/Security
← HomeReport a vulnerability
Security & compliance

Your client data, protected like ours.

Bookkeeping data is sensitive: bank lines, vendor patterns, owner contact details. We treat it like medical records. Below is exactly what we do, what we don't do, and what we're still working on. No marketing claims we can't back up.

Compliance

SOC 2

Not yet certified. We plan to engage an auditor (Drata or Vanta) once we're at Team-plan scale. This badge will update with the real audit window when work begins.

GDPR / CCPA

We don't sell or share data. You can export your firm's data from Settings and delete the firm from Danger Zone, which purges every row scoped to it. Formal data-subject request workflow ships with the Team plan.

PCI DSS

We never see or store card data. Stripe handles all payment processing as a PCI Level 1 provider.

Intuit App Partner

QBO integration uses Intuit's App Partner OAuth program. We're currently in their developer sandbox; production approval is a separate Intuit review that we'll be transparent about when it lands.

Bank credentials

We never see them. Bank connections go through Plaid via OAuth. The token Ledger holds can pull transactions but cannot move money, change passwords, or read non-bank data. You can revoke it at any time from Settings → Bank connections or directly at your bank's portal.

Data at rest

Data in transit

TLS 1.2+ enforced end-to-end via Vercel's edge. HSTS is set on every response with a 1-year max-age. Outbound transactional email is signed with SPF and DKIM through Resend.

What the AI sees

The categorization model (OpenAI GPT-4o-mini, with Claude Sonnet as a configurable alternative) receives only the bank-line description, the amount, the date, and your firm's policy memory for that vendor. It never sees balances, payroll details, client contact info, or any data outside the categorization context. We use the API tier of both providers, which by their published terms does not train on API inputs by default.

Vulnerability disclosure

If you find a security issue, please email security@ledgerinbox.com. We'll acknowledge your report and work with you on a coordinated disclosure timeline. We don't run a paid bug bounty program yet — when we do, this page will say so with the published scope and payout table.

What we don't do

Subprocessors

Vendors that touch customer data. Full DPAs available on request.