Security Posture

At Invoice My Clients, the security of your data is our highest priority. This document outlines our comprehensive security posture — from the cloud infrastructure and encryption protocols that protect your data, to the safeguards surrounding our AI-boosted features. We believe in full transparency so you can trust our platform with your business-critical invoicing data.

Invoice My Clients is built entirely on Amazon Web Services (AWS), the world's leading cloud computing platform trusted by millions of organizations including government agencies, financial institutions, and healthcare providers. AWS operates under a Shared Responsibility Model that divides security obligations between AWS (security of the cloud) and us (security in the cloud).

Shared Responsibility Model

Under the AWS Shared Responsibility Model, AWS manages security of the cloud infrastructure, while we are responsible for how we configure and use those services securely. This dual-layer approach ensures comprehensive protection at every level.

Compliance & Certifications

AWS maintains an extensive set of compliance certifications that apply to the infrastructure underpinning Invoice My Clients:

• SOC 1, SOC 2, and SOC 3 — Independent third-party audits of security controls.
• ISO 27001, ISO 27017, ISO 27018 — International standards for information security management, cloud security, and personal data protection.
• PCI DSS Level 1 — The highest standard for payment card data security.
• HIPAA — Healthcare data protection eligibility.
• FedRAMP — US government security authorization.
• GDPR — European data protection regulation compliance.
• CSA STAR — Cloud Security Alliance certification.

For a full list of AWS compliance programs, visit: aws.amazon.com/compliance

AWS Services We Use

We leverage AWS managed services that are designed with security built-in from the ground up:

Your data is protected with industry-standard encryption at every stage:

• Data in transit: All communications are encrypted using TLS 1.2 or higher. This includes API calls, web traffic, and internal service-to-service communication.
• Data at rest: All data stored in DynamoDB, S3, and other AWS services is encrypted using AES-256 encryption managed by AWS Key Management Service (KMS).
• Database encryption: DynamoDB encryption at rest is enabled by default with AWS-owned keys, providing transparent encryption without application changes.
• File storage: All uploaded files (logos, receipts, documents) stored in S3 are encrypted with server-side encryption (SSE-S3 or SSE-KMS).

We use Amazon Cognito, a robust identity management service, to secure your account with enterprise-grade authentication:

• Multi-Factor Authentication (MFA) via Time-based One-Time Passwords (TOTP) and email verification.
• OAuth 2.0 integration with trusted providers including Google, Facebook, and Amazon for secure social sign-in.
• JWT (JSON Web Token) based session management with automatic token refresh and expiry.
• Password policies enforcing minimum length, complexity, and protection against compromised credentials.
• Per-user data isolation — every API request is scoped to the authenticated user's identity, preventing unauthorized cross-account access.
• Account lockout protections to defend against brute-force attacks.

Invoice My Clients uses artificial intelligence to help you create invoices and manage your business more efficiently. We understand that AI introduces unique security considerations, and we want to be fully transparent about how these technologies work and how your data is protected.

Amazon Bedrock (AI Model Hosting)

Our AI features are powered by Amazon Bedrock, AWS's fully managed service for foundation models. Bedrock provides critical security guarantees:

• Your data is not used to train or improve foundation models — AWS Bedrock explicitly guarantees this.
• All model inference requests are encrypted in transit (TLS 1.2+) and processed in isolated compute environments.
• Data stays within the AWS region (US East) — it is not transmitted to third-party model providers.
• AWS Bedrock is SOC, ISO, and HIPAA compliant.
• All Bedrock API calls are authenticated and logged via AWS CloudTrail for auditability.

For more about Amazon Bedrock security and compliance, visit: aws.amazon.com/bedrock/security-compliance

Anthropic Claude Models

We use Anthropic's Claude models (Claude Sonnet 4.5 and Claude Haiku 4.5) accessed exclusively through Amazon Bedrock. This means:

• Anthropic does not receive, store, or have access to your data — all requests stay within AWS infrastructure.
• Claude models are designed with Constitutional AI safety methods to avoid harmful outputs.
• No customer data is used for model training — this is contractually guaranteed by both AWS and Anthropic.
• Claude models are evaluated for safety and reliability by independent auditors.

How Your Data Is Handled by AI

We have implemented strict controls to ensure your business data is handled responsibly when interacting with AI features:

Our Model Context Protocol (MCP) server provides a secure bridge between AI agents and your invoice data:

• All MCP requests require valid Cognito JWT authentication — no anonymous access is permitted.
• API key authentication with SHA-256 hashing for machine-to-machine communication.
• Per-session context isolation ensures AI agents can only access data belonging to the authenticated user.
• All operations pass through AWS AppSync authorization rules before reaching the database.
• Request validation through Zod schemas prevents injection attacks and malformed data.

We are committed to giving you full control over your data:

• You can request a complete export of all your data at any time.
• You can request full deletion of your account and all associated data — see our Data Deletion Policy.
• We do not sell, rent, or share your personal or business data with third parties for marketing purposes.
• Our Privacy Policy details exactly what data we collect and how it is used.
• We comply with applicable data protection regulations, including GDPR and CCPA principles.

We maintain a structured incident response plan to rapidly address any security events:

• AWS CloudTrail logging for all API activity, providing a complete audit trail.
• Amazon CloudWatch monitoring with real-time alerting on anomalous behavior.
• Automated threat detection through AWS infrastructure-level protections.
• Defined escalation procedures with designated security response personnel.
• Commitment to notifying affected users within 72 hours in the event of a data breach, in compliance with applicable regulations.

Continuous Improvement

Security is not a one-time effort — it's an ongoing process. We continuously monitor our systems, review access patterns, update dependencies, and adapt to emerging threats. We stay current with AWS security advisories, Anthropic safety research, and industry best practices to ensure your data remains protected.

Related Documents

Security Questions & Contact

If you have questions about our security practices or want to report a security concern, please contact our security team: