  • Pause-on-reply — chases stop the moment your client writes back
  • Approval-first AI — nothing sends without your tone, edit, send
  • Email-first reminders — polite, professional, on your brand (SMS & WhatsApp coming soon)
  • Promise-to-pay tracking — never lose a soft commitment again
  • Cash-flow recovered, quietly — built by operators, not marketers
  • Worldwide — multi-currency, multi-channel, every timezone

Security

Built so your client list never leaks.

InvoiceDistrict holds your client contacts, invoice amounts, and the wording you send under your name. We treat that as sensitive by default. Here is how it is protected.

Encryption in transit

All traffic is served over HTTPS with TLS 1.2 or higher. HSTS is enforced on the production domain.

Encryption at rest

Application data is stored encrypted at rest using AES-256 by our managed Postgres provider.

Row-level access control

Every table that holds customer data has row-level security policies. You can only ever read or write your own rows.

Hardened infrastructure

Hosting runs on cloud providers with SOC 2 controls, isolated environments, automated backups, and least-privilege access. InvoiceDistrict itself is not currently SOC 2 audited as an organization.

Data residency & GDPR

Primary data is stored in the EU. Mogomotsi Hawk Dingalo (trading as InvoiceDistrict) acts as data controller for account data. Payment data is handled by PayPal as our payment processor.

Sub-processors

We use a short, vetted list of sub-processors: cloud hosting (EU), transactional email delivery, product analytics, and PayPal for payments. Full list available on request.

Responsible disclosure

If you believe you have found a security vulnerability in InvoiceDistrict, please email security@invoicedistrict.com with a description and reproduction steps. We will acknowledge within 2 business days and keep you updated until the issue is resolved. Please give us a reasonable window to fix the issue before public disclosure, and avoid testing that would degrade service for other customers or access data that is not your own.

Account security

  • Passwords are hashed using industry-standard algorithms; we never see them in plain text.
  • New passwords are checked against the Have I Been Pwned breach database — known-leaked passwords are rejected at signup.
  • Sessions use short-lived tokens with automatic rotation.
  • You can sign out of all sessions and change your password from your account settings.
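
An added example of the breach-database check in the list above, not InvoiceDistrict's own code (the page does not say how the check is implemented). It assumes the Pwned Passwords k-anonymity range API, where only the first five hex characters of the SHA-1 hash are sent; the function names, the `fail_closed` option and the offline response are hypothetical and constructed.

```python
import hashlib

RANGE_URL = "https://api.pwnedpasswords.com/range/"  # real endpoint; not called here

def split_hash(password):
    """SHA-1 the candidate; only the first 5 hex chars ever leave the server."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def parse_range(body, suffix):
    """Find our 35-char suffix among the 'SUFFIX:COUNT' lines of a range response."""
    for line in body.splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate.upper() == suffix and count.isdigit():
            return int(count)  # padded responses carry decoy entries with count 0
    return 0

def breach_count(password, fetch_range):
    """Number of times the password appears in the breach corpus (0 = not found)."""
    prefix, suffix = split_hash(password)
    return parse_range(fetch_range(prefix), suffix)

def signup_allowed(password, fetch_range, fail_closed=False):
    """Reject known-leaked passwords; fail_closed decides what an outage does."""
    try:
        return breach_count(password, fetch_range) == 0
    except OSError:
        return not fail_closed

def constructed_fetch(prefix):
    """Offline stand-in for GET RANGE_URL + prefix, returning constructed data."""
    leaked_prefix, leaked_suffix = split_hash("password")
    lines = ["0" * 35 + ":0"]  # constructed padding entry
    if prefix == leaked_prefix:
        lines.append(leaked_suffix + ":12345")  # constructed count
    return "\r\n".join(lines)

if __name__ == "__main__":
    for candidate in ("password", "correct horse battery staple 7!"):
        print(candidate, "->", signup_allowed(candidate, constructed_fetch))
```

In production `fetch_range` would perform the HTTPS request; whether an unreachable service blocks signup (`fail_closed=True`) or lets it through is a policy choice.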

Compliance roadmap

InvoiceDistrict is an early-stage product. We do not currently hold SOC 2, ISO 27001, or HIPAA certification. We operate on top of sub-processors that do (cloud hosting, payments, email), and we are designing our internal controls so a SOC 2 Type I audit is achievable within 12 months of meaningful scale. If your procurement team needs a vendor questionnaire or a DPA today, email us and we will respond within 2 business days.

Backups & recovery

The production database is backed up automatically with point-in-time recovery. Backups are encrypted and stored in a separate region from primary data.

Questions

For DPAs, sub-processor lists, or a security questionnaire, email support@invoicedistrict.com.