Security

How we handle your data

We take the security of our customers' and their clients' sensitive data very seriously. This page explains our security program and operational posture.

01 Customer Data Residency

Your clients’ financial data and credentials are stored in the region consistent with your clients’ U.S.-based operations.

02 Data in transit and at rest

We serve HSTS headers and participate in the HSTS preload list used by major browser vendors. Our application does not accept unencrypted connections or TLS connections below version 1.2, and it achieves an A+ rating from the Qualys SSL Labs server test. Data is encrypted at rest and in transit.

03 Access controls

Because of the way our application interacts with customer systems, including legacy systems that don’t support modern delegated authentication methods, we hold a variety of credentials in different forms. Our policy is to accept and store only credentials from your clients that are limited in scope. In particular, we do not accept credentials that have the ability to move money in or out of your clients’ bank accounts.

All of your clients’ credentials are stored encrypted at rest and in transit. Access to your clients’ credentials in our application is gated by a role-based access control system to ensure that only those users with a confirmed business need may access them. Any access via our application is logged.

04 Authentication

Our internal systems authenticate via Single Sign-On (SSO) with mandatory Multifactor Authentication (MFA) and limited session lengths.

Customer credentials for our application are salted and hashed before storage. Users may reset their password via a secure tokenized link sent to the email address on file. Login attempts are rate-limited. All authentication requests and actions are logged.

05 Infrastructure

Our primary relational database is encrypted at rest and is not used to store any information considered an application secret. It is regularly backed up, and we have a data restoration plan that has been tested in production.

06 Security review

We have undergone third-party security reviews of our application, deployment practices, infrastructure security and configuration, and corporate security practices. By policy, high-severity findings are prioritized.

We have a policy of requiring security-specialist review of any code changes affecting authentication or authorization models. This is in addition to standard code review and continuous integration test suite requirements.

07 Incident response

We have and follow a written process for managing security incidents, including incidents related to vulnerabilities with no evidence of active exploitation.

08 A note on bookkeeping data

Our bookkeeping services run on QuickBooks Online (QBO), a third-party application by Intuit. Intuit is responsible for the security and availability of QBO.

Questions?

Talk to our team about your firm's security requirements.