AcumenInvoice

Trust Center

Security posture, in one place.

A short summary of how AcumenInvoice handles security, what compliance work is in progress, and how we operate. For a full security questionnaire response, contact us.

Deployment model

On-Premise

No customer invoice data ever transits our infrastructure.

Data residency

Customer-controlled

Wherever the customer chooses to host the server.

Encryption at rest

AES-256

Provided by the customer's OS and database — we recommend LUKS + Postgres encryption settings.

Encryption in transit

TLS 1.2+

All HTTP endpoints. TLS 1.3 recommended.

Authentication

Local + SAML/OIDC

Customer chooses. SSO integration tested with Okta, Entra ID, Google Workspace.

Audit log

Cryptographically chained

Every workflow transition signed and timestamped; tamper-evident.

Backup

Customer-managed

Standard PostgreSQL backup tooling — pgBackRest, WAL-G, or your existing DB backup pipeline.

Vulnerability handling

security@

Reports acknowledged within 48 hours; fixes prioritized by severity.

Sub-processors

None

Because the product runs on your hardware, we have no operational sub-processors handling your data.

Compliance roadmap

Where we are, where we're going

PIPEDA alignment: Documented
SOC 2 Type II (in progress): Audit window 2026 H2
ISO 27001 (planned): Scoping
Penetration test (annual): Latest: March 2026

Reporting a vulnerability

We welcome responsible disclosure. Please email hello@acumeninvoice.com with the subject line SECURITY and a description of the issue. We will acknowledge within 48 hours and coordinate a remediation timeline. We do not currently offer a paid bug bounty but credit researchers who request acknowledgement.