Security & Privacy

FASPIT is built on a small number of industry-leading infrastructure providers, each with their own rigorous security programs. Here's what that means for your data.

Your account is protected by Clerk

Sign-in, passwords, sessions, and billing are handled entirely by Clerk, a dedicated authentication platform used by thousands of companies. FASPIT never stores or touches your password or payment details.

  • Passwords are never stored in FASPIT's database
  • Short-lived login sessions expire automatically
  • Multi-factor authentication (MFA) is supported
  • Social login (Google, etc.) available — no new password required
  • Bot protection and brute-force attack detection are built into the sign-in flow — repeated failed attempts are automatically blocked
  • Signing in with a password on an unrecognised device automatically requires an additional verification step (a one-time code sent to your email or phone) — even if you haven't set up MFA. This means a stolen password alone is not enough to access your account from a new machine
  • User enumeration is prevented — the sign-in flow never reveals whether an email address exists in our system, protecting your account from targeted attacks

Billing is handled by Stripe. Clerk uses Stripe to process subscription payments. FASPIT never sees, stores, or processes your credit card information. Stripe is a certified PCI Service Provider Level 1 — the highest level of certification in the payments industry.

Your data is stored in Supabase (PostgreSQL)

All your clients, projects, tasks, time entries, and invoices live in a Supabase PostgreSQL database — the same infrastructure trusted by major enterprises and government bodies.

  • Every row is scoped to your organization, and that scope is enforced by the database itself rather than only by application code
  • Data is encrypted at rest and in transit
  • Database-level access rules (PostgreSQL Row-Level Security) mean that a query issued under your session can only return rows belonging to your organization, so even an application bug that builds the wrong query cannot expose another customer's data
  • Changes to your data sync across all your devices and browser tabs in real time — so what you see is always current, and nothing gets out of date silently in the background

The app runs on Vercel

FASPIT's frontend and middleware run on Vercel, a cloud platform also used by large companies such as Netflix, PayPal, Stripe and GitHub.

  • All traffic is encrypted with HTTPS — no exceptions
  • DDoS and bot protection are built in at the network level — malicious automated traffic is filtered before it reaches the application
  • The app is served from a global network of data centers so it's fast and resilient
  • Rate limiting is enforced on every API endpoint using a distributed Redis layer. Read and write operations are capped — mitigating automated abuse or bulk scraping attacks
  • Every request is validated before it touches the database. FASPIT applies strict schema validation (via Zod) to all incoming data: only explicitly expected fields are accepted and any unexpected field causes the request to be rejected outright, values are checked against exact types and allowed options, and every identifier must be a properly-formatted ID. Malformed or unexpected input is therefore stopped at the API boundary, before any database query is built, which removes a wide class of injection and data-corruption attacks

Sent invoices are preserved

When an invoice is marked as sent or paid, a permanent snapshot of every line item — rates, hours, descriptions, and totals — is saved at that moment. If you later delete the client or project that the invoice was billed against, the invoice record itself remains intact and accurate. Your financial history is never retroactively altered.

Note: If you delete your account or organization, all data associated with it — including invoices — is removed from our systems.

Your data is yours

  • We do not sell your data to third parties
  • We do not use your client or invoice data for advertising or analytics
  • You can export your data at any time
  • Deleting your account removes your data from our systems