Company

The most secure server is the one that doesn't have your data.

Security pages usually list certifications. Ours starts with architecture, because that's where most of the protection actually comes from.

No accounts, no passwords, no honeypot

Bizvo has no customer logins. There's no password database to breach, and no central store of everyone's invoices to steal. Your data lives on your device; a breach of our infrastructure can't expose invoice data we never had.

Payments are Stripe's job, on purpose

Card details — yours when you buy the app, your clients' when they pay an invoice — go directly to Stripe, a PCI-certified payment processor used by millions of businesses. They never touch Bizvo's servers, and we couldn't log them if we wanted to: our payment functions are stateless, keep secrets only in server-side environment variables, and are deliberately built to log nothing.

The boring, standard protections are all on

Everything is served over HTTPS with HSTS. The app ships a strict Content Security Policy (no inline scripts). The endpoints that create payment objects are rate-limited. Dependencies are monitored for known vulnerabilities.

Cloud backups — an honest tradeoff

Optional backups use the narrowest permissions Google and Dropbox offer, and your Bizvo access tokens are never included in backup files. The tradeoff we disclose rather than hide: backup files themselves are not yet encrypted before upload — they're protected by your own cloud account's security. Client-side encryption is on the roadmap.

Found a vulnerability?

We take reports seriously and respond personally. Email security@bizvo.co with details and reproduction steps if you have them.