Your client data, protected like ours.
Bookkeeping data is sensitive: bank lines, vendor patterns, owner contact details. We treat it like medical records. Below is exactly what we do, what we don't do, and what we're still working on. No marketing claims we can't back up.
Compliance
SOC 2
Not yet certified. We plan to engage an auditor (Drata or Vanta) once we're at Team-plan scale. This badge will update with the real audit window when work begins.
GDPR / CCPA
We don't sell or share data. You can export your firm's data from Settings and delete the firm from Danger Zone, which purges every row scoped to it. Formal data-subject request workflow ships with the Team plan.
PCI DSS
We never see or store card data. Stripe handles all payment processing as a PCI Level 1 provider.
Intuit App Partner
QBO integration uses Intuit's App Partner OAuth program. We're currently in their developer sandbox; production approval is a separate Intuit review that we'll be transparent about when it lands.
Bank credentials
We never see them. Bank connections go through Plaid via OAuth. The token Ledger holds can pull transactions but cannot move money, change passwords, or read non-bank data. You can revoke it at any time from Settings → Bank connections or directly at your bank's portal.
Data at rest
- All customer data is stored in Postgres on Supabase (AWS us-east-1), encrypted at the volume level with AES-256.
- Per-firm row-level security in the database — every query is scoped to the caller's firm at the DB level, not just in application code, so a bug in our app can't leak rows across firms.
- Third-party API tokens (QuickBooks Online, etc.) are additionally encrypted at the column level with AES-256-GCM before being written to the database.
- Backups are encrypted by Supabase. Daily point-in-time recovery retention follows our hosting tier; firm deletion purges every row scoped to that firm.
Data in transit
TLS 1.2+ enforced end-to-end via Vercel's edge. HSTS is set on every response with a 1-year max-age. Outbound transactional email is signed with SPF and DKIM through Resend.
What the AI sees
The categorization model (OpenAI GPT-4o-mini, with Claude Sonnet as a configurable alternative) receives only the bank-line description, the amount, the date, and your firm's policy memory for that vendor. It never sees balances, payroll details, client contact info, or any data outside the categorization context. We use the API tier of both providers, which by their published terms does not train on API inputs by default.
Vulnerability disclosure
If you find a security issue, please email security@ledgerinbox.com. We'll acknowledge your report and work with you on a coordinated disclosure timeline. We don't run a paid bug bounty program yet — when we do, this page will say so with the published scope and payout table.
What we don't do
- Sell, share, or analyze customer data for any purpose other than running the service.
- Train AI models on customer data.
- Send marketing emails to your clients without your explicit consent.
- Allow Ledger staff to read your books in production without a documented support ticket.
Subprocessors
Vendors that touch customer data. Full DPAs available on request.
- Supabase (on AWS us-east-1) — Postgres, auth, file storage
- Vercel — application hosting & edge runtime
- Plaid — bank data aggregation
- Intuit / QuickBooks — accounting platform integration
- Anthropic / OpenAI — transaction categorization (API tier, no training)
- Stripe — billing & payment processing
- Inngest — background job execution
- Veryfi — receipt OCR
- Resend — transactional email (magic-link sign-in)