Security at EntryRocket

EntryRocket runs on Heroku's cloud platform, which gives us solid infrastructure security out of the box:

• SOC 2 Type II certified hosting environment
• Automated daily backups with point-in-time recovery
• Automatic security patches and platform updates
• Network isolation between applications
• Infrastructure-level DDoS mitigation provided by the hosting platform

All data is encrypted both in transit and at rest:

• TLS 1.2+ encryption for all connections to our servers
• AES-256 encryption for data stored in our database
• Email processing supports TLS encryption
• HTTPS only - we enforce secure connections on all endpoints

We connect to Xero using OAuth 2.0 — the same standard used by all major services:

• OAuth 2.0 authentication - we never see or store your Xero password
• Scoped permissions - we only request access required to process your documents
• Token-based access with automatic refresh and secure storage
• Revoke anytime - disconnect EntryRocket from your Xero account instantly

We're a verified Xero App Partner — our integration has been reviewed and approved by Xero's team.

We keep your account locked down:

• Secure password hashing using bcrypt with strong salt
• Session management with automatic timeout and secure cookies
• Email verification for all new accounts
• Organization-level isolation - your data is completely separate from other customers

All payments are processed securely through Paddle, our Merchant of Record:

• PCI DSS Level 1 compliant payment processing
• We never store your credit card details - Paddle handles all payment data
• Paddle's secure checkout includes fraud detection and prevention

It's your data — you're in control:

• Minimal data retention - we only keep what's necessary for the service
• No data selling - we never sell or share your data with third parties
• Data inquiries - contact us about any data we hold about you
• Account deletion - request removal of your account and associated data

We follow security best practices in how we build the application:

• CSRF protection on all forms and state-changing requests
• SQL injection prevention using parameterized queries
• XSS protection with automatic output escaping
• Security scanning tools for code analysis and dependency vulnerability detection

We monitor the platform to keep things running smoothly:

• 24/7 uptime monitoring with automated alerting
• Error tracking for issue detection and resolution
• Server logging for operational oversight and troubleshooting