Security & Privacy

You're trusting us with client data, contracts, invoices, and financial records. We take that seriously. Here's how we protect it.

Encrypted everywhere

All connections to Illusly are encrypted with TLS. Every page, every API call, every file download — the app, the client portal, and every public share link. No exceptions.

Data at rest — your database records, files, and attachments — is encrypted using AES-256. Your data is protected whether it's moving or sitting still.

Workspace isolation

Every workspace is isolated at the database level. Row-level security policies ensure that one workspace can never access another's data — not through the app, not through the API, not through a bug. It's enforced by the database itself.

Environments are separated too. Development, staging, and production run on independent infrastructure with no shared data.

Authentication & access control

Two-factor authentication

Available on all plans. Works with Google Authenticator, Authy, or any TOTP app.

Role-based permissions

Six built-in roles plus custom roles on Premium. Control exactly who can see, edit, or delete across every feature.

Team-level data scoping

Restrict members to only see their team's clients, projects, and deals. Not just hidden in the UI — enforced at the data layer.

Session management

View active sessions and revoke any of them. Password changes invalidate all existing sessions.

Client access & shared documents

The client portal uses passwordless authentication — clients verify with their email, no password to manage or forget. Each session is scoped to a single client and workspace.

Shared links for invoices, proposals, contracts, and forms use unique tokens that can be revoked at any time. E-signatures record the signer's name, timestamp, and IP address for a clear audit trail.

Your data belongs to you

We don't sell your data, use it for advertising, or train models with it. It exists to serve your business — nothing else.

Export anytime. Clients, invoices, contacts, documents, and time logs can be exported from Settings on any plan, including Free. Your data is never locked in.

Cancellation. If you cancel, your data stays accessible for 30 days. We send reminders before anything is removed.

Deletion. Request full account and data deletion at any time by contacting support@illusly.com. We process requests within 7 business days.

Privacy

We collect what we need to run the product and nothing more. No tracking pixels on your invoices. No behavioral profiling. No selling data to third parties.

Payments are processed by Paddle. We never see or store your card details — that's handled entirely by the payment processor in compliance with PCI DSS.

Calendar and email integrations use standard OAuth 2.0 with minimal scopes. We only request access to what you explicitly enable, and you can disconnect at any time.

For the full details, see our Privacy Policy and Terms of Service.

Have a security concern?

If you've found a vulnerability, have a compliance question, or need information for your own security review — reach out at support@illusly.com. We respond within one business day.
