Bank-grade security
Your books are safer here than in a spreadsheet.
Encryption, isolation, audit trail, and AI write-gates built in from day one. Read what we do — and what we deliberately don't do.
The nine pillars
How we keep your financial data safe
Encryption everywhere
256-bit AES at rest. TLS 1.3 in transit. Per-tenant encryption keys managed in a hardware key-management service. Receipts and bank attachments are encrypted before they land in object storage.
Read-only bank access
A trusted bank-connection layer brokers every link to your bank. We never see or store your credentials, only the read-only tokens. Those connections cannot initiate transfers or move money.
Row-level isolation
Every database query is scoped to your business via row-level security policies enforced at the Postgres layer. Row-level controls are designed to reduce cross-tenant data exposure.
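An added example of what "row-level security enforced at the Postgres layer" looks like in practice. This is illustrative SQL written for this page, not the product's own schema: the table, the `app_user` role and the `app.tenant_id` session setting are assumptions, and the application is assumed to bind the tenant id at the start of every transaction.

```sql
-- Added example (not the product's schema): scoping every query to one tenant
-- with Postgres row-level security. Names are illustrative.

CREATE TABLE ledger_entries (
    id           bigserial PRIMARY KEY,
    tenant_id    uuid   NOT NULL,
    occurred_on  date   NOT NULL,
    amount_cents bigint NOT NULL,
    memo         text
);

-- Enable RLS, and FORCE it so the table owner is subject to the policies too.
-- (Superusers and roles with BYPASSRLS still bypass them; see the role below.)
ALTER TABLE ledger_entries ENABLE ROW LEVEL SECURITY;
ALTER TABLE ledger_entries FORCE ROW LEVEL SECURITY;

-- A row is visible (USING) and may be written (WITH CHECK) only when its
-- tenant_id equals the tenant bound to the current transaction. NULLIF guards
-- against the empty-string value a placeholder setting has once it has been
-- touched in a session: comparing against NULL yields no rows, so an unscoped
-- session fails closed instead of seeing everything.
CREATE POLICY tenant_isolation ON ledger_entries
    USING      (tenant_id = NULLIF(current_setting('app.tenant_id', true), '')::uuid)
    WITH CHECK (tenant_id = NULLIF(current_setting('app.tenant_id', true), '')::uuid);

-- The application connects as a plain role: no superuser, no BYPASSRLS,
-- and not the table owner. (Password setup omitted.)
CREATE ROLE app_user LOGIN NOBYPASSRLS;
GRANT SELECT, INSERT, UPDATE ON ledger_entries TO app_user;
GRANT USAGE ON SEQUENCE ledger_entries_id_seq TO app_user;

-- Per request: bind the tenant with SET LOCAL, which lasts only for the
-- transaction, so a pooled connection cannot carry over the previous tenant.
BEGIN;
SET LOCAL app.tenant_id = '11111111-1111-1111-1111-111111111111';  -- constructed id
SELECT id, occurred_on, amount_cents FROM ledger_entries;          -- this tenant only
COMMIT;
```

The two things most often missed when deploying this pattern are the `FORCE` clause (without it the owning role sees every row) and the use of `SET LOCAL` rather than `SET` behind a connection pooler, since a session-level setting survives into whatever request next picks up that connection.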
AI write-gate
The AI never books a write entry without your approval (or your explicit auto-approve policy). Every proposed adjustment shows reasoning and source data before it touches the ledger.
7-year audit log
Every change to every entry — who, when, why, source. Retained 7 years by default. Exportable as an audit pack with supporting receipts on demand.
Granular roles
Owner, employee, CPA, view-only — each scoped to what they need. CPAs get a read-only portal with comment access; employees see categorized expenses but not payroll.
US-hosted, multi-region
Primary hosting in a US-East datacenter with point-in-time backups replicated to a US-West region. Recovery point objective 5 minutes; recovery time objective 1 hour.
Incident response
On-call rotation 24/7. Public status page. Customer notification within 1 hour of confirmed incident; full post-mortem within 5 business days.
Secure SDLC
Code reviewed before merge. Dependencies scanned daily. Production deploys reviewed by two engineers. Annual penetration test by a third-party firm.
Compliance
Certifications, honestly stated
No vanity badges. We tell you what we have, what's in progress, and what's not on the roadmap.
Operational hygiene
The day-to-day discipline
Security isn't a quarter-end audit. It's how we operate every day.
- All employees use hardware security keys for SSO
- Production access requires two-person approval
- Customer data is never copied to local machines
- Quarterly access review; least-privilege by default
- Backups encrypted with customer-specific keys
- No third-party access to your data without explicit consent
The deliberate nos
What we refuse to do
Security is also about restraint. Here are decisions we made on purpose.
We don't store your bank credentials.
A trusted bank-connection layer handles authentication. We only receive a read-only access token, never the username/password.
We don't initiate payments or money transfers.
Our bank connections are read-only. We literally cannot move money out of your account, even if we were compromised.
We don't sell or share your data with third parties.
No ads, no data brokers, no "anonymized aggregate insights." Your books are yours.
We don't let the AI write to your ledger without approval.
Every write — categorization, accrual, filing — runs through your approval queue, or through an explicit auto-approve policy that you can revoke at any time.
We don't silently change historical entries.
Once an entry is reconciled and locked, it stays. Adjustments are new entries with a clear audit trail back to the original.
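An added example that enforces three of the rules above at the database layer: the AI write-gate (an AI-proposed entry cannot reach the ledger without a recorded approver or auto-approve policy), the locked-entry rule (a reconciled entry cannot be edited; corrections are new entries that reference the original), and the audit trail (who, when, why, before and after). It is illustrative SQL written for this page, not the product's schema; the tables, the `app.actor` and `app.reason` settings, and all values in the walkthrough are constructed.

```sql
-- Added example (not the product's schema): write-gate, locked entries and
-- audit trail enforced in Postgres. Names and settings are illustrative.

CREATE TYPE entry_status AS ENUM ('proposed', 'approved', 'posted', 'rejected');

CREATE TABLE ledger_entries (
    id           bigserial    PRIMARY KEY,
    tenant_id    uuid         NOT NULL,
    amount_cents bigint       NOT NULL,
    category     text         NOT NULL,
    status       entry_status NOT NULL DEFAULT 'proposed',
    proposed_by  text         NOT NULL,  -- 'ai:<component>' or 'user:<id>'
    reasoning    text,                   -- shown to the approver with the proposal
    source_ref   text,                   -- bank transaction or receipt behind the entry
    approved_by  text,                   -- 'user:<id>' or 'policy:<auto-approve rule>'
    locked       boolean      NOT NULL DEFAULT false,        -- set on reconciliation
    adjusts_id   bigint       REFERENCES ledger_entries (id),  -- correction -> original
    -- The write-gate: an AI-proposed entry can only become 'posted' once an
    -- approver (a person or an explicit auto-approve policy) is recorded.
    CONSTRAINT ai_needs_approval CHECK (
        status <> 'posted' OR proposed_by NOT LIKE 'ai:%' OR approved_by IS NOT NULL
    )
);

-- Who, when, why, and the before/after image of every change.
CREATE TABLE ledger_audit (
    id         bigserial   PRIMARY KEY,
    entry_id   bigint      NOT NULL,
    changed_at timestamptz NOT NULL DEFAULT now(),
    changed_by text        NOT NULL,
    reason     text,
    old_row    jsonb,
    new_row    jsonb       NOT NULL
);

CREATE OR REPLACE FUNCTION ledger_guard() RETURNS trigger AS $$
BEGIN
    IF TG_OP = 'DELETE' THEN
        RAISE EXCEPTION 'ledger entry % cannot be deleted', OLD.id;
    END IF;
    -- Reconciled entries are immutable; corrections are new rows via adjusts_id.
    IF TG_OP = 'UPDATE' AND OLD.locked THEN
        RAISE EXCEPTION 'entry % is locked; post an adjustment that references it', OLD.id;
    END IF;
    -- Actor and reason are bound per transaction by the application;
    -- fall back to the database session user if the actor is missing.
    INSERT INTO ledger_audit (entry_id, changed_by, reason, old_row, new_row)
    VALUES (NEW.id,
            COALESCE(NULLIF(current_setting('app.actor', true), ''), session_user::text),
            NULLIF(current_setting('app.reason', true), ''),
            CASE WHEN TG_OP = 'UPDATE' THEN to_jsonb(OLD) END,
            to_jsonb(NEW));
    RETURN NEW;
END;
$$ LANGUAGE plpgsql;

CREATE TRIGGER ledger_guard
    BEFORE INSERT OR UPDATE OR DELETE ON ledger_entries
    FOR EACH ROW EXECUTE FUNCTION ledger_guard();

-- Walkthrough with constructed values. 1) The AI proposes a categorization:
BEGIN;
SET LOCAL app.actor  = 'ai:categorizer';
SET LOCAL app.reason = 'categorization proposal';
INSERT INTO ledger_entries (tenant_id, amount_cents, category, proposed_by, reasoning, source_ref)
VALUES ('11111111-1111-1111-1111-111111111111', -4250, 'Office supplies', 'ai:categorizer',
        'Merchant matched 12 earlier entries in this category', 'bank_txn:example-1');
COMMIT;

-- 2) Posting it with no approver recorded is rejected by ai_needs_approval:
UPDATE ledger_entries SET status = 'posted' WHERE id = 1;            -- ERROR

-- 3) The owner approves it from the queue; the audit row records who and why:
BEGIN;
SET LOCAL app.actor  = 'user:owner';
SET LOCAL app.reason = 'approved in review queue';
UPDATE ledger_entries SET status = 'posted', approved_by = 'user:owner' WHERE id = 1;
COMMIT;

-- 4) Once reconciled and locked, the entry can no longer be edited ...
UPDATE ledger_entries SET locked = true WHERE id = 1;
UPDATE ledger_entries SET amount_cents = -4200 WHERE id = 1;        -- ERROR: locked

-- ... so the correction is a new entry that points back at the original:
INSERT INTO ledger_entries (tenant_id, amount_cents, category, status, proposed_by,
                            approved_by, adjusts_id, reasoning)
VALUES ('11111111-1111-1111-1111-111111111111', 50, 'Office supplies', 'posted',
        'user:owner', 'user:owner', 1, 'Correct 50-cent overstatement on entry 1');
```

Putting the gate in a CHECK constraint and the lock in a trigger means the rules hold for every code path that reaches the table, including an AI component, a batch job or an operator with a SQL client, rather than only for the application code that remembers to ask for approval. The audit table is written inside the same transaction as the change, so a change and its audit record commit or roll back together.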
Questions? Talk to security.
Send a security questionnaire, request a penetration test summary, or set up a security review call with our team.
