Voice Invoice Pro
Security
How Voice Invoice Pro protects tenant data, backend secrets, invoice records, and admin access.
Security Model
Voice Invoice Pro separates the mobile app, backend API, admin portal, and server-side secrets. Mobile builds send tenant identifiers and API keys, while OpenAI, SMTP, database, and payment provider secrets stay on the backend.
Tenant Controls
- Tenant API keys are hashed in the database.
- Invoice writes are scoped to the authenticated tenant.
- Tenant branding and tax defaults are managed through the admin portal.
Admin Controls
- Admin access uses server-side PHP sessions.
- Admin forms use CSRF tokens.
- Admin users are stored with password hashes, not plaintext passwords.
Operational Controls
- API endpoints use tenant authentication headers.
- Basic rate limiting is enabled on backend requests.
- Email delivery has queue and retry controls.
- Production deployments should use HTTPS, restricted CORS origins, secure backups, and server monitoring.
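
The hashed tenant API keys, tenant-scoped invoice writes, and tenant authentication headers listed above can be combined as in the following PHP sketch. This is an added example, not Voice Invoice Pro's own code. The table layout, the `X-Tenant-Id` and `X-Api-Key` header names, and the use of SHA-256 for high-entropy random keys are all assumptions.

```php
<?php
declare(strict_types=1);

// Hypothetical schema and header names, constructed for illustration only.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE tenants (id INTEGER PRIMARY KEY, slug TEXT UNIQUE, api_key_hash TEXT)');
$db->exec('CREATE TABLE invoices (id INTEGER PRIMARY KEY, tenant_id INTEGER NOT NULL, total_cents INTEGER NOT NULL)');

// Issue a key: the raw value is shown to the tenant once, only its hash is stored.
function issueApiKey(PDO $db, string $slug): string {
    $rawKey = bin2hex(random_bytes(32)); // 256 bits from the CSPRNG
    $stmt = $db->prepare('INSERT INTO tenants (slug, api_key_hash) VALUES (?, ?)');
    $stmt->execute([$slug, hash('sha256', $rawKey)]);
    return $rawKey;
}

// Resolve the tenant from request headers; returns the tenant id or null.
function authenticateTenant(PDO $db, array $headers): ?int {
    $slug = $headers['X-Tenant-Id'] ?? '';
    $key  = $headers['X-Api-Key'] ?? '';
    if (!is_string($slug) || !is_string($key) || $slug === '' || $key === '') {
        return null;
    }
    $stmt = $db->prepare('SELECT id, api_key_hash FROM tenants WHERE slug = ?');
    $stmt->execute([$slug]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // Compare against a dummy hash for unknown tenants so both paths do similar work.
    $stored = $row ? $row['api_key_hash'] : hash('sha256', 'no-such-tenant');
    $ok = hash_equals($stored, hash('sha256', $key)); // constant-time comparison
    return ($row && $ok) ? (int) $row['id'] : null;
}

// The tenant id comes from authentication, never from the request body.
function createInvoice(PDO $db, int $tenantId, array $body): int {
    $stmt = $db->prepare('INSERT INTO invoices (tenant_id, total_cents) VALUES (?, ?)');
    $stmt->execute([$tenantId, (int) ($body['total_cents'] ?? 0)]);
    return (int) $db->lastInsertId();
}

$key = issueApiKey($db, 'acme'); // constructed sample tenant
$tenantId = authenticateTenant($db, ['X-Tenant-Id' => 'acme', 'X-Api-Key' => $key]);
// A tenant_id supplied in the body is ignored; the row is written under the authenticated tenant.
$invoiceId = createInvoice($db, $tenantId, ['tenant_id' => 999, 'total_cents' => 12500]);
$owner = $db->query("SELECT tenant_id FROM invoices WHERE id = $invoiceId")->fetchColumn();
var_dump((int) $owner === $tenantId);
var_dump(authenticateTenant($db, ['X-Tenant-Id' => 'acme', 'X-Api-Key' => 'wrong']));
```

A fast hash such as SHA-256 is only appropriate here because the keys are long random values; the admin password hashes mentioned under Admin Controls need a password hashing function such as PHP's `password_hash()`.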
Responsible Disclosure
If you believe you have found a security issue, contact us through the contact page and include enough detail to reproduce the issue safely.