PayNext Security & Privacy

PayNext is an internal-use invoicing tool. Public sign-up is disabled and access is restricted to a small, explicitly allowlisted set of administrator email addresses. Sessions are managed by our authentication provider; leaked-password checks (HIBP) are enabled.

We store the company, client, invoice, payment, VAT, and email-delivery data that administrators enter into the app, plus uploaded company logos. We do not collect telemetry about invoice recipients beyond what is required to deliver their invoice email.

Application data is stored in a managed Postgres database with row-level security policies that scope every row to the administrator who created it. Uploaded files live in a private object-storage bucket; access is gated by signed URLs and storage policies restricted to the owning administrator.

Data is encrypted in transit using TLS between the browser, the application, the database, and our outbound SMTP provider. Database storage and managed backups are encrypted at rest by the platform provider.

Invoice emails are sent using SMTP credentials configured by the administrator in the app. The credentials are stored in the administrator's company-settings record and are only readable by that administrator under row-level security.

We rely on our hosting and managed-database provider for application hosting, database, authentication, and storage. Outbound email is delivered through the SMTP relay each administrator configures themselves.

Invoice, client, and audit-log data is retained for as long as the administrator keeps the corresponding records in the app. Administrators can delete records they own at any time from within PayNext.

Sensitive administrator actions are recorded in an append-only audit log. Audit entries are scoped to the acting administrator and protected by row-level security and JWT-bound insert checks.

If you believe you have found a security issue in PayNext, please contact thePayNext team directly. We will acknowledge your report and work with you on coordinated disclosure.