PayAudit - Security & Data Protection

🔒 Encryption

Data is encrypted in transit and sensitive credentials are encrypted at rest. We use proven cryptographic standards throughout the application.

TLS encryption on all client-server communication (enforced by our hosting provider)
OAuth tokens and service credentials encrypted with AES-256-GCM before database storage
Passwords hashed with PBKDF2-SHA512 (100,000 iterations) and are never stored in plaintext
Database connections require SSL certificates

🏠 Data Isolation

Each organization's data is logically isolated at the application level. All API queries are scoped to prevent cross-tenant data access.

Strict per-organization data scoping enforced on every API endpoint
Application-level access controls ensure users only see their organization's data
All database queries are parameterized to prevent SQL injection

👤 Access Controls

Role-based access control ensures users only see what they need to. Actions are logged for accountability.

Role-based access: Analyst, Auditor, Manager, Admin, and Super Admin tiers
JWT tokens with 7-day expiration and server-side validation on every request
Admin portal for user management and role assignment
Execution logs track all AI audit operations and results

🤖 AI Data Policy

We take a strict, transparent stance on how your data interacts with AI. Your financial documents are processed to generate your audit, nothing else. They are never used to train, fine-tune, or improve any AI model.

We never train AI models on your financial data. Your data stays yours
Document text is sent to AI providers only for extraction and is not retained by them
AI API calls use zero data retention settings where available (e.g., Anthropic's API)
You can delete your uploaded documents and extracted data at any time

📊 Data Retention

You control your data lifecycle. We provide delete functionality so data is removed when you request it.

Delete contracts, invoices, and audit records at any time from the dashboard
PDF content is not stored permanently. Only extracted structured data is kept
Export your data in CSV format via the dashboard

✅ Compliance Readiness

PayAudit is designed with security best practices as a foundation. Our architecture choices are informed by leading security frameworks.

SOC 2-Ready

Security-First Architecture

Built with SOC 2 Trust Services principles in mind: encryption, access control, and data isolation. Formal certification is on our roadmap.

GDPR-Aligned

Data Subject Rights

Support for data access, rectification, and erasure. We can provide data export upon request.

Audit Logging

Activity Tracking

Audit execution logs track AI operations, costs, and results for operational transparency.

📧 Vulnerability Reporting

If you discover a security vulnerability, please report it to security@payaudit.io. We take all security reports seriously and will work with you to resolve issues promptly.

We operate a responsible disclosure policy and welcome input from the security research community.

Your Documents. Protected at Every Layer.