TradesBill
Security
How TradesBill protects tenant data, backend secrets, invoice records, and admin access.
Security Model
TradesBill separates the mobile app, backend API, admin portal, and server-side secrets. Mobile builds send tenant identifiers and API keys, while OpenAI, SMTP, database, and payment provider secrets stay on the backend.
Tenant Controls
- Tenant API keys are stored in the database only as hashes, never in plaintext.
- Invoice writes are scoped to the authenticated tenant.
- Tenant branding and tax defaults are managed through the admin portal.
Admin Controls
- Admin access uses server-side PHP sessions.
- Admin forms use CSRF tokens.
- Admin users are stored with password hashes, not plain text passwords.
Operational Controls
- API endpoints authenticate every request with tenant authentication headers.
- Basic rate limiting is enabled on backend requests.
- Email delivery has queue and retry controls.
- Production deployments should use HTTPS, restricted CORS origins, secure backups, and server monitoring.
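As an added illustration of how the tenant key hashing, header authentication and tenant-scoped invoice writes described above fit together (example code, not TradesBill's own; the header names X-Tenant-Id and X-Api-Key, the PDO connection and the tenants/invoices table columns are assumptions):

```php
<?php
// Added example, not TradesBill code. Assumes a PDO connection and the
// hypothetical tables tenants(id, api_key_hash) and invoices(tenant_id, customer, total).
declare(strict_types=1);

// Called once when a key is issued: the plaintext key goes back to the tenant,
// only its hash is stored. Keys are 256-bit random values, so a fast hash is
// adequate here (unlike passwords, which need a slow password_hash()).
function issueTenantApiKey(PDO $db, string $tenantId): string
{
    $key  = bin2hex(random_bytes(32));
    $hash = hash('sha256', $key);
    $stmt = $db->prepare('UPDATE tenants SET api_key_hash = :h WHERE id = :id');
    $stmt->execute([':h' => $hash, ':id' => $tenantId]);
    return $key;
}

// Resolve the tenant from the request headers; returns null on any failure.
// Header names are assumed for this example.
function authenticateTenant(PDO $db, array $headers): ?string
{
    $tenantId = $headers['X-Tenant-Id'] ?? '';
    $apiKey   = $headers['X-Api-Key'] ?? '';
    if ($tenantId === '' || $apiKey === '') {
        return null;
    }
    $stmt = $db->prepare('SELECT api_key_hash FROM tenants WHERE id = :id');
    $stmt->execute([':id' => $tenantId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // Compare against a dummy hash when the tenant is unknown so the response
    // time does not reveal which tenant ids exist; hash_equals is constant-time.
    $stored = is_array($row) ? (string)$row['api_key_hash'] : str_repeat('0', 64);
    $ok = hash_equals($stored, hash('sha256', $apiKey));
    return (is_array($row) && $ok) ? $tenantId : null;
}

// Invoice writes take the tenant id from the authenticated request, never from
// the request body, so one tenant cannot write into another tenant's records.
function createInvoice(PDO $db, string $authedTenantId, array $body): void
{
    $stmt = $db->prepare(
        'INSERT INTO invoices (tenant_id, customer, total) VALUES (:t, :c, :total)'
    );
    $stmt->execute([
        ':t'     => $authedTenantId,
        ':c'     => (string)($body['customer'] ?? ''),
        ':total' => (float)($body['total'] ?? 0),
    ]);
}
```

A request handler would call authenticateTenant() first and reject the request when it returns null, then pass the returned tenant id into createInvoice() regardless of any tenant field in the body.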
Responsible Disclosure
If you believe you have found a security issue, contact us through the contact page and include enough detail to reproduce the issue safely.