
Security overview

Your accounts payable data is sensitive. It includes vendor banking, financial amounts, and internal approval workflows. This page covers how Mod AI protects it.

Your data stays yours

Your data is never used to improve the AI, never shared with other customers, and never used for any purpose beyond processing your invoices. Each organization's data is fully isolated. There is no way for one customer to access another's.

The AI processes invoices in real time and does not retain your data for any kind of model training.

Encryption

All data in Mod AI is encrypted at every stage.

  • In transit. All data moving between your browser and Mod AI uses HTTPS. The same applies to email forwarding and integration traffic.
  • At rest. All stored data is protected with enterprise-grade encryption, including invoices, extracted data, vendor records, and the activity log.

Data isolation

Every organization's data is fully separated. Invoices, vendor records, and financial data are isolated at every layer (database, application, infrastructure). There is no path for accidental or intentional cross-organization access.

User permissions

Five built-in entity roles control what each user can see and do.

Role           Access
Administrator  Full access to features and settings.
Controller     Approves at any tier, holds, cancels, exports, oversees AP operations.
AP Specialist  Uploads, reviews, edits, approves, and rejects invoices. Cannot manage settings or users.
Approver       Reviews and approves or rejects routed documents.
Auditor        Read-only access to all data.

For granular control, custom roles can be created with specific permission sets. See Roles and Permissions.

Every action is checked against the user's permissions. UI elements and pages are gated client-side, and the same checks run server-side. Users do not see buttons or pages for actions they do not have access to.

For the full breakdown of what each role can do, see User Roles.

Infrastructure

Mod AI runs on secure cloud infrastructure with:

  • Network-level isolation behind multiple layers of access controls.
  • Automatic encrypted backups.
  • Built-in disaster recovery with redundant systems.
  • 24/7 monitoring for anomalies and threats.

Fraud-detection controls

The platform includes a few specific controls that help catch payment fraud and AP errors before they cost you money.

  • Duplicate invoice detection. The system flags likely duplicate invoices based on vendor and invoice number. See Duplicate Invoice notice.
  • Duplicate credit memo detection. The same check, applied to credit memos. See Duplicate Credit Memo notice.
  • Three-way match validation. The line-item three-way match rule catches cases where invoice quantity or price diverges from the PO and receipt. See Validation Rules.
  • Price change detection (where the integration supports it). Significant unit-price deviations against the last approved invoice for the same vendor and item surface a Price Change Detected notice.
  • Approval policies. Policies enforce your authorization rules automatically. Even if a fraudster slipped a fake invoice past validation, it still has to clear your approval chain.
  • Audit log. Every action on every invoice is recorded. If something looks wrong after the fact, you can trace exactly who did what and when.

Audit trail

Every action in the platform is logged: who did what, when, and to which document. The activity log captures:

  • Invoice creation, edits, and status changes.
  • Approval actions (approve, reject, delegate, override).
  • Validation runs and rule severity changes.
  • User management changes.
  • Settings changes.
  • Login events.

The activity log is immutable. Auditors with the Auditor role have read access to the complete trail for any document or user.

Reporting a security concern

If you spot something that looks like a security issue (a vulnerability, a suspicious notice, an unexpected access), email support@usemod.ai. The team triages security reports as the highest priority.
