Security

Security one-pager

Short version for security reviews. Not a certification — facts about how the system is built.

Invoice content

  • Not persisted by default — request-scoped processing, response returned, gone.
  • Request/response bodies redacted from application logs (pino redaction).
  • Optional GoBD archive (Object Lock) is roadmap; dual-track legal required before GA.

Transport & auth

  • TLS to api.normbill.com and normbill.com
  • API keys: high-entropy tokens, stored as SHA-256 hashes only
  • Dashboard: Better Auth (email/password + optional GitHub OAuth)

Infrastructure

  • API + KoSIT validator: Hetzner (Germany)
  • Metadata DB: Neon (EU Frankfurt)
  • Web/dashboard: Vercel (EU region configured)
  • Subprocessors listed in Datenschutz / AVV on normbill.com

Contact

Security reports: support@normbill.com · Operator: VIBOA UG (haftungsbeschränkt)