Security at Wovexa

Your financial data is sensitive. We treat it that way. Wovexa is built with encryption, isolation, and auditability at every layer — not as an afterthought, but as the foundation.

Encryption everywhere

All data is encrypted with AES-256 at rest and TLS 1.3 in transit. Database connections use encrypted channels. File storage on Cloudflare R2 is encrypted by default.

Tenant isolation

Row-level security (RLS) enforces strict data isolation at the database layer. Every query is scoped to the authenticated organization. No tenant can access another tenant's data, even in the event of an application-level bug.

Access controls

Role-based access with four permission levels: Admin, AP Manager, Approver, and Viewer. Authentication is handled by Clerk with support for SSO and multi-factor authentication.

Audit logging

Every review action, field edit, approval, and status change is recorded in an immutable audit log with actor, timestamp, and before/after state. Exportable for compliance reviews.

Secure file handling

Uploaded invoices are stored in Cloudflare R2 with presigned URLs that expire after 5 minutes. Files are never served directly — access is always authenticated and time-limited.

Infrastructure

Hosted on Railway (API) and Vercel (frontend) with managed PostgreSQL. Both platforms provide automatic security patches, DDoS protection, and SOC 2 compliant infrastructure.

Compliance checklist

6 of 10 items complete. Certification milestones are in progress.

AES-256 encryption at rest
TLS 1.3 encryption in transit
Row-level security (tenant isolation)
Immutable audit logging
Role-based access controls
Presigned URL file access (5 min TTL)
SOC 2 Type II certification: Planned
ISO 27001 certification: Planned
Penetration testing (annual): Planned
GDPR data processing agreement: Planned

Questions about security?

We're happy to walk through our security practices, share documentation, or discuss your specific requirements.