What We Protect
HourSlip holds sensitive financial data on behalf of Indian freelancers: GSTIN numbers, PAN numbers, UPI IDs, bank account details, and complete invoice histories. We take this responsibility seriously. This page describes what we actually do to protect your data — no fabricated badges, no marketing language.
We do not claim ISO 27001, SOC 2, PCI-DSS, or any other third-party certification. The protections described here are our genuine implemented practices, verifiable in our codebase.
Field-Level Encryption (AES-256-GCM)
Your most sensitive financial identifiers are encrypted at the application layer before they ever reach the database:
- GSTIN (Goods and Services Tax Identification Number)
- PAN (Permanent Account Number)
- UPI ID
- Bank account number
The encryption algorithm is AES-256-GCM (256-bit key, Galois/Counter Mode with authentication tag). Each value is encrypted with a unique random initialisation vector (IV) to ensure that identical values produce different ciphertext. An authentication tag verifies integrity on decryption — tampered values are rejected, not silently returned as garbage.
Encryption keys are stored as environment variables, never in the database or source code. The key envelope is versioned, which means we can rotate keys without downtime: the old key decrypts historical rows while the new key encrypts all writes, then a background job re-encrypts old rows under the new key before the old key is retired.
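The scheme in the two paragraphs above, sketched as an added example in Node.js; this is not HourSlip's code. The envelope layout, the `keyRing` object and the function names are assumptions made for illustration, and the keys are generated at random here instead of being read from environment variables.

```javascript
const nodeCrypto = require("node:crypto");

// Constructed key ring. In the deployment described above each key would come
// from an environment variable; random keys are used so this runs offline.
const keyRing = { v1: nodeCrypto.randomBytes(32), v2: nodeCrypto.randomBytes(32) };

// Assumed envelope layout: "<version>.<iv>.<tag>.<ciphertext>", base64url parts.
function encryptField(plaintext, version, keys = keyRing) {
  if (!Object.hasOwn(keys, version)) throw new Error(`no key for version ${version}`);
  const iv = nodeCrypto.randomBytes(12); // fresh 96-bit IV for every value
  const cipher = nodeCrypto.createCipheriv("aes-256-gcm", keys[version], iv);
  cipher.setAAD(Buffer.from(version)); // the version label is covered by the tag
  const ct = Buffer.concat([cipher.update(plaintext, "utf8"), cipher.final()]);
  const parts = [iv, cipher.getAuthTag(), ct].map((b) => b.toString("base64url"));
  return [version, ...parts].join(".");
}

function decryptField(envelope, keys = keyRing) {
  const fields = envelope.split(".");
  if (fields.length !== 4) throw new Error("malformed envelope");
  const version = fields[0];
  // A retired or unknown version has no key, so the row cannot be read.
  if (!Object.hasOwn(keys, version)) throw new Error(`no key for version ${version}`);
  const [iv, tag, ct] = fields.slice(1).map((p) => Buffer.from(p, "base64url"));
  if (iv.length !== 12 || tag.length !== 16) throw new Error("malformed envelope");
  const decipher = nodeCrypto.createDecipheriv("aes-256-gcm", keys[version], iv, {
    authTagLength: 16,
  });
  decipher.setAAD(Buffer.from(version));
  decipher.setAuthTag(tag);
  // final() throws when the tag does not verify, so a tampered value is
  // rejected instead of being returned as garbage.
  return Buffer.concat([decipher.update(ct), decipher.final()]).toString("utf8");
}

// Background re-encryption step: rows already under the current version are
// left alone; older rows are decrypted with their old key and rewritten.
function reencryptRows(rows, currentVersion, keys = keyRing) {
  return rows.map((env) =>
    env.startsWith(currentVersion + ".")
      ? env
      : encryptField(decryptField(env, keys), currentVersion, keys)
  );
}
```

Once every row carries the new version prefix, the old key can be dropped from the key ring; any row that was missed then fails to decrypt with an explicit error.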
General operational data — time entries, invoice amounts, client names, email addresses — is stored in the database with Row Level Security isolation (see below) but is not field-level encrypted. We are transparent about this distinction.
Encryption in Transit (TLS)
All communication between your browser and HourSlip is encrypted using TLS (Transport Layer Security), enforced by Vercel's edge infrastructure. There is no unencrypted HTTP path to any part of the application.
Row Level Security (Data Isolation)
Every database table in HourSlip has Row Level Security (RLS) enabled via Supabase (PostgreSQL). RLS is a database-enforced policy — it operates inside the database engine, not just at the application layer.
What this means for you: even if there were a bug in our application code, the database itself would refuse to return another user's rows. Your data is structurally isolated from every other HourSlip user. We cannot query your data from the Supabase dashboard without explicitly bypassing RLS with the service role key, which is never used in client-facing code.
Data Residency
Your primary data is stored in ap-south-1 (Mumbai, India) via Supabase. This is the database where all your invoices, clients, time entries, and encrypted financial identifiers live.
Some infrastructure components process data outside India — see our International Data Transfers section for the complete disclosure. In short: email delivery (Resend), rate limiting (Upstash), and web traffic (Vercel edge) involve US or EU infrastructure, but your financial records are stored in India.
Payment Processing
Subscription payments and invoice collection payments are processed by Razorpay, a Reserve Bank of India-regulated Payment Aggregator. HourSlip never sees or stores your credit/debit card numbers — card data goes directly to Razorpay's PCI-DSS compliant vault.
The only payment details stored by HourSlip are: Razorpay order IDs (to track payment status) and UPI IDs / bank account details for invoice payment display (these are field-level encrypted as described above).
Authentication & Account Security
- Supabase Auth handles authentication. Passwords are never stored in plaintext — Supabase uses bcrypt hashing.
- Email OTP login is available as a password-free alternative.
- OAuth via Google or GitHub — we store only the email and display name returned by the OAuth provider, not your OAuth token.
- Rate limiting is applied to authentication and API endpoints via Upstash Redis to prevent brute-force and denial-of-service attempts.
- Session cookies use HttpOnly and Secure flags, managed by Supabase's SSR client.
Infrastructure
- Supabase (PostgreSQL) — Mumbai region, managed by Supabase Inc. Supabase's compliance posture is available at supabase.com/security.
- Vercel — serverless hosting and edge delivery. Vercel's security overview is at vercel.com/security.
Incident Response
In the event of a personal data breach affecting your data, we will notify you as soon as practicable and report to relevant Indian authorities as required by applicable law, including the Digital Personal Data Protection Act 2023. If you discover a potential security vulnerability, please report it responsibly to [email protected].
Questions
For security questions or to report a vulnerability, email [email protected]. For privacy and data-related requests, see our Privacy Policy.