At the end of this page you'll find Frequently Asked Questions. If the information you require is not listed here, please get in touch by emailing support@invoicestack.co
Who we are
- Weave + Blend Limited is a company registered in England and Wales, registration number 13063973
- Registered Address: St. Brandon's House, Great George Street, Bristol BS1 5QT United Kingdom
- We are registered with the Information Commissioner's Office under the UK Data Protection Act (ZB293185)
How users access Invoice Stack
- HubSpot users can access the Invoicing or Reporting view inside HubSpot via a deal card. HubSpot supports access control permissions for deals and cards. Access to the Invoice Stack window is secured by a signed, time-limited access token that is issued only when a signed request from HubSpot is received.
- An admin dashboard allows connections and preferences to be managed, but no invoice data is accessible from it. Access to the dashboard is secured with a username and a bcrypt-hashed password.
- Invoice data is synced to HubSpot deals via deal properties. HubSpot supports access control permissions for deal properties.
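The gating described above, as an added illustration rather than Invoice Stack's own code: it assumes HubSpot signs each request with an HMAC-SHA256 over method, URL, body and timestamp using a shared client secret (the real HubSpot signature format and header names are not described on this page and are not reproduced here), and only a request whose signature verifies and whose timestamp is fresh yields a short-lived token signed with the app's own key. All secrets, IDs and URLs are constructed.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed secrets for illustration only; a real deployment loads these from a secret store.
HUBSPOT_SHARED_SECRET = b"constructed-hubspot-client-secret"
TOKEN_SIGNING_KEY = b"constructed-window-token-key"
MAX_REQUEST_AGE_MS = 5 * 60 * 1000   # reject signed requests older than 5 minutes (replay window)
TOKEN_TTL_S = 15 * 60                # window token expires after 15 minutes

def sign_request(method, url, body, timestamp_ms, secret=HUBSPOT_SHARED_SECRET):
    """Assumed scheme: base64(HMAC-SHA256(secret, method + url + body + timestamp))."""
    msg = f"{method}{url}{body}{timestamp_ms}".encode()
    return base64.b64encode(hmac.new(secret, msg, hashlib.sha256).digest()).decode()

def verify_request(method, url, body, timestamp_ms, signature, now_ms):
    """True only if the signature matches and the request timestamp is fresh."""
    if abs(now_ms - int(timestamp_ms)) > MAX_REQUEST_AGE_MS:
        return False                                   # stale or replayed request
    expected = sign_request(method, url, body, timestamp_ms)
    return hmac.compare_digest(expected, signature)    # constant-time comparison

def issue_access_token(portal_id, deal_id, now_s):
    """Mint a short-lived token bound to one portal and deal, signed with our own key."""
    payload = {"portal": portal_id, "deal": deal_id,
               "exp": int(now_s) + TOKEN_TTL_S, "nonce": secrets.token_hex(8)}
    body = base64.urlsafe_b64encode(json.dumps(payload, separators=(",", ":")).encode()).decode()
    sig = hmac.new(TOKEN_SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{sig}"

def verify_access_token(token, now_s):
    """Return the payload if the token is authentic and unexpired, otherwise None."""
    body, _, sig = token.partition(".")
    expected = hmac.new(TOKEN_SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not sig or not hmac.compare_digest(expected, sig):
        return None
    payload = json.loads(base64.urlsafe_b64decode(body))
    return payload if payload["exp"] > int(now_s) else None

def handle_card_request(method, url, body, timestamp_ms, signature, portal_id, deal_id, now_ms=None):
    """Gate for the deal-card window: no valid HubSpot signature, no token."""
    now_ms = int(time.time() * 1000) if now_ms is None else now_ms
    if not verify_request(method, url, body, timestamp_ms, signature, now_ms):
        return None
    return issue_access_token(portal_id, deal_id, now_ms // 1000)
```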
Data Access and Storage
Storage
Our app stores the following data in our database. This data is stored by our cloud provider, AWS, which is ISO 27001 certified, in the eu-west-1 region (Ireland).
Data stored:
- Any invoice data saved or synced via the app (e.g. line items, totals)
- Basic deal data such as name, total and currency, and the ID of your Xero/QBO contact, for any deal saved or synced via the app
- Session and access data such as encrypted OAuth tokens
- Identity info, such as the username and hashed password for the app dashboard itself
Invoice Stack processes but does not store customer PII unless embedded in invoice content (e.g. line items) by the user. We only store contact IDs from your accounting platform.
HubSpot Data
When you connect Invoice Stack to HubSpot we request the following permissions:
- Deal Objects read/write
- Invoice Objects read/write
- Contact Objects read
- Company Objects read
- Quote objects read
- Object owners read
- Deal Properties read/write
- Invoice Properties read/write
- Timeline
- Automation
- E-Commerce (product library read/write)
- (Optional) Files, Sales Email Read (Opt in basis - if “Attachments” functionality is enabled)
Access to HubSpot data is via OAuth 2.0 connections with refresh tokens encrypted by AES.
We are a Certified by HubSpot app – which means our app has passed additional security and usage checks by the HubSpot team.
Xero Data
When you connect Invoice Stack to Xero we request the following permissions:
- Open ID / Offline Access / Profile – this gives the app basic information about your user and allows it to access Xero data when you are not currently using Xero
- Accounting Transactions – used to read and write invoice data
- Accounting Contacts – used to read and write contact data
- Accounting Settings (Read Only) – used to access Currency, Account, Tax and Tracking data
Access to Xero data is via OAuth 2.0 connections with refresh tokens encrypted by AES.
We are a certified Xero App Partner – which means our app has passed additional security and usage checks by the Xero team.
QuickBooks Online Data
When you connect Invoice Stack to QuickBooks Online we request the following permissions:
- Open ID / Offline Access / Profile – this gives the app basic information about your user and allows it to access QuickBooks data when you are not currently using QuickBooks
- Accounting – used to read and write invoice data
Access to QuickBooks Online data is via OAuth 2.0 connections with refresh tokens encrypted by AES.
Vulnerability Detection
- We undertake annual web application penetration testing by an independent third party against the following benchmarks:
  - SANS Top 25 – full coverage
  - OWASP Top 10 – full coverage
  - OWASP API Security Top 10 – full coverage
  - PCI DSS Requirement 6.2.4 – full coverage
- A copy of our most recent penetration test report is available on request
- Automated vulnerability scanning is in place for all server and application software
- Application monitors provide 24/7 alerts for downtime and SSL certificate compliance
Storage of Data
- All communication between Invoice Stack and other services is encrypted with TLS 1.2 or higher
- All data is hosted by Amazon Web Services in the eu-west-1 region; AWS maintains ISO 27001, SOC 2 and many other certifications
- Data is encrypted at rest using industry-standard AES-256
- Backup retention is 30 days
- Customer Data is retained for a minimum of 30 days and can be deleted upon request
Security Best Practices
- Access to servers, source code and third-party tools is secured with two-factor authentication
- We use strong, randomly generated passwords that are never reused
- Employees and contractors are given the lowest level of access that allows them to do their work. This rarely includes access to production systems or data
- Employees and contractors are subject to NDA and background checks
- We don’t copy production data to external devices (like personal laptops)
- Code written by any developer is signed off by at least one other person before committing.
- Code is tested in a staging environment against a QA checklist before deploying to production.
Third-party data processors
We only work with third-party suppliers that have strict data protection policies and are willing to commit to data processing agreements that preserve the privacy of our users and their data. We review processors annually.
A list of these third-party processors is available on request.
Frequently Asked Questions
How do I report a potential vulnerability or security concern?
Please reach out to the team at support@invoicestack.co
Do you maintain any security certifications such as SOC 2 or ISO 27001?
While we'd eventually love to achieve these certifications, we don't hold them at this time.
What insurance do you carry?
We have Professional Liability cover for up to £1,000,000
How do you store my credit card data for subscription purchases?
Invoice Stack does not store personal credit card information for any of our customers. We use Stripe to securely process transactions and trust their commitment to best-in-class security. Stripe is a certified PCI Service Provider Level 1, which is the highest level of certification in the payments industry.