Security at a glance
- All traffic encrypted with TLS 1.2+ in transit, AES-256 at rest.
- Invoice PDFs are rendered locally in your browser — invoice data is not uploaded for processing.
- Studio usage metadata (credits consumed) is stored with your account.
- Local invoice history stays in your browser until you clear it.
- Card data never touches our servers — handled by Stripe (PCI DSS Level 1).
- Least-privilege access control with mandatory 2FA for all staff.
- Continuous monitoring and a documented incident-response plan.
Encryption
- In transit: All traffic between your browser, our edge network, and our origin services is encrypted using TLS 1.2 or higher with modern cipher suites (no SSLv3, TLS 1.0, or TLS 1.1).
- At rest: Application data is stored on managed databases and object stores with AES-256 encryption at rest, enabled by default through our cloud providers.
- Secrets: API keys and credentials are stored in a managed secret store, scoped per environment, and rotated when staff change roles.
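The transport policy above (TLS 1.2 or higher, modern suites only) is something a customer can verify from outside rather than take on trust. The following is an added example, not code from Invoice Studio Oussama or its hosting provider: it builds a client context that mirrors the policy, evaluates a negotiated (version, cipher) pair against it, and probes a host both with that hardened context and with a deliberately legacy TLS 1.0/1.1 ClientHello to confirm the downgrade is refused. It assumes Python 3.10+ linked against OpenSSL 1.1.1 or newer; the hostname `edge.example.com` is a placeholder.

```python
"""Probe a TLS endpoint against the policy above: TLS 1.2+, modern suites only.

Added example, not the product's own code. Requires Python 3.10+ built against
OpenSSL 1.1.1 or newer. "edge.example.com" in __main__ is a placeholder host.
"""
import socket
import ssl

ALLOWED_VERSIONS = {"TLSv1.2", "TLSv1.3"}
# Substrings that identify suites with no place in a modern configuration.
WEAK_MARKERS = ("RC4", "MD5", "DES", "NULL", "EXPORT", "ANON", "PSK", "SRP")


def hardened_client_context() -> ssl.SSLContext:
    """Client context mirroring the policy: refuse < TLS 1.2, ECDHE + AEAD only."""
    ctx = ssl.create_default_context()  # certificate and hostname verification stay on
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # TLS 1.2 suites with forward secrecy (ECDHE) and AEAD bulk ciphers only.
    # TLS 1.3 suites are not governed by set_ciphers() and keep OpenSSL's defaults.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20")
    return ctx


def policy_violations(version: str, cipher: str) -> list[str]:
    """Reasons a negotiated (version, cipher) pair breaks the policy; empty list means OK."""
    problems = []
    if version not in ALLOWED_VERSIONS:
        problems.append(f"protocol {version} below TLS 1.2")
    upper = cipher.upper()
    if any(marker in upper for marker in WEAK_MARKERS):
        problems.append(f"legacy cipher suite {cipher}")
    # TLS 1.3 suite names start with TLS_ and always use an ephemeral key exchange;
    # a TLS 1.2 suite needs (EC)DHE in its name to give forward secrecy.
    if not upper.startswith("TLS_") and "DHE" not in upper:
        problems.append(f"no forward secrecy: {cipher}")
    return problems


def context_offers_only_modern_suites(ctx: ssl.SSLContext) -> bool:
    """Offline check: every suite the context would offer passes policy_violations()."""
    return all(
        suite["protocol"] in ALLOWED_VERSIONS
        and not policy_violations(suite["protocol"], suite["name"])
        for suite in ctx.get_ciphers()
    )


def hardened_context_meets_policy() -> bool:
    """Self-check of the context built above, usable without network access."""
    ctx = hardened_client_context()
    return ctx.minimum_version.name == "TLSv1_2" and context_offers_only_modern_suites(ctx)


def probe(host: str, port: int = 443, timeout: float = 5.0) -> tuple[str, str]:
    """Connect with the hardened context; return (negotiated version, cipher name)."""
    ctx = hardened_client_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            negotiated = tls.cipher()  # (name, protocol, bits) or None
            return tls.version() or "unknown", negotiated[0] if negotiated else "unknown"


def server_accepts_legacy_tls(host: str, port: int = 443, timeout: float = 5.0) -> bool:
    """Offer only TLS 1.0/1.1; True means the server still negotiates them (policy broken).

    Verification is disabled on purpose: the only question is whether a handshake
    completes at all, not whether the certificate is valid.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        ctx.minimum_version = ssl.TLSVersion.TLSv1
        ctx.maximum_version = ssl.TLSVersion.TLSv1_1
        ctx.set_ciphers("ALL:@SECLEVEL=0")  # otherwise OpenSSL itself refuses legacy suites
    except (ValueError, ssl.SSLError) as exc:
        raise RuntimeError("local OpenSSL cannot speak TLS 1.0/1.1; use another probe") from exc
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host):
                return True
    except ssl.SSLError:
        return False  # handshake rejected, which is what the policy requires


if __name__ == "__main__":
    host = "edge.example.com"  # placeholder: replace with the endpoint under test
    version, suite = probe(host)
    print(host, version, suite, policy_violations(version, suite) or "OK")
    print("legacy TLS 1.0/1.1 accepted:", server_accepts_legacy_tls(host))
```

Run it against the edge hostname and, separately, against the origin if it is reachable: the edge terminating TLS says nothing about the origin's own configuration, and the two can drift independently. A `RuntimeError` from the legacy probe means the local OpenSSL build has TLS 1.0/1.1 compiled out, so that check has to be run from another machine rather than recorded as a pass.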
Invoice Data Handling
Invoice details you enter in the Studio stay on your device during drafting and PDF generation. We use client-side libraries in your browser to produce the PDF output; we do not upload invoice contents to our servers for rendering.
When a PDF download succeeds, we record account-level usage metadata — the number of credits consumed — so we can operate billing and prevent abuse. Invoice history shown in the Studio is stored locally in your browser.
If you send us an invoice or PDF in a support request, we handle it only to investigate your issue and delete it when the ticket is closed, unless retention is required by law.
Access Controls
- Production access is restricted to a small number of authorised engineers.
- Two-factor authentication is mandatory for all production systems.
- Access is granted on a least-privilege basis and reviewed quarterly.
- All production access is logged and reviewed.
- Offboarded staff have their access to all systems revoked within 24 hours.
Infrastructure
Invoice Studio Oussama is hosted on globally distributed serverless infrastructure that provides automatic patching, DDoS protection, and network and tenant isolation. Our edge network terminates TLS at the point of presence closest to you, so clients never connect to our origin directly, which reduces its attack surface.
Where possible we use managed services with built-in encryption, auditing, and backups, rather than rolling our own.
Payment Security
Card details are never sent to our servers. All payment information is collected directly by Stripe's embedded checkout and processed inside Stripe's PCI DSS Level 1 environment. We receive only a tokenised reference to the transaction together with non-sensitive metadata (the last four digits of the card, card brand, country, and amount); the full card number never passes through or is stored on our systems.
Stripe's security posture and certifications are available at stripe.com/docs/security.
Sub-processors
We use a small number of trusted third-party services to run Invoice Studio Oussama. Each one is bound by a written data-processing agreement and contractual confidentiality obligations.
See the full, up-to-date list on our Sub-processors page.
Monitoring & Logging
We continuously monitor system health, error rates, latency, and abnormal access patterns. Logs are retained for at least 30 days and are queryable for incident investigation. Sensitive data is redacted before being written to logs.
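"Sensitive data is redacted before being written to logs" is the control most likely to fail quietly, because it depends on every log call site being careful. The following is an added example, not the product's own logging code: a `logging.Filter` that scrubs the fully formatted message (so values passed as `%d` arguments are covered, not just the format string), redacts card numbers only when they pass the Luhn check so that order and invoice numbers stay readable, and removes e-mail addresses, bearer tokens and API keys. The key pattern assumes Stripe-style `sk_live_`/`sk_test_` prefixes; the sample events at the bottom are constructed, not real customer data.

```python
"""Redact sensitive values before they reach the log sink.

Added example, not the product's own code. The secret-key pattern assumes
Stripe-style key prefixes (sk_live_, sk_test_, rk_live_, rk_test_); adjust it
to whatever secrets your service actually handles.
"""
import logging
import re

# Candidate card numbers: 13-19 digits, optionally separated by spaces or dashes.
# A match is redacted only if it passes the Luhn check, so order IDs and other
# long numbers that merely look card-like are left readable.
_PAN_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")
_EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
_BEARER_RE = re.compile(r"(?i)\bBearer\s+[A-Za-z0-9._~+/=-]+")
# Assumed format of the API keys this service would hold (Stripe-style prefixes).
_SECRET_KEY_RE = re.compile(r"\b[sr]k_(?:live|test)_[A-Za-z0-9]+\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _redact_pan(match: re.Match) -> str:
    digits = re.sub(r"[ -]", "", match.group(0))
    return "[REDACTED-PAN]" if luhn_ok(digits) else match.group(0)


def redact(text: str) -> str:
    """Replace secrets, card numbers and e-mail addresses in one string."""
    text = _SECRET_KEY_RE.sub("[REDACTED-KEY]", text)
    text = _BEARER_RE.sub("Bearer [REDACTED]", text)
    text = _PAN_RE.sub(_redact_pan, text)
    text = _EMAIL_RE.sub("[REDACTED-EMAIL]", text)
    return text


class RedactingFilter(logging.Filter):
    """Scrub the fully formatted message, then drop the args.

    Formatting first (msg % args) means values passed as ints or objects are
    scrubbed too, not only literals inside the format string.
    """

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact(record.getMessage())
        record.args = None
        return True


def format_redacted(msg: str, *args) -> str:
    """Run one message through the filter and return what would be written."""
    record = logging.LogRecord("app", logging.INFO, "app.py", 0, msg, args, None)
    RedactingFilter().filter(record)
    return record.getMessage()


def install(logger: logging.Logger) -> None:
    """Attach the filter to the logger and to every handler already on it."""
    logger.addFilter(RedactingFilter())
    for handler in logger.handlers:
        handler.addFilter(RedactingFilter())


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    log = logging.getLogger("app")
    install(log)
    # Constructed sample events, not real customer data.
    log.info("charge %s for %d credits", "4242 4242 4242 4242", 3)
    log.info("order 1234567890123456 by %s", "user@example.com")
    log.info("webhook auth failed: Bearer abc.def key=%s", "sk_live_9fX2k")
```

Two points of the design matter in practice. Filtering on the logger scrubs records before they propagate to root handlers, but a handler attached directly to another logger bypasses it, so the filter belongs on handlers as well. And redaction is pattern-based: it catches the values it has patterns for and nothing else, which is why log output should still be treated as sensitive and retained for a bounded period, as the paragraph above states.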
Incident Response
We have a written incident-response plan that covers detection, containment, eradication, recovery, and post-mortem. In the event of a confirmed personal-data breach that is likely to affect customers, we will:
- Notify affected customers without undue delay, and notify the relevant supervisory authority within 72 hours where the law requires it (as the GDPR does).
- Provide a clear description of what happened, what data was affected, and what we are doing about it.
- Cooperate with regulators and law-enforcement authorities as required.
- Publish a public post-mortem when appropriate.
Compliance
- PCI DSS: handled by Stripe (Level 1). Our own systems never store, process, or transmit cardholder data, which keeps our PCI DSS obligations to the minimum (the SAQ A self-assessment).
- GDPR / UK GDPR: Oussama acts as a data controller for account and billing data. Invoice data processed in the Studio stays on your device. See our Privacy Policy and Data Processing Agreement.
- CCPA / CPRA: California residents can submit data-rights requests to support@oussama.com.
- SOC 2: our managed-services providers (Stripe, Vercel) hold SOC 2 Type II reports. Oussama does not currently hold a SOC 2 report of its own.
Reporting a Vulnerability
If you discover a security vulnerability or believe that an account is compromised, please email support@oussama.com with the subject line “Security”. We acknowledge security reports within one business day and will work with you to validate and remediate the issue.
Please act in good faith: avoid privacy violations, data destruction, or service disruption while investigating. We will not pursue legal action against good-faith researchers who follow these guidelines.