-level security (RLS). Access policies are enforced at the database layer so that a request can only ever read or write rows belonging to a workspace the signed-in user is a member of. Public invoice links are served through a tightly scoped, token-based function that exposes only the single document being shared, not your wider account.

Authentication and access control

  • Passwords are stored only as salted hashes; we never store them in plain text.
  • Sessions use secure, HTTP-only cookies, refreshed safely on each request.
  • Workspace roles (owner, admin, member) limit what each member can do, and sensitive actions such as managing the team are restricted to owners and admins.
  • Internal access to production systems follows the principle of least privilege.

Payments

Card payments are handled entirely by Stripe, a PCI-DSS Level 1 certified payment processor. invoices.mt never sees or stores full card numbers. Payments on your invoices go directly into your own connected Stripe account, so card data never passes through our servers.

Backups and resilience

Our database is backed up regularly by our infrastructure provider with point-in-time recovery, so data can be restored in the event of a failure. Our providers operate redundant, highly available infrastructure.

Monitoring and secure development

  • We log and monitor application and platform activity to detect and investigate issues.
  • Secrets and API keys are stored in a secure environment, never committed to source control.
  • Changes are reviewed and dependencies are kept up to date to reduce the risk of known vulnerabilities.

Your part in keeping data safe

  • Use a strong, unique password and keep your login credentials private.
  • Only invite team members you trust, and remove access promptly when someone leaves.
  • Be careful with the public links you share, and tell us if you suspect any unauthorised access.

Responsible disclosure

If you believe you have found a security vulnerability, please tell us before disclosing it publicly. Email support@invoices.mt with the subject "Security" and as much detail as you can. We will acknowledge your report, investigate promptly, and keep you updated. We are grateful to researchers who report issues responsibly.

Contact

For any security question, contact support@invoices.mt.