Your client data, protected like ours.
Bookkeeping data is sensitive: bank lines, vendor patterns, owner contact details. We treat it like medical records. Below is exactly what we do, what we don't do, and what we're still working on. No marketing claims we can't back up.
Compliance
SOC 2 Type I
In progress with Drata. Audit window Jun – Sep 2026. Type II planned 12 months after Type I closes.
GDPR / CCPA
Data subject requests honored within 30 days. Export and delete are self-serve in Settings. We don't sell or share data, ever.
PCI DSS
We never store card data. Stripe handles all payment processing as a PCI Level 1 provider.
Intuit App Partner
QBO API access is granted through Intuit's official partner program. Quarterly security review by Intuit.
Bank credentials
We never see them. Bank connections go through Plaid via OAuth. The token Ledger holds can pull transactions but cannot move money, change passwords, or read non-bank data. You can revoke it at any time from Settings → Bank connections or directly at your bank's portal.
Data at rest
- All customer data is stored in Postgres on AWS us-east-1, encrypted with AES-256 at the volume level.
- Per-firm row-level security in the database — there is no application path that can read across firms, even if the application had a bug.
- Sensitive fields (owner email, phone, account numbers) are additionally encrypted at the column level with rotating keys.
- Backups are encrypted, retained 30 days on Pro and 1 year on Team, and destroyed on firm deletion.
Data in transit
TLS 1.3 only, with HSTS preload; we don't downgrade. All outbound mail, including mail from auth@ledgerinbox.com, is DKIM-signed and covered by SPF and DMARC; replies use a unique reply-to token to prevent forwarding leaks.
What the AI sees
The categorization model (Claude Sonnet) receives only the bank-line description, the amount, the date, and your firm's policy memory for that vendor. It never sees balances, payroll details, client contact info, or any data outside the categorization context. All prompts and completions are logged for audit; no training is done on customer data.
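The per-firm row-level security described under "Data at rest" and the field minimization described above can be shown together in one PostgreSQL script. This is an added example and not Ledger's schema or code: the table, column and role names are assumptions, and the firm ids, rows and policy memo are constructed. It keys the policies on a session variable set once per request (fail-closed when unset, forced even for the table owner), then defines a view that hands the categorization step only the description, amount, date and vendor policy, never balances or contact details.

```sql
-- Added example, not Ledger's schema. Names are illustrative.

CREATE TABLE bank_lines (
    id            bigserial     PRIMARY KEY,
    firm_id       uuid          NOT NULL,
    posted_on     date          NOT NULL,
    amount        numeric(14,2) NOT NULL,
    description   text          NOT NULL,
    vendor_key    text,                      -- normalized vendor id, derived elsewhere
    balance_after numeric(14,2),             -- must never reach the model
    owner_email   text                       -- must never reach the model
);

CREATE TABLE vendor_policy (
    firm_id     uuid NOT NULL,
    vendor_key  text NOT NULL,
    policy_memo text NOT NULL,               -- the firm's "policy memory" for this vendor
    PRIMARY KEY (firm_id, vendor_key)
);

-- Constructed seed data, inserted as the table owner before RLS is enforced.
INSERT INTO bank_lines (firm_id, posted_on, amount, description, vendor_key, balance_after, owner_email) VALUES
  ('11111111-1111-1111-1111-111111111111', '2026-05-01', -42.00, 'AWS EMEA',      'aws',    1000.00, 'owner-a@example.com'),
  ('22222222-2222-2222-2222-222222222222', '2026-05-02', -99.00, 'STRIPE PAYOUT', 'stripe', 5000.00, 'owner-b@example.com');
INSERT INTO vendor_policy VALUES
  ('11111111-1111-1111-1111-111111111111', 'aws', 'Hosting expense, account 6200');

-- The application connects as a plain role. Superusers and roles with
-- BYPASSRLS skip policies entirely, so the app must never run as one.
CREATE ROLE app_rw NOLOGIN;
GRANT SELECT, INSERT, UPDATE, DELETE ON bank_lines, vendor_policy TO app_rw;
GRANT USAGE ON SEQUENCE bank_lines_id_seq TO app_rw;

ALTER TABLE bank_lines    ENABLE ROW LEVEL SECURITY;
ALTER TABLE bank_lines    FORCE  ROW LEVEL SECURITY;   -- applies to the table owner too
ALTER TABLE vendor_policy ENABLE ROW LEVEL SECURITY;
ALTER TABLE vendor_policy FORCE  ROW LEVEL SECURITY;

-- current_setting(name, true) returns NULL when app.firm_id was never set;
-- "firm_id = NULL" is never true, so an unpinned session sees no rows.
CREATE POLICY firm_isolation ON bank_lines
    USING      (firm_id = current_setting('app.firm_id', true)::uuid)
    WITH CHECK (firm_id = current_setting('app.firm_id', true)::uuid);

CREATE POLICY firm_isolation ON vendor_policy
    USING      (firm_id = current_setting('app.firm_id', true)::uuid)
    WITH CHECK (firm_id = current_setting('app.firm_id', true)::uuid);

-- Minimal projection for the categorization model. security_invoker
-- (PostgreSQL 15+) evaluates the view with the caller's privileges, so the
-- policies above still apply; a default view runs as its owner, and if that
-- owner had BYPASSRLS the projection would quietly become cross-firm.
CREATE VIEW categorization_input
    WITH (security_invoker = true) AS
SELECT b.id,
       b.posted_on,
       b.amount,
       b.description,
       p.policy_memo
FROM bank_lines b
LEFT JOIN vendor_policy p
       ON p.firm_id = b.firm_id AND p.vendor_key = b.vendor_key;

GRANT SELECT ON categorization_input TO app_rw;

-- Check: a request pinned to firm A cannot read or write firm B.
BEGIN;
SET LOCAL ROLE app_rw;      -- the executing user must be a member of app_rw
SET LOCAL app.firm_id = '11111111-1111-1111-1111-111111111111';

SELECT * FROM categorization_input;
-- one row: 2026-05-01, -42.00, 'AWS EMEA', 'Hosting expense, account 6200'
-- (no balance_after, no owner_email column exists in the view)

SELECT count(*) FROM bank_lines
WHERE firm_id = '22222222-2222-2222-2222-222222222222';
-- 0: the USING clause filters firm B even though the WHERE names it explicitly

-- Uncommenting the next statement aborts the transaction:
-- INSERT INTO bank_lines (firm_id, posted_on, amount, description)
-- VALUES ('22222222-2222-2222-2222-222222222222', '2026-05-03', -1.00, 'x');
-- ERROR: new row violates row-level security policy for table "bank_lines"
COMMIT;
```

Two things are worth verifying in any deployment of this pattern: that the application's database role is neither a superuser nor marked BYPASSRLS (otherwise every policy is skipped without error), and that views over tenant tables are created with security_invoker or owned by a role that is itself subject to the policies. The session variable should be set with SET LOCAL inside the request's transaction so it cannot leak into the next request on a pooled connection.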
Vulnerability disclosure
If you find a security issue, please email security@ledgerinbox.com. We respond within one business day, fix critical issues within 7 days, and pay bounties for verified findings ($100 – $5,000 depending on severity). Our PGP key is at ledgerinbox.com/.well-known/security.txt.
Hall of fame
Researchers who have responsibly disclosed issues to us. Sarah Kim (RBAC bypass, Mar '26 — fixed in 4h). @nullcaller (CSRF on rule import, Apr '26 — fixed in 12h). Tanvir A. (Plaid token leak via export, May '26 — fixed in 2h).
What we don't do
- Sell, share, or analyze customer data for any purpose other than running the service.
- Train AI models on customer data.
- Send marketing emails to your clients without your explicit consent.
- Allow Ledger staff to read your books in production without a documented support ticket.
Subprocessors
Vendors that touch customer data. Full DPAs available on request.
- AWS (us-east-1) — infrastructure, encrypted storage
- Plaid — bank data aggregation
- Intuit / QuickBooks — accounting platform integration
- Anthropic — categorization model (no training, zero-retention)
- Stripe — payment processing
- WorkOS — SSO/SCIM (Team plan only)
- Veryfi / Mindee — receipt OCR