Is InvoiceStream free?

Yes! The Free plan lets you create up to 3 invoices per month with up to 2 clients and basic expense tracking. No credit card required.

How does AI receipt scanning work?

Upload or snap a photo of any receipt. Our AI extracts the vendor name, date, amount, tax, currency, and even suggests an expense category — all in seconds.

Which payment gateways are supported?

InvoiceStream supports Stripe, Razorpay, and PayPal. Each gateway is automatically routed based on the invoice currency.

Which languages are supported?

The full interface is available in English, Hindi, Spanish, French, German, Japanese, and more. Each user can select their preferred language.

How many invoice templates are available?

InvoiceStream offers 15+ professionally designed templates including modern, minimal, bold, creative, and corporate styles with decorative SVG backgrounds.

InvoiceStream

Security

Your Data is Safe With Us

InvoiceStream is built with security at its core. Here's how we protect your financial data.

Encryption in Transit

All data transmitted between your browser and InvoiceStream is encrypted using TLS 1.3. We enforce HTTPS on all endpoints.

Encryption at Rest

Your data is stored encrypted at rest on Supabase-managed PostgreSQL. Backups are also encrypted.

Row-Level Security

PostgreSQL Row-Level Security (RLS) ensures that each account can only access its own data — isolation is enforced at the database level.

Access Controls

Role-based access control with super_admin, admin, and user roles. Admin actions are logged to a tamper-evident audit trail.

Regular Backups

Supabase performs automated daily backups with point-in-time recovery. Your data is never a single point of failure.

Vulnerability Management

We perform regular security reviews. Critical vulnerabilities are patched within 24 hours. Dependencies are monitored and kept up to date.

Infrastructure Security

Hosting: InvoiceStream is hosted on Vercel’s global edge network with DDoS protection and automatic scaling. Our database is hosted on Supabase (AWS infrastructure) in the ap-south-1 (Mumbai) region.

Network Security: All API endpoints are rate-limited to prevent brute-force attacks. Requests are validated and sanitised before reaching the database.

CDN & Edge: Static assets are served via Vercel’s global CDN. No sensitive data is cached at the edge.

Application Security

Authentication: Passwords are stored using secure hashing. Session tokens are scoped to individual browser sessions and cleared on logout or tab close.

SQL Injection Prevention: All database queries are parameterised via the Supabase client SDK. Raw SQL is never constructed from user input.

XSS Prevention: React’s built-in DOM escaping prevents cross-site scripting attacks. Content Security Policy headers are enforced.

CSRF Protection: Session-based authentication with same-site cookie policies mitigate cross-site request forgery.

Admin Isolation: The admin panel at /admin/* is gated behind a super_admin role check enforced at both the component and API level.

Payment Security

InvoiceStream never stores your customers’ payment card details on our servers. All payment processing is handled by our certified PCI-DSS compliant partners:

Razorpay: PCI-DSS Level 1 certified payment gateway
Stripe: PCI Service Provider Level 1 certified
PayPal: Industry-leading payment security with buyer/seller protection

Payment webhooks are verified using cryptographic signatures before any transaction is recorded.

AI & OCR Security

When you use the AI receipt scanning feature, your uploaded receipt images are:

Sent directly to our AI vision API over an encrypted TLS connection
Not stored by AI provider after processing
Not used to train AI models
Processed and immediately discarded from our servers — only the extracted data is saved

We recommend blurring or redacting sensitive personal information (e.g., bank account numbers) from receipts before uploading.

Audit Trail

All administrative actions within InvoiceStream are logged to an immutable audit trail including:

User and company management changes
Subscription modifications
Payment reconciliation actions
Admin settings changes

Logs include the performing user, timestamp, action type, affected entity, and metadata. Logs are retained for 2 years.

Reporting a Vulnerability

We take security disclosures seriously and appreciate responsible reporting. If you discover a security vulnerability in InvoiceStream, please email us at security@invoicestream.ai with:

A description of the vulnerability
Steps to reproduce it
Potential impact assessment
Your contact information

We will acknowledge your report within 48 hours and aim to resolve critical issues within 7 business days. We do not take legal action against good-faith security researchers.

Security Contact

security@invoicestream.ai

Please encrypt sensitive reports using our PGP key available upon request.