Security you can trust

What we do (and don't do)

This separation of duties is intentional. It reduces risk for you and simplifies compliance.

Single-use approval links

Approvers receive an email with a one-tap Approve or Reject button. The link is:

• Time-limited — expires after 24 hours (default)
• Single-use — can only be used once, then it's burned
• Cryptographically signed — tamper-resistant tokens

Bank-change protection (two-person rule)

A common fraud pattern: a "vendor" emails new bank details. The business pays—to the wrong account.

PayGuard detects when vendor bank details differ from the last approved request:

• Shows a clear "Bank details changed" warning
• Can require two approvals (recommended default)

We recommend verifying bank changes with the vendor via phone before approving.

Audit trail & tamper-evident receipts

Every action is logged: request created, approval sent, approved/rejected, receipt generated.

When approved, we generate a PDF receipt containing:

• • Vendor, amount, due date, purpose
• • Who approved (name/email)
• • Timestamps for each approval
• • Bank-change warning (if applicable)
• • SHA-256 hash stored in the database

The hash allows anyone to verify the PDF hasn't been silently changed.

Role-based access

Users can only do what their role allows:

Data storage & encryption

• HTTPS/TLS for all traffic
• Encrypted secrets stored in environment variables
• Managed database with automatic backups
• No bank login credentials stored anywhere