Legal

Security overview

How we protect your invoices, your clients' data, and your account. Honest about what we do — and what we don't yet do.

Hosting and data residency

Numirio runs on Railway. The application, Postgres database, and PDF object storage live in Railway's EU region by default. We don't operate physical infrastructure ourselves; Railway handles datacenter security, redundancy, and patching.

Encryption

  • In transit — every connection between you, our API, and our subprocessors uses TLS 1.2 or higher.
  • At rest — Postgres volumes and bucket storage are encrypted by Railway using AES-256.
  • Secrets — credentials and API keys are kept in Railway's environment store, not in source control.

Authentication

  • Email + password sign-in. Passwords are hashed with bcrypt before storage; we never store or log them in plaintext.
  • "Sign in with Google" using OpenID Connect. We don't receive your Google password — just a stable identifier and your email.
  • Magic-link sign-in for password resets. Links are single-use and expire after 15 minutes.
  • Sessions use short-lived access tokens paired with rotating refresh tokens (a refresh token is replaced each time it is used).
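The two token properties listed above, single-use magic links that expire after 15 minutes and refresh tokens that rotate on use, share one server-side primitive: a random token whose hash (never the token itself) is stored with an expiry and a "spent" flag. The following is an added illustration written for this page, not Numirio's code. It assumes an in-memory dict as a stand-in for the database table, a 30-day refresh-token lifetime (the page does not state one), and goes one step beyond the text by revoking all of an account's refresh tokens when an already-rotated token is replayed, the usual signal that a copy has been stolen.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

MAGIC_LINK_TTL = 15 * 60           # seconds; the 15-minute expiry stated on this page
REFRESH_TTL = 30 * 24 * 3600       # assumption for the example; not stated on this page


@dataclass
class StoredToken:
    subject: str        # account the token was issued to
    purpose: str        # "magic_link" or "refresh"
    expires_at: float   # unix timestamp
    used: bool = False


class FakeClock:
    """Controllable clock so expiry can be exercised without sleeping."""
    def __init__(self, t: float = 1_700_000_000.0) -> None:
        self.t = t
    def __call__(self) -> float:
        return self.t


class OneTimeTokenStore:
    """Issues random tokens and persists only their SHA-256 digest, so a leaked
    table does not hand an attacker usable links or refresh tokens."""

    def __init__(self, clock=time.time) -> None:
        self._clock = clock
        self._rows: Dict[str, StoredToken] = {}   # digest -> row (stand-in for a DB table)

    @staticmethod
    def _digest(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, subject: str, purpose: str, ttl: int) -> str:
        token = secrets.token_urlsafe(32)          # 256 bits from the OS CSPRNG
        self._rows[self._digest(token)] = StoredToken(subject, purpose, self._clock() + ttl)
        return token                               # the only copy of the plaintext token

    def revoke_all(self, subject: str, purpose: str) -> int:
        """Mark every live token of this subject/purpose as spent; return how many."""
        n = 0
        for row in self._rows.values():
            if row.subject == subject and row.purpose == purpose and not row.used:
                row.used = True
                n += 1
        return n

    def consume(self, token: str, purpose: str) -> Optional[str]:
        """Return the subject if the token is live, marking it spent; otherwise None.
        Presenting an already-spent token revokes the subject's other live tokens
        of the same purpose (reuse detection)."""
        row = self._rows.get(self._digest(token))
        if row is None or row.purpose != purpose:
            return None
        if row.used:
            self.revoke_all(row.subject, row.purpose)
            return None
        if self._clock() > row.expires_at:
            return None
        row.used = True                            # single-use: a second presentation fails
        return row.subject


def send_magic_link(store: OneTimeTokenStore, email: str,
                    base_url: str = "https://example.invalid/reset") -> str:
    """Build the link that would be e-mailed; returned here so the example can run offline."""
    return f"{base_url}?token={store.issue(email, 'magic_link', MAGIC_LINK_TTL)}"


def redeem_magic_link(store: OneTimeTokenStore, token: str) -> Optional[str]:
    return store.consume(token, "magic_link")


def rotate_refresh_token(store: OneTimeTokenStore, presented: str) -> Optional[Tuple[str, str]]:
    """Exchange a live refresh token for a new one; the old one is spent by consume()."""
    subject = store.consume(presented, "refresh")
    if subject is None:
        return None
    return subject, store.issue(subject, "refresh", REFRESH_TTL)


def demo() -> dict:
    """Walk through both flows with a fake clock; returns the observations."""
    clock = FakeClock()
    store = OneTimeTokenStore(clock=clock)
    t1 = send_magic_link(store, "alice@example.com").split("token=")[1]
    first, second = redeem_magic_link(store, t1), redeem_magic_link(store, t1)
    t2 = send_magic_link(store, "alice@example.com").split("token=")[1]
    clock.t += MAGIC_LINK_TTL + 1                  # one second past expiry
    expired = redeem_magic_link(store, t2)
    r1 = store.issue("bob", "refresh", REFRESH_TTL)
    rotated = rotate_refresh_token(store, r1)
    replayed = rotate_refresh_token(store, r1)     # stale copy replayed -> family revoked
    after_replay = rotate_refresh_token(store, rotated[1]) if rotated else "n/a"
    return {"first": first, "second": second, "expired": expired,
            "rotated_subject": rotated[0] if rotated else None,
            "replayed": replayed, "after_replay": after_replay}


if __name__ == "__main__":
    print(demo())
```

In a real deployment the dict becomes a table keyed by the digest, `consume` runs as a single transactional update (`WHERE used = false AND expires_at > now()`) so two concurrent redemptions cannot both succeed, and the reuse-detection branch should also terminate the account's active sessions and log the event.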

Access control

Each workspace is isolated. Today a workspace has a single owner; the role model — Owner, Admin, Member, Accountant, with permissions scoped accordingly — is built in for upcoming team plans. Internally, only a small number of engineers can access production data, only when needed to debug a specific issue, and access is logged.

Backups

Postgres is backed up daily with 30 days of point-in-time recovery. We test restore procedures regularly. Object storage (your PDFs) is versioned.

Subprocessors

The same set as our privacy notice: Railway for hosting and storage, Paddle for billing, Google for optional sign-in, Resend for transactional email. Each has its own security posture documented publicly.

Responsible disclosure

Found a vulnerability? Email contact@numirio.com with the details — proof-of-concept, impact, reproduction steps. We aim to respond within three business days and to ship a fix within 90 days of confirming the issue, faster for high-severity findings. We don't run a paid bounty programme yet, but we publicly acknowledge researchers who report responsibly.

What we don't (yet) do

Being honest: Numirio is a small operation and we don't yet hold SOC 2 or ISO 27001 certifications. We don't run an external pen-test on a fixed cadence. Both are on the post-MVP roadmap. If you have a procurement question and these matter, email us and we'll tell you exactly where we are.

Contact

Security questions, vulnerability reports, and procurement diligence all go to contact@numirio.com.