Security

Security at invico

Last updated April 27, 2026

The security of your data — quotes, site photos, customer information — is our top priority. Here are the technical and organisational measures we apply.

1. Our approach

invico applies defence in depth: multiple independent security layers protect your data, so a single weakness cannot compromise the whole.

We follow recommendations from ANSSI and NIST, and we are working towards alignment with the ISO 27001 standard.

2. Hosting and infrastructure

Primary hosting in Europe (Paris & Frankfurt)
Vercel CDN for static assets only
Fully managed infrastructure with automatic security updates
Network isolation: databases not exposed to the public internet

3. Encryption

In transit: TLS 1.2+ enforced on all connections, HSTS enabled
At rest: AES-256 encryption on databases and object storage
Keys managed in a dedicated vault with regular rotation
Passwords stored with bcrypt (high cost factor)

4. Authentication and access

Multi-factor authentication (MFA) available on all accounts
Strong password policy (minimum length, lockout after failures)
Time-limited session tokens, revocable at any time
SSO authentication available on the Business plan
Employee access strictly controlled (least privilege principle, audit log)

5. Backups and continuity

Encrypted automatic backups every hour
30-day rolling retention plus monthly snapshots
Restoration tested monthly
Target RPO: 1 hour / Target RTO: 4 hours

6. Monitoring and logging

Centralised logging of access, changes and security events
Anomaly detection (error rates, suspicious access attempts, unusual patterns)
24/7 alerting to the on-call team
Logs retained for 12 months

7. Development practices

Mandatory code review before every production deployment
Automated tests (unit, integration, end-to-end)
Static analysis (SAST) and software composition analysis (SCA) on every commit
Continuous dependency monitoring (Dependabot, Snyk)
Separated environments (dev / staging / production), no production data in dev

8. Responsible disclosure

Found a security issue? Thank you! Email us at security@invico.pro with:

A precise description of the issue
Steps to reproduce it
Your assessment of the potential impact

We commit to:

Acknowledge receipt within 48 hours
Keep you informed throughout the investigation
Not pursue legal action if you act in good faith (no data exfiltration, no public disclosure before fix)
Publicly thank you (with your consent) in our release notes

9. Incident notification

In case of a data breach affecting your personal data, we commit to:

Notify the CNIL (French DPA) within 72 hours
Inform you without delay if the breach poses a high risk to your rights and freedoms
Publish a public post-mortem for major incidents

10. Subprocessor security

We assess the security of each of our subprocessors (host, payment provider, AI vendors) before signing. All are bound by contractual commitments compliant with Article 28 of the GDPR.

An up-to-date list is available on the Privacy page.

For any question or report: security@invico.pro (or tomwallyntel@gmail.com if the alias is not yet active).

← Back to home