
Security at mozey

Last updated: March 30, 2026

At mozey, we understand that you're trusting us with sensitive financial information, client details, and contracts. We take this responsibility seriously and implement industry-leading security measures to protect your data.

1. Encryption

All data is encrypted both in transit and at rest:

  • In Transit: All communications between your browser and our servers are encrypted using TLS 1.3 (Transport Layer Security).
  • At Rest: Your receipt images, invoices, contracts, and extracted data are encrypted using AES-256 encryption in our database and storage systems.
  • Passwords: User passwords are hashed with bcrypt, which generates a unique salt for each password and is deliberately slow to compute, so a stored hash cannot be reversed to recover the original password.
  • Document Encryption: Signed contracts and confidential documents are encrypted at rest and during transmission.

2. Invoice & Contract Data Security

Your invoices and contracts are protected with bank-level security:

  • Encrypted Storage: All invoices, contracts, and quotes are stored using AES-256 encryption at rest.
  • Invoice Data Protection: Client names, email addresses, line items, amounts, payment methods, and payment status are encrypted and accessible only to the invoice owner.
  • Secure Document Sharing: When you share an invoice, contract, or quote link with clients, we use unique, cryptographically secure tokens that are time-limited and cannot be guessed or reused. Each token grants access only to the intended document.
  • Document Access Control: Client-facing pages display only the specific document shared, with no access to account data, other invoices, contracts, or client lists.
  • E-Signature Security: E-signatures use industry-standard cryptographic hash verification and timestamping to establish authenticity and non-repudiation. The signature record includes the signer's name, email address, IP address at the time of signing, the exact timestamp, and a cryptographic hash that binds the signature to the document contents as signed.
  • Signature Verification: E-signatures include embedded verification metadata that can be independently verified to prove the document was signed by the intended party at the stated time.
  • Client Data Isolation: Each freelancer account and client relationship is logically separated at the database level. Your clients cannot see other clients' data, invoices, contracts, payment records, or contact information.
  • Payment Method Display Security: Payment method information displayed on invoices (Stripe, PayPal, Zelle, etc.) is shown to clients only on their intended invoices and does not expose payment processing details.
  • No Data Sharing: Client information is never shared with third parties for marketing or other purposes.
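The share-link scheme described above (unique, unguessable, time-limited tokens that open exactly one document) can be implemented as follows. This is an added example, not mozey's code: the ShareStore class, the 32-byte token length, the in-memory store and the invoice identifiers are assumptions chosen for illustration. Only a hash of each token is persisted, so a leaked database row is not a working link, and every lookup checks expiry, revocation and the token-to-document binding.

```python
# Added example (not mozey's code): one way to implement time-limited,
# unguessable document share links. Class/field names, the 32-byte token
# length and the in-memory store are assumptions for illustration.
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


def _token_hash(token: str) -> bytes:
    # Only the hash is stored; the raw token lives solely in the URL given to the client.
    return hashlib.sha256(token.encode("utf-8")).digest()


@dataclass
class ShareRecord:
    document_id: str      # the single document this token may open
    expires_at: datetime  # absolute expiry, UTC
    revoked: bool = False


class ShareStore:
    """Issues and resolves share tokens; records are keyed by token hash."""

    def __init__(self) -> None:
        self._records: dict[bytes, ShareRecord] = {}

    def issue(self, document_id: str, ttl: timedelta, now: datetime) -> str:
        # 32 bytes (256 bits) from the OS CSPRNG: infeasible to guess or enumerate.
        token = secrets.token_urlsafe(32)
        self._records[_token_hash(token)] = ShareRecord(document_id, now + ttl)
        return token

    def resolve(self, token: str, document_id: str, now: datetime) -> bool:
        """True only if the token is known, unexpired, unrevoked and bound to document_id."""
        rec = self._records.get(_token_hash(token))
        if rec is None or rec.revoked or now >= rec.expires_at:
            return False
        # Binding check: a valid token for invoice A must never open invoice B.
        return hmac.compare_digest(rec.document_id.encode(), document_id.encode())

    def revoke(self, token: str) -> None:
        rec = self._records.get(_token_hash(token))
        if rec is not None:
            rec.revoked = True


def demo() -> dict[str, bool]:
    """Run the store through a constructed scenario and return each check's outcome."""
    t0 = datetime(2026, 3, 30, tzinfo=timezone.utc)
    store = ShareStore()
    link = store.issue("inv_1001", timedelta(days=7), t0)
    results = {
        "valid_link_opens_its_document": store.resolve(link, "inv_1001", t0 + timedelta(days=1)),
        "valid_link_cannot_open_other_document": store.resolve(link, "inv_2002", t0),
        "expired_link_rejected": store.resolve(link, "inv_1001", t0 + timedelta(days=8)),
        "unknown_token_rejected": store.resolve("A" * 43, "inv_1001", t0),
    }
    store.revoke(link)
    results["revoked_link_rejected"] = store.resolve(link, "inv_1001", t0)
    return results


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check}: {outcome}")
```

The document binding is the part most often missed: a token that is merely "valid" but not tied to one document id lets a client with a link to invoice A try other ids, which is exactly the cross-document access the policy above rules out.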
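The signing-evidence record described above (document hash, signer name, email, IP address, timestamp, plus an integrity check over all of it) is illustrated next. This is an added example, not mozey's code: the field names, the HMAC-SHA256 seal and the server-held key are assumptions, and the contract text, signer details and key are constructed test data. Verification fails if the document bytes, any metadata field, or the key differ from what was sealed.

```python
# Added example (not mozey's code): an e-signature evidence record sealed
# with HMAC-SHA256. Field names and the HMAC construction are assumptions;
# key, document and signer details in demo() are constructed test data.
import hashlib
import hmac
import json
from datetime import datetime, timezone


def _canonical(obj: dict) -> bytes:
    # Deterministic serialisation so the seal covers identical bytes on verify.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode("utf-8")


def signature_record(document: bytes, signer_name: str, signer_email: str,
                     signer_ip: str, signed_at: datetime, server_key: bytes) -> dict:
    """Build the evidence record for one e-signature and seal it."""
    body = {
        "document_sha256": hashlib.sha256(document).hexdigest(),  # binds record to the exact bytes signed
        "signer_name": signer_name,
        "signer_email": signer_email,
        "signer_ip": signer_ip,
        "signed_at": signed_at.astimezone(timezone.utc).isoformat(),
    }
    mac = hmac.new(server_key, _canonical(body), hashlib.sha256).hexdigest()
    return {**body, "mac": mac}


def verify_signature_record(document: bytes, record: dict, server_key: bytes) -> bool:
    """True only if neither the record fields nor the document changed since sealing."""
    body = {k: v for k, v in record.items() if k != "mac"}
    expected = hmac.new(server_key, _canonical(body), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, record.get("mac", "")):
        return False  # metadata altered (signer, timestamp, hash) or wrong key
    actual_hash = hashlib.sha256(document).hexdigest()
    return hmac.compare_digest(actual_hash, record["document_sha256"])  # document altered?


def demo() -> dict[str, bool]:
    """Seal a constructed contract and check genuine vs. tampered inputs."""
    key = b"constructed-demo-key-do-not-use"  # in production: a managed secret, never hard-coded
    contract = b"Service agreement v3: 40 hours at $120/hour, net 30."
    signed_at = datetime(2026, 3, 30, 15, 4, 5, tzinfo=timezone.utc)
    rec = signature_record(contract, "Ada Client", "ada@example.com", "203.0.113.7", signed_at, key)
    backdated = {**rec, "signed_at": "2026-03-01T00:00:00+00:00"}
    return {
        "genuine_verifies": verify_signature_record(contract, rec, key),
        "altered_document_fails": verify_signature_record(contract + b" Fee waived.", rec, key),
        "altered_metadata_fails": verify_signature_record(contract, backdated, key),
        "wrong_key_fails": verify_signature_record(contract, rec, b"other-key"),
    }


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check}: {outcome}")
```

One caveat a practitioner will want: an HMAC can only be verified by whoever holds the key, so this record proves integrity to the service, not to an outside party. Verification that is independent of the service requires an asymmetric signature (for example Ed25519) over the same canonical record, and a timestamp that third parties can trust requires a timestamping authority (RFC 3161) rather than the server's own clock.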

3. AI & Document Security

Your receipt, contract, and invoice data is handled with the highest level of security during AI processing:

  • AI Provider: All AI processing uses Anthropic Claude (not OpenAI), which maintains industry-leading security and privacy standards.
  • Encrypted Transmission: All documents are transmitted to AI services using TLS 1.3 encryption.
  • Encrypted Storage: All receipts, invoices, and contracts are stored using AES-256 encryption at rest.
  • No Data Training: Your documents and data are NOT used for AI model training.
  • US-Based Processing: AI processing occurs on US-based servers.
  • Real-Time Processing: AI providers process data in real-time and do not retain your documents after processing.

4. Infrastructure Security

We use trusted, enterprise-grade infrastructure providers:

Component          Provider            Security Standard
Database           Supabase (AWS)      SOC 2 Type II
Hosting            Vercel              SOC 2 Type II
Billing            Stripe              PCI DSS compliant
Auth               Supabase Auth       OAuth 2.0
AI Processing      Anthropic Claude    SOC 2 Type II
Document Storage   AWS S3              Encrypted buckets, access logs

  • Cloud Hosting: Our application is hosted on Vercel with automatic DDoS protection and global CDN.
  • Database: We use Supabase (built on AWS) with automated backups, point-in-time recovery, and row-level security.
  • File Storage: Invoices, contracts, and receipt images are stored in isolated, encrypted storage buckets with strict access controls.

5. Authentication & Access Control

  • Secure Authentication: We support email/password, Google OAuth, and GitHub OAuth for secure sign-in.
  • Session Management: Sessions are securely managed with automatic expiration and secure cookie handling.
  • Row-Level Security: Database policies ensure users can only access their own data, invoices, clients, and contracts — no exceptions.
  • Client Access Control: You control exactly which clients can see which invoices and contracts.
  • API Security: All API endpoints are authenticated and rate-limited to prevent abuse.

6. Payment Security

  • PCI Compliance: All payment processing is handled by Stripe, which is PCI DSS compliant.
  • No Card Storage: We never store your full credit card numbers on our servers.
  • Secure Checkout: All payment pages are served over HTTPS with additional fraud prevention measures.
  • Payment Method Display: Your payment methods (Stripe, PayPal, Zelle, bank transfer) are securely displayed on invoices to clients without storing sensitive details.

7. What We Never Do

  • We never sell your personal data, financial information, or client details to third parties
  • We never use your invoices, contracts, or receipt data for AI model training
  • We never access your financial data without your permission
  • We never store credit card numbers on our servers
  • We never send your data to the IRS directly
  • We never share client information with other users or third parties

8. Data Privacy

  • Data Isolation: Each user's data is logically separated and inaccessible to other users.
  • Client Isolation: Your client data is never shared with or visible to other freelancers using mozey.
  • No Data Selling: We never sell your personal information, financial data, or client details to third parties.
  • Minimal Access: Only essential personnel have access to production systems, and all access is logged.

9. Backup & Recovery

  • Automated Backups: Your data is automatically backed up daily with point-in-time recovery capability.
  • Geographic Redundancy: Backups are stored in multiple geographic locations to ensure data durability.
  • Disaster Recovery: We have documented procedures to restore service quickly in case of any incident.

10. Security Monitoring

  • 24/7 Monitoring: Our infrastructure is continuously monitored for security threats and anomalies.
  • Logging: All system access and API calls are logged and retained for security analysis.
  • Incident Response: We have established procedures to respond to and communicate about any security incidents.

11. Your Security Responsibilities

To help keep your account secure, we recommend:

  • Use a strong, unique password for your mozey account
  • Don't share your login credentials with others
  • Log out when using shared or public computers
  • Keep your browser and devices updated with the latest security patches
  • Report any suspicious activity to us immediately

12. Vulnerability Disclosure

If you discover a security vulnerability, we encourage responsible disclosure. To report a security issue:

Email: hello@mozey.co

Subject Line: [SECURITY] Brief description of the issue

  • We will acknowledge your report within 48 hours
  • We will provide a detailed response within 7 business days
  • We will not take legal action against good-faith security researchers

13. Data Breach Notification Policy

14. Questions?

If you have any questions about our security practices, please don't hesitate to reach out: