Security
Security one-pager
Short version for security reviews. Not a certification — facts about how the system is built.
Invoice content
- Not persisted by default — request-scoped processing, response returned, gone.
- Request/response bodies redacted from application logs (pino redaction).
- Optional GoBD archive (Object Lock) is roadmap; dual-track legal required before GA.
Transport & auth
- TLS to api.normbill.com and normbill.com
- API keys: high-entropy tokens, stored as SHA-256 hashes only
- Dashboard: Better Auth (email/password + optional GitHub OAuth)
Infrastructure
- API + KoSIT validator: Hetzner (Germany)
- Metadata DB: Neon (EU Frankfurt)
- Web/dashboard: Vercel (EU region configured)
- Subprocessors listed in Datenschutz / AVV on normbill.com
Contact
Security reports: support@normbill.com · Operator: VIBOA UG (haftungsbeschränkt)