🔒 Security Overview

Your data is safe.
We built it that way.

Psilocon Valley handles invoices, client data, and payments for independent businesses. Security is not a feature we added — it is the foundation we built on. Here is exactly what we do to protect you and your clients.

How we protect your account


Argon2id Password Hashing

The strongest password hashing algorithm available. Your password is never stored — only an irreversible hash of it. Even we cannot read it.

โœ๏ธ

HMAC-SHA256 Signed Sessions

Every session cookie is cryptographically signed. Forged or tampered cookies are rejected before they reach your account.
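The signing scheme described above, as an added example that is not Psilocon Valley's own code. It uses only the Python standard library: the cookie is a base64 payload followed by an HMAC-SHA256 tag under a server-side key, verification compares tags in constant time before the payload is ever parsed, and an edited body, a tag made under a guessed key, or an expired session all come back as rejected. The key, payload fields and expiry handling are assumptions for the example.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed secret for this example only; a real deployment loads the key
# from configuration or a secret store and rotates it.
SERVER_SECRET = b"constructed-example-key-not-for-production"


def _b64(data: bytes) -> str:
    """URL-safe base64 without padding, so the cookie stays compact."""
    return base64.urlsafe_b64encode(data).decode("ascii").rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_session(payload: dict, secret: bytes = SERVER_SECRET) -> str:
    """Encode the session payload and append an HMAC-SHA256 tag over it."""
    body = _b64(json.dumps(payload, separators=(",", ":"), sort_keys=True).encode())
    tag = hmac.new(secret, body.encode("ascii"), hashlib.sha256).digest()
    return f"{body}.{_b64(tag)}"


def verify_session(cookie: str, secret: bytes = SERVER_SECRET,
                   now: Optional[float] = None) -> Optional[dict]:
    """Return the payload only if the tag verifies and the session is unexpired.

    The tag is checked before the body is decoded, so a forged or edited
    cookie never reaches the JSON parser, let alone the account.
    """
    try:
        body, tag_text = cookie.split(".", 1)
        body_bytes = body.encode("ascii")
        presented = _unb64(tag_text)
    except (ValueError, TypeError):
        return None
    expected = hmac.new(secret, body_bytes, hashlib.sha256).digest()
    # Constant-time comparison: a plain == would leak timing about the tag.
    if not hmac.compare_digest(presented, expected):
        return None
    try:
        payload = json.loads(_unb64(body))
    except (ValueError, UnicodeDecodeError):
        return None
    if not isinstance(payload, dict):
        return None
    current = time.time() if now is None else now
    exp = payload.get("exp")
    if not isinstance(exp, (int, float)) or exp <= current:
        return None
    return payload


def tamper_with(cookie: str, new_payload: dict) -> str:
    """Swap the body but keep the original tag, as someone without the key would."""
    _, tag_text = cookie.split(".", 1)
    body = _b64(json.dumps(new_payload, separators=(",", ":"), sort_keys=True).encode())
    return f"{body}.{tag_text}"


if __name__ == "__main__":
    good = sign_session({"uid": 42, "exp": time.time() + 3600})
    print("valid cookie ->", verify_session(good))
    print("edited body  ->", verify_session(tamper_with(good, {"uid": 1, "exp": time.time() + 3600})))
    print("wrong key    ->", verify_session(
        sign_session({"uid": 1, "exp": time.time() + 3600}, secret=b"guess")))
```

The `now` parameter exists so expiry can be tested deterministically; in production it is left unset and the wall clock is used.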

โฑ๏ธ

Rate Limiting

IP-based sliding window rate limiting blocks brute force attempts on login, registration, and password reset endpoints.


Account Lockout

After 10 consecutive failed login attempts, the account is temporarily locked to prevent automated attacks.
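The two controls above work on different keys: the sliding window is per source IP, the lockout is per account, so a distributed guesser that rotates addresses still hits the lockout and a single address hammering many accounts still hits the window. The following is an added example, not the service's own implementation; the window size, the 10-failure threshold and the 15-minute lock duration, and the constructed credential store are assumptions (the real service hashes passwords with Argon2id, which the example stands in for with a plain comparison).

```python
from collections import defaultdict, deque
from typing import Callable, Deque, Dict
import hmac


class SlidingWindowLimiter:
    """Allow at most `limit` events per `window` seconds for each key (here a client IP)."""

    def __init__(self, limit: int, window: float) -> None:
        self.limit = limit
        self.window = window
        self._events: Dict[str, Deque[float]] = defaultdict(deque)

    def allow(self, key: str, now: float) -> bool:
        q = self._events[key]
        cutoff = now - self.window
        while q and q[0] <= cutoff:      # drop events that slid out of the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


class AccountLockout:
    """Lock an account after `threshold` consecutive failures for `duration` seconds."""

    def __init__(self, threshold: int = 10, duration: float = 900.0) -> None:
        self.threshold = threshold
        self.duration = duration
        self._failures: Dict[str, int] = defaultdict(int)
        self._locked_until: Dict[str, float] = {}

    def is_locked(self, account: str, now: float) -> bool:
        until = self._locked_until.get(account)
        if until is None:
            return False
        if now >= until:                 # lock expired: clear it and the counter
            del self._locked_until[account]
            self._failures[account] = 0
            return False
        return True

    def record_failure(self, account: str, now: float) -> None:
        self._failures[account] += 1
        if self._failures[account] >= self.threshold:
            self._locked_until[account] = now + self.duration

    def record_success(self, account: str) -> None:
        self._failures[account] = 0      # only consecutive failures count


# Constructed credential store for the example; the real service stores Argon2id hashes.
CONSTRUCTED_USERS = {"alice": "correct horse battery staple"}


def check_password(account: str, password: str) -> bool:
    stored = CONSTRUCTED_USERS.get(account, "")
    return hmac.compare_digest(stored.encode(), password.encode()) and account in CONSTRUCTED_USERS


class LoginGuard:
    """Order matters: the IP window is consumed first, then the account lock, then the password."""

    def __init__(self, limiter: SlidingWindowLimiter, lockout: AccountLockout,
                 verify: Callable[[str, str], bool]) -> None:
        self.limiter, self.lockout, self.verify = limiter, lockout, verify

    def attempt(self, ip: str, account: str, password: str, now: float) -> str:
        if not self.limiter.allow(ip, now):
            return "rate_limited"
        if self.lockout.is_locked(account, now):
            return "locked"
        if self.verify(account, password):
            self.lockout.record_success(account)
            return "ok"
        self.lockout.record_failure(account, now)
        return "invalid"


def new_guard() -> LoginGuard:
    return LoginGuard(SlidingWindowLimiter(limit=5, window=60.0),
                      AccountLockout(threshold=10, duration=900.0), check_password)


if __name__ == "__main__":
    g = new_guard()
    for i in range(10):                  # ten failures from ten different addresses
        g.attempt(f"10.0.0.{i}", "alice", "wrong", now=100.0 + i)
    print(g.attempt("10.0.1.1", "alice", "correct horse battery staple", now=120.0))   # locked
```

The lockout answers "locked" even when the password is right, which is the intended failure mode: the attacker learns nothing about whether the tenth guess was correct.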


Magic Link Reset

Password resets use single-use, time-limited magic links with cooldown periods to prevent abuse.


Google OAuth

Sign in with Google delegates authentication to Google's infrastructure — no password stored on our side at all.

How we protect data in transit


HTTPS Everywhere

All traffic is encrypted with TLS. There is no HTTP fallback โ€” ever.


HSTS Preloading

HTTP Strict Transport Security is enforced for 2 years, including subdomains, and submitted to browser preload lists.


Hardened HTTP Headers

Content Security Policy, X-Frame-Options, Permissions-Policy, and Cross-Origin headers are set on every response.
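An added example (not the service's own code) covering both the HSTS and the hardened-header passages above: it parses a `Strict-Transport-Security` value and checks it against the preload list's published requirements (at least one year of `max-age`, `includeSubDomains`, and the `preload` token), and audits a response header set for the headers named on this page. The specific header values in `hardened_headers()` are assumptions chosen for the example; the page does not publish the service's exact policy strings.

```python
from typing import Dict, List

TWO_YEARS = 2 * 365 * 24 * 3600          # 63072000 seconds, the enforcement period named above
PRELOAD_MIN_MAX_AGE = 31536000           # hstspreload.org requires at least one year

# Headers this page says are set on every response (COOP and CORP are the Cross-Origin ones).
REQUIRED_HEADERS = [
    "Strict-Transport-Security",
    "Content-Security-Policy",
    "X-Frame-Options",
    "Permissions-Policy",
    "Cross-Origin-Opener-Policy",
    "Cross-Origin-Resource-Policy",
]


def parse_hsts(value: str) -> Dict[str, str]:
    """Split an HSTS header into lower-cased directives; valueless tokens map to ''."""
    directives: Dict[str, str] = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"')
    return directives


def hsts_problems(value: str) -> List[str]:
    """Return every reason the HSTS value would be rejected for preloading."""
    d = parse_hsts(value)
    problems: List[str] = []
    max_age = d.get("max-age")
    if max_age is None or not max_age.isdigit():
        problems.append("max-age missing or not an integer")
    elif int(max_age) < PRELOAD_MIN_MAX_AGE:
        problems.append(f"max-age {max_age} below preload minimum {PRELOAD_MIN_MAX_AGE}")
    if "includesubdomains" not in d:
        problems.append("includeSubDomains missing")
    if "preload" not in d:
        problems.append("preload missing")
    return problems


def hardened_headers() -> Dict[str, str]:
    """A header set that passes the audit; values are constructed for this example."""
    return {
        "Strict-Transport-Security": f"max-age={TWO_YEARS}; includeSubDomains; preload",
        "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
        "X-Frame-Options": "DENY",
        "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
        "Cross-Origin-Opener-Policy": "same-origin",
        "Cross-Origin-Resource-Policy": "same-origin",
    }


def audit_headers(headers: Dict[str, str]) -> List[str]:
    """List missing headers and weak HSTS settings; an empty list means the set passes."""
    lower = {k.lower(): v for k, v in headers.items()}   # header names are case-insensitive
    problems = [f"{h} missing" for h in REQUIRED_HEADERS if h.lower() not in lower]
    hsts = lower.get("strict-transport-security")
    if hsts is not None:
        problems += [f"Strict-Transport-Security: {p}" for p in hsts_problems(hsts)]
    return problems


if __name__ == "__main__":
    weak = {"Strict-Transport-Security": "max-age=300", "X-Frame-Options": "DENY"}
    for p in audit_headers(weak):
        print("weak set:", p)
    print("hardened set problems:", audit_headers(hardened_headers()))
```

Running the audit against a captured response from a staging deployment before each release is a cheap way to catch a header that a proxy or framework upgrade silently dropped.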


CSRF Protection

Every form is protected with a cryptographic CSRF token. Cross-site request forgery attacks cannot succeed.

How we protect your money

All payments are processed by Stripe — the same infrastructure trusted by Amazon, Google, and millions of businesses worldwide. We never see, handle, or store card numbers, bank account details, or CVCs. Payment data goes directly from your client's browser to Stripe's servers.

Stripe is PCI DSS Level 1 certified — the highest level of payment security certification available. Our integration uses Stripe Connect, meaning your earnings are held and transferred directly by Stripe, not routed through our accounts.

What we do not do

We do not sell your data. We do not share your client list with anyone. We do not run Google Analytics, Facebook Pixel, or any third-party advertising trackers. We do not use your invoice data to train AI models or for any purpose other than running the product you signed up for.

Your clients' names, emails, addresses, and payment history are yours. We hold them in trust. We protect them. We never monetize them.

What is implemented today

Argon2id password hashing: Active on all accounts
HMAC-SHA256 signed sessions: Active on all sessions
CSRF protection: Every form, every request
Rate limiting & account lockout: All auth endpoints
HTTPS + HSTS: 2 year enforcement, preload submitted
Hardened HTTP headers: CSP, X-Frame-Options, Permissions-Policy, COOP, CORP
Zero third-party trackers: No analytics, no ad pixels
Stripe payment processing: PCI DSS Level 1 — we never see card data
Audit logging: In progress — every action will be logged with timestamp and IP
Two-factor authentication: Planned — TOTP + SMS options
Encryption at rest: Planned — PII field-level encryption

Found a vulnerability?

If you discover a security issue, please report it responsibly. Email us directly at security@psiloconvalley.com. We take every report seriously and respond within 48 hours. We do not pursue legal action against good-faith security researchers.

Ready to get started?

Professional invoicing, built on a secure foundation. Free to start.

Create Free Account →