Your trust is our priority. Learn how we protect your financial data and maintain the highest security standards in compliance with BPNG regulations.
BPNG Compliant Security
InstaInvoice implements security measures that meet or exceed Bank of Papua New Guinea (BPNG) requirements for financial data protection, ensuring your business and client information remains secure and confidential.
Our Security Commitment
At InstaInvoice, security is not an afterthought—it's built into every layer of our platform. We understand that you're trusting us with sensitive financial information, client data, and business records. That's why we've implemented a comprehensive security framework that combines:
Industry-leading encryption and data protection technologies
Strict compliance with BPNG financial services guidelines
Regular security audits and penetration testing
Continuous monitoring for threats and vulnerabilities
Employee security training and access controls
Transparent security practices and incident response procedures
Data Encryption
Encryption in Transit
TLS 1.3: the current transport layer security protocol, used for all data transmission
256-bit encryption: 256-bit symmetric cipher suites (such as AES-256-GCM) protect data in transit
Perfect forward secrecy: ephemeral key exchange for every session, so a future compromise of the server's long-term key cannot be used to decrypt previously recorded traffic
Encryption at Rest
AES-256: Advanced encryption standard for stored data
Database encryption: All database records are encrypted at rest
Backup encryption: Encrypted backups stored in multiple locations
Key rotation: Regular encryption key updates for enhanced security
What this means for you: Your invoices, client information, financial records, and business data are encrypted both when transmitted over the internet and when stored in our databases. If storage media or a backup were ever stolen, the data would be unreadable without the encryption keys. Encryption at rest does not by itself stop an attacker who obtains valid application credentials, which is why it is paired with the authentication and access controls described below.
Authentication and Access Control
Multi-Factor Authentication (MFA)
Enhance your account security with optional multi-factor authentication:
Time-based one-time passwords (TOTP)
SMS verification codes (weaker than TOTP because they are exposed to SIM-swap and SS7 attacks; prefer an authenticator app where possible)
Authenticator app support (Google Authenticator, Authy)
Backup codes for account recovery
Password Security
We enforce strong password requirements and best practices:
Minimum 8 characters with complexity requirements
Passwords hashed using bcrypt with a high cost factor (bcrypt salts every hash individually, so identical passwords do not produce identical hashes)
Protection against brute-force and credential-stuffing attacks
Secure password reset procedures with email verification
Account lockout after multiple failed login attempts
Notification of suspicious login activities
Session Management
Secure session tokens with automatic expiration
Single sign-on (SSO) support for enterprise accounts
Ability to view and revoke active sessions
Automatic logout after period of inactivity
Protection against session hijacking and fixation attacks
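The following is an added example, not InstaInvoice's own code, that implements the session properties listed above in one small server-side store: random opaque tokens, an absolute lifetime and an idle timeout, a fresh token on every login (the fixation defence), and per-user listing and revocation of active sessions. Keeping only a SHA-256 of each token server-side is this example's choice, as are the timeout values; the page does not state them.

```python
from __future__ import annotations

import hashlib
import secrets
import time
from dataclasses import dataclass

# Added example (not InstaInvoice code). TTLs are assumed values.
ABSOLUTE_TTL = 12 * 60 * 60   # hard cap on a session's life, in seconds
IDLE_TTL = 30 * 60            # automatic logout after this much inactivity


@dataclass
class Session:
    user_id: str
    created_at: float
    last_seen: float
    user_agent: str


class SessionStore:
    def __init__(self, clock=time.time):
        self._clock = clock                         # injectable so expiry can be tested
        self._sessions: dict[str, Session] = {}     # sha256(token) -> Session

    @staticmethod
    def _key(token: str) -> str:
        # Only the hash is stored: a leaked session table does not yield usable tokens.
        return hashlib.sha256(token.encode()).hexdigest()

    def login(self, user_id: str, user_agent: str = "",
              presented_token: str | None = None) -> str:
        """Issue a brand-new token on every successful login. Whatever token the
        client presented before authenticating is discarded, so an attacker who
        planted a token in the victim's browser cannot ride the authenticated session."""
        if presented_token is not None:
            self._sessions.pop(self._key(presented_token), None)
        token = secrets.token_urlsafe(32)           # 256 bits from the OS CSPRNG
        now = self._clock()
        self._sessions[self._key(token)] = Session(user_id, now, now, user_agent)
        return token

    def resolve(self, token: str) -> str | None:
        """Return the user id for a live token, or None. Expired sessions are purged
        on sight; a valid request refreshes the idle clock but not the absolute one."""
        key = self._key(token)
        sess = self._sessions.get(key)
        if sess is None:
            return None
        now = self._clock()
        if now - sess.created_at > ABSOLUTE_TTL or now - sess.last_seen > IDLE_TTL:
            del self._sessions[key]
            return None
        sess.last_seen = now
        return sess.user_id

    def active_sessions(self, user_id: str) -> list[tuple[str, str, float]]:
        """What a 'view active sessions' page would show: key prefix, device, last seen."""
        return [(key[:8], s.user_agent, s.last_seen)
                for key, s in self._sessions.items() if s.user_id == user_id]

    def revoke(self, token: str) -> bool:
        return self._sessions.pop(self._key(token), None) is not None

    def revoke_others(self, user_id: str, keep_token: str) -> int:
        """'Sign out everywhere else': drop every session of the user except the current one."""
        keep = self._key(keep_token)
        doomed = [k for k, s in self._sessions.items() if s.user_id == user_id and k != keep]
        for k in doomed:
            del self._sessions[k]
        return len(doomed)
```

On the web side the token goes in a cookie flagged `Secure`, `HttpOnly` and `SameSite`, which is what keeps script on a compromised page from reading it; the store above is the part that makes a stolen token short-lived and revocable.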
Role-Based Access Control (RBAC)
For Business plan users with multiple team members:
Granular permission controls for team members
Principle of least privilege enforced
Audit logs of user actions and access attempts
Ability to restrict access to sensitive financial data
Infrastructure Security
Secure Cloud Infrastructure
InstaInvoice is built on Supabase, a secure and compliant cloud platform:
Physical Security
• SOC 2 Type II certified data centers
• 24/7 security monitoring and surveillance
• Biometric access controls
• Redundant power and cooling systems
Network Security
• DDoS protection and mitigation
• Web application firewall (WAF)
• Network segmentation and isolation
• Intrusion detection and prevention systems
Database Security
Row Level Security (RLS): Postgres policies enforce data isolation inside the database, so a query can only read or modify rows that belong to the authenticated user, even if an application-layer check is missing
SQL injection prevention: parameterized queries (bound parameters), so user input is never spliced into SQL text, combined with input validation
Automated backups: Daily backups with point-in-time recovery
Geographic redundancy: Data replicated across multiple regions
Database activity monitoring: Real-time monitoring of suspicious queries
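The following is an added example, not InstaInvoice's own code, showing the SQL injection point above concretely: the same invoice search written with string formatting and with bound parameters, run against a constructed in-memory SQLite table that stands in for the production database. The table, rows and attacker input are all made up for the demonstration.

```python
import sqlite3

# Added example (not InstaInvoice code). SQLite in memory stands in for Postgres;
# the schema, rows and attacker input are constructed for this demonstration.


def build_demo_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE invoices ("
        " id INTEGER PRIMARY KEY, owner_id TEXT NOT NULL,"
        " client TEXT NOT NULL, amount REAL NOT NULL)"
    )
    conn.executemany(
        "INSERT INTO invoices (owner_id, client, amount) VALUES (?, ?, ?)",
        [("user_a", "Acme Ltd", 120.0),
         ("user_a", "Beta Co", 80.5),
         ("user_b", "Gamma Pty", 300.0)],   # a different tenant's row
    )
    conn.commit()
    return conn


def search_invoices_vulnerable(conn: sqlite3.Connection, owner_id: str, client_filter: str):
    # String formatting splices the user's text into the SQL itself, so quotes,
    # keywords and comment markers in the input become part of the statement.
    sql = (f"SELECT id, owner_id, client FROM invoices WHERE owner_id = '{owner_id}' "
           f"AND client LIKE '%{client_filter}%'")
    return conn.execute(sql).fetchall()


def search_invoices_safe(conn: sqlite3.Connection, owner_id: str, client_filter: str):
    # Bound parameters: the driver sends the values separately from the SQL text,
    # so the same attacker input is matched literally as a (non-matching) pattern.
    sql = "SELECT id, owner_id, client FROM invoices WHERE owner_id = ? AND client LIKE ?"
    return conn.execute(sql, (owner_id, f"%{client_filter}%")).fetchall()


# Constructed attacker input: closes the LIKE string, ORs in a tautology, and
# comments out the rest of the statement.
INJECTION = "x%' OR 1=1 --"


if __name__ == "__main__":
    conn = build_demo_db()
    print("vulnerable:", search_invoices_vulnerable(conn, "user_a", INJECTION))  # all 3 rows, incl. user_b's
    print("safe:      ", search_invoices_safe(conn, "user_a", INJECTION))        # []
```

Two caveats a reviewer would add: `owner_id` must come from the authenticated session, never from the request, or the parameterized query is still an authorization bypass; and because the safe version passes `%` and `_` straight into LIKE, a user can still supply wildcards, which is harmless here but matters for queries where pattern breadth affects cost or information disclosure.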
Application Security
Regular security updates and patch management
Dependency scanning for vulnerable packages
Input validation and output encoding to prevent XSS attacks
CSRF protection on all forms and actions
Content Security Policy (CSP) headers
Secure coding practices and code review processes
Monitoring and Incident Response
24/7 Security Monitoring
Our security team continuously monitors for threats:
Real-time threat detection and alerting
Anomaly detection for unusual access patterns
Automated security incident classification
Log aggregation and analysis for security events
Proactive vulnerability scanning
Incident Response Protocol
In the event of a security incident, we follow a structured response process:
Detection: Automated systems and monitoring identify potential incidents
Assessment: Security team evaluates severity and impact
Containment: Immediate action to isolate and prevent spread
Investigation: Forensic analysis to determine root cause
Remediation: Fix vulnerabilities and restore normal operations
Notification: Affected users notified within 72 hours as required by law
Post-incident review: Lessons learned and improvements implemented
Audit Logging
Comprehensive logging for security and compliance:
All authentication attempts (successful and failed)
Data access and modifications
Administrative actions and configuration changes
API access and usage patterns
Export and download activities
Logs retained for 7 years per BPNG requirements
Compliance and Certifications
BPNG Compliance
InstaInvoice complies with Bank of Papua New Guinea guidelines for:
• Financial record-keeping and retention
• Transaction security and audit trails
• Data protection and privacy
• Anti-money laundering (AML) controls
• Customer due diligence procedures
PNG ICT Regulations
Full compliance with Papua New Guinea ICT Act requirements:
• Data localization and storage
• Privacy and personal information protection
• Electronic transactions and signatures
• Cybersecurity standards
• Breach notification requirements
International Standards
• ISO 27001 security framework
• OWASP Top 10 protection
• PCI DSS compliance readiness
• GDPR-inspired privacy practices
Regular Assessments
• Annual security audits by third parties
• Quarterly penetration testing
• Continuous vulnerability assessments
• Compliance reviews and certifications
Employee Security
We ensure our team maintains the highest security standards:
Hiring and Training
• Background checks for all employees
• Security awareness training for all staff
• Specialized training for security personnel
• Regular security updates and refreshers
• Phishing simulation exercises
Access Controls
• Principle of least privilege for system access
• Regular access reviews and revocations
• Mandatory use of company-managed devices
• VPN required for remote access
• Immediate access revocation upon termination
Your Security Responsibilities
Security is a shared responsibility. Help us protect your account by:
Use strong, unique passwords and enable multi-factor authentication
Never share your login credentials with anyone, including support staff
Log out when using shared or public computers
Be cautious of phishing emails claiming to be from InstaInvoice
Keep your devices and software updated with latest security patches
Review your account activity regularly for unauthorized access
Report suspicious activity immediately to our security team
Reporting Security Issues
If you discover a security vulnerability or have concerns about the security of InstaInvoice, please report it to us immediately.
Responsible Disclosure
We appreciate security researchers who help us maintain a secure platform. If you've found a vulnerability, please:
We are committed to maintaining the security and confidentiality of your financial data. Security is not a one-time effort—it's an ongoing commitment that we take seriously every single day. Your trust is our most valuable asset, and we work tirelessly to protect it.
This Security document is continuously updated to reflect our latest security practices and measures.