Infacam
FeaturesInfacam AIHow it worksPricingFree toolsBlogDocs
Log inStart free

Security & data protection

Your invoices, contracts, and client records are some of the most sensitive data in your business. Here’s how we protect them.

Where your data lives

  • Database + file storage: Supabase (Frankfurt, EU). ISO 27001 + SOC 2 Type II certified.
  • Email delivery: Resend (USA).
  • Payments: Stripe (USA). PCI DSS Level 1 certified.
  • Error tracking: Sentry (EU). Personal identifiers are scrubbed before being sent.
  • Analytics: PostHog (EU). Respects DNT, no PII in events.
  • Customer support: Crisp + Zoho Desk, only when you choose to contact us.

Encryption

  • In transit:TLS 1.2 or higher on every connection. HTTP → HTTPS redirects + HSTS.
  • At rest: AES-256 encryption on the database and object storage layer (Supabase platform default).
  • Passwords: bcrypt-hashed by Supabase Auth. We never see the plaintext.

Workspace isolation

Every row in our database carries a user_id. Postgres row-level security policies enforce that no authenticated user can ever read or write rows that don’t belong to their workspace. This is checked at the database layer, not in application code, so even a serious application-level bug cannot leak cross-tenant data.

Backups & durability

  • Automated daily backups, retained for 7 days.
  • Point-in-time recovery to any 5-minute window in the last 7 days.
  • Database replicated across multiple availability zones.
  • Object storage replicated within the EU region.

Authentication & session security

  • Email + password (bcrypt) and Google OAuth.
  • Multi-factor authentication (TOTP) available in account settings.
  • HTTP-only, secure, SameSite session cookies.
  • Automatic suspicious-login detection + email alert.

Compliance

  • US privacy laws (CCPA/CPRA and similar): we operate as your data controller, with documented retention, export, and deletion rights. See privacy policy.
  • Tax records retention: tax-related records (e.g. invoices) are retained for the period required by applicable US federal and state tax law, even after account deletion, in anonymised form.
  • Subprocessor list: the providers above are our only data processors. Material changes are notified at least 14 days in advance.

Your rights

  • Export: one-click JSON export of every record you own, anytime.
  • Delete: account closure soft-deletes immediately, permanent deletion after a 30-day recovery window.
  • Correct: inline editing of any record. For identity / login data, email support@infacam.com.
  • Object: opt out of analytics any time via the account settings.

Incident response

If we ever experience a security incident affecting your data, we’ll notify you by email within 72 hours, with a clear description of what happened, what data was involved, and what we’re doing about it.

Reporting a vulnerability

Found a bug or potential vulnerability? Email support@infacam.com. We respond within 48 hours and credit responsible disclosures (with your permission) on this page.

Questions?

Anything else — reach us at support@infacam.com or via the contact page. We’ll happily provide a DPA, share infrastructure diagrams, or walk through our controls in detail.

Infacam

Contracts, invoices, projects, time and payments — one clean workspace for freelancers and small studios.

Newsletter

Monthly: what shipped, what’s next, US freelancing tips.

Product

  • Features
  • Infacam AI
  • How it works
  • Sales tax invoicing
  • Pricing
  • Changelog

Resources

  • Free tools overview
  • Hourly rate calculator
  • Sales tax calculator
  • Late-payment calculator
  • Blog
  • Docs

Company

  • About
  • Contact
  • Talk to us
  • Security
  • Terms
  • Privacy
  • Refund policy

© 2026 Infacam. Built for independent professionals.

Log inStart freeClient portalBuilt in the US · For the world

Free forever for 5 clients. No card.

Start free