Information Security Policy
Policy version 1.0 · Effective April 2026 · Last reviewed April 2026
BookKeeping.business maintains a documented information security policy and operationalized procedures to identify, mitigate, and continuously monitor information security risks relevant to our business and the financial data we process on behalf of our clients.
Policy Statement
BookKeeping.business is committed to protecting the confidentiality, integrity, and availability of all client financial data and information assets. This policy establishes the framework for our information security program, including risk assessment, access controls, data protection, vendor management, incident response, and ongoing monitoring. All personnel, contractors, and third-party service providers with access to client data are bound by this policy.
- Encryption: TLS (256-bit encryption) in transit, AES-256 at rest across all systems and storage
- Access Control: Role-based access, MFA enforced, least-privilege principle
- Monitoring: Continuous logging, anomaly detection, and real-time alerting
- Data Protection: Encrypted storage, automated backups, geographic redundancy
- Incident Response: Documented IR plan with defined roles, escalation, and notification
- Continuous Review: Annual policy review, quarterly risk assessments, ongoing training
1. Scope and Applicability
This policy applies to all information assets owned, operated, or managed by BookKeeping.business, including:
- Client financial data (transactions, bank records, tax documents, payroll records, receipts)
- Our web application and client portal hosted on Vercel
- Our database and file storage infrastructure on Supabase (PostgreSQL + Storage)
- Third-party vendor platforms used in service delivery (detailed in Section 8)
- Internal systems, credentials, API keys, and operational tooling
- All personnel, contractors, and authorized third parties with access to the above
2. Risk Identification and Assessment
We maintain a formal risk assessment process to identify, evaluate, and prioritize information security risks:
2.1 Risk Assessment Methodology
- Frequency: Comprehensive risk assessments are conducted annually, with targeted assessments performed when significant changes occur (new vendors, infrastructure changes, new service offerings).
- Scope: Assessments cover all information assets, data flows, access points, vendor integrations, and operational processes.
- Classification: Risks are classified by likelihood and impact using a standardized risk matrix (Critical, High, Medium, Low).
- Ownership: Each identified risk is assigned an owner responsible for implementing and monitoring mitigation controls.
2.2 Key Risk Categories
- Unauthorized access to client financial data
- Data breach or exfiltration from application or database layer
- Credential compromise (staff, API keys, service accounts)
- Third-party vendor security incidents
- Data loss due to infrastructure failure or human error
- Regulatory non-compliance (IRS, state tax authorities, financial regulations)
- Social engineering and phishing attacks targeting staff
3. Risk Mitigation Controls
3.1 Data Encryption
- In transit: All data transmitted between clients, our application, and third-party services is encrypted using TLS 1.2 or higher with 256-bit encryption.
- At rest: All data stored in our database (Supabase PostgreSQL) and file storage (Supabase Storage) is encrypted using AES-256 encryption.
- Secrets management: API keys, database credentials, and service tokens are stored in encrypted environment variables managed by Vercel. Secrets are never committed to source code or transmitted in plaintext.
3.2 Access Controls
- Authentication: All user access requires email/password authentication via Supabase Auth with session-based cookie management. Multi-factor authentication (MFA) is enforced for all administrative and staff accounts.
- Authorization: Row-Level Security (RLS) is enforced at the database level. Users can only access data belonging to their own organization. Administrative operations require a separate service role key.
- Least privilege: Staff access to client data is granted on a need-to-know basis. Database service role keys are restricted to server-side operations and never exposed to client-side code.
- Session management: Sessions are managed via secure, HTTP-only cookies with appropriate expiration. Inactive sessions are terminated automatically.
3.3 Application Security
- Input validation: All user inputs are validated and sanitized server-side before processing.
- Parameterized queries: All database operations use parameterized queries to prevent SQL injection.
- CSRF protection: Cross-site request forgery protections are implemented via Supabase Auth session tokens.
- Dependency management: Third-party dependencies are monitored for known vulnerabilities. Critical patches are applied within 48 hours of disclosure.
- Webhook verification: All inbound webhooks (Stripe, Gusto, Postmark) are verified using cryptographic signatures before processing.
3.4 Infrastructure Security
- Hosting: Our application is hosted on Vercel, which maintains SOC 2 Type II compliance, with automatic DDoS protection and edge network security.
- Database: Our database is hosted on Supabase (AWS infrastructure), which maintains SOC 2 Type II compliance with automated backups, point-in-time recovery, and geographic redundancy.
- No self-managed servers: We do not operate physical servers or self-managed cloud instances. All infrastructure is managed by SOC 2 compliant platform providers, reducing our attack surface.
4. Monitoring and Detection
- Audit logging: All data access, modifications, and administrative actions are logged with timestamps, user identifiers, and action details.
- Anomaly detection: Unusual access patterns (e.g., bulk data exports, access from new locations, repeated failed authentication attempts) trigger automated alerts.
- Uptime monitoring: Application availability is monitored continuously with automated alerting for downtime or degraded performance.
- Vendor monitoring: We monitor the security posture and incident disclosures of all third-party vendors used in service delivery.
- Stripe webhook monitoring: Payment webhook delivery and processing are monitored for failures, with automatic retry handling.
5. Incident Response
We maintain a documented Incident Response Plan (IRP) that defines procedures for detecting, responding to, and recovering from security incidents:
5.1 Incident Classification
| Severity | Definition | Response Time |
|---|---|---|
| Critical | Confirmed data breach, unauthorized access to client financial data, or compromise of authentication systems | Immediate (within 1 hour) |
| High | Suspected unauthorized access, credential compromise, or vendor security incident affecting our data | Within 4 hours |
| Medium | Vulnerability discovered in application or dependency, failed intrusion attempt, or policy violation | Within 24 hours |
| Low | Minor configuration issue, non-exploitable vulnerability, or informational security event | Within 72 hours |
5.2 Response Procedures
- Containment: Immediately isolate affected systems, revoke compromised credentials, and block unauthorized access vectors.
- Investigation: Determine the scope, root cause, and impact of the incident through log analysis and forensic review.
- Notification: Affected clients are notified within 72 hours of a confirmed breach, in compliance with applicable state breach notification laws. Regulatory authorities are notified as required.
- Remediation: Implement fixes to prevent recurrence, update security controls, and document lessons learned.
- Post-incident review: Conduct a formal review within 14 days of incident resolution to update risk assessments and improve controls.
6. Personnel Security
- Background checks: All personnel with access to client financial data undergo background verification before access is granted.
- Security training: All staff complete information security awareness training upon onboarding and annually thereafter. Training covers phishing recognition, data handling procedures, and incident reporting.
- Acceptable use: All personnel acknowledge and adhere to an acceptable use policy governing the handling of client data, use of company systems, and security responsibilities.
- Offboarding: When personnel leave the organization, all access is revoked within 24 hours, including application accounts, API keys, vendor platform access, and email.
7. Data Protection and Privacy
- Data classification: All client data is classified as Confidential. Internal operational data is classified as Internal. Public-facing content is classified as Public.
- Data minimization: We collect and retain only the data necessary to deliver our services. Unnecessary data is not collected.
- Data retention: Client data is retained for the duration of the engagement. Tax preparation data is retained for 3 years post-filing per IRS guidelines. All other data is permanently deleted within 7 days of engagement end. See our Data Retention and Disposal Policy for full details.
- Data sharing: Client data is never sold, rented, or shared with third parties for marketing purposes. Data is shared only with the vendor platforms necessary to deliver our services (see Section 8).
8. Third-Party Vendor Management
BookKeeping.business uses industry-leading third-party platforms to deliver our services. Each vendor is selected based on their security posture, compliance certifications, and data handling practices. We maintain a vendor risk register and review vendor security annually.
| Vendor | Purpose | Data Stored | Compliance |
|---|---|---|---|
| Intuit QuickBooks Online | Accounting platform — general ledger, chart of accounts, financial reports | Transaction data, vendor/customer records, financial statements | SOC 1 & SOC 2 Type II, PCI DSS |
| Gusto | Payroll processing — employee payroll, tax withholding, W-2/1099 filing | Employee PII, SSNs, bank account info, payroll records | SOC 1 & SOC 2 Type II |
| Bill.com | AP/AR automation — vendor bill payments, customer invoicing, ACH/check processing | Vendor/customer records, payment details, bank routing info | SOC 1 & SOC 2 Type II, PCI DSS |
| Supabase | Database and file storage — client portal data, documents, receipts | Client records, uploaded documents, portal data | SOC 2 Type II (AWS infrastructure) |
| Stripe | Payment processing — subscription billing, checkout sessions | Payment card data (tokenized), billing records | PCI DSS Level 1, SOC 2 Type II |
| Vercel | Application hosting — web application, API routes, edge network | Application code, environment variables (encrypted) | SOC 2 Type II |
| Plaid | Bank account connectivity — secure bank feed access for transaction data | Bank account tokens (no credentials stored by us) | SOC 2 Type II, ISO 27001 |
8.1 Vendor Security Requirements
- All vendors processing client data must maintain SOC 2 Type II certification or equivalent.
- Vendors must encrypt data in transit (TLS 1.2+) and at rest (AES-256 or equivalent).
- Vendors must provide breach notification within 72 hours of a confirmed incident.
- We review vendor security certifications and incident history annually.
- Vendor access to client data is limited to the minimum necessary for service delivery.
8.2 Data Flow Transparency
Client financial data flows through the following systems as part of our service delivery:
- Bank transactions: Fetched via Plaid (tokenized access) or manually uploaded by the client → stored in our Supabase database → synced to QuickBooks Online for reconciliation.
- Payroll data: Employee information entered in Gusto → payroll processed by Gusto → payroll journal entries synced to QuickBooks Online.
- AP/AR data: Vendor bills and customer invoices processed through Bill.com → payment execution via ACH/check → synced to QuickBooks Online.
- Receipts and documents: Uploaded to our portal → stored in Supabase Storage (encrypted) → processed by our AI extraction pipeline → categorized in QuickBooks Online.
- Subscription payments: Processed by Stripe → payment card data is tokenized and never stored on our servers.
At no point does BookKeeping.business store raw bank credentials, payment card numbers, or Social Security numbers on our own servers. Sensitive credentials are managed exclusively by the respective vendor platforms (Plaid for bank access, Stripe for payment cards, Gusto for employee SSNs).
9. Business Continuity
- Automated backups: Database backups are performed automatically by Supabase with point-in-time recovery capability. Backups are encrypted and stored in a geographically separate region.
- Redundancy: Our application is deployed across Vercel's global edge network with automatic failover. Database infrastructure runs on AWS with multi-availability-zone redundancy.
- Recovery objectives: Recovery Time Objective (RTO): 4 hours. Recovery Point Objective (RPO): 1 hour.
- Vendor continuity: All critical vendor platforms (QuickBooks, Gusto, Bill.com, Supabase, Stripe) maintain their own business continuity and disaster recovery programs with published SLAs.
10. Compliance
- IRS regulations: We comply with IRS recordkeeping requirements for tax preparers, including data retention periods and preparer identification requirements.
- State regulations: We comply with applicable state data breach notification laws and financial services regulations.
- PCI DSS: We do not store, process, or transmit cardholder data directly. All payment processing is handled by Stripe (PCI DSS Level 1 certified). Our application is designed to maintain PCI DSS compliance through tokenization.
- SOC 2 alignment: Our security controls are aligned with SOC 2 Trust Service Criteria (Security, Availability, Confidentiality). All infrastructure vendors maintain SOC 2 Type II certification.
11. Policy Governance
- Policy owner: The Information Security Policy is owned and maintained by the BookKeeping.business leadership team.
- Review cycle: This policy is reviewed and updated at least annually, or whenever significant changes occur to our systems, vendors, or regulatory environment.
- Exception process: Any exceptions to this policy must be documented, risk-assessed, approved by leadership, and reviewed quarterly.
- Enforcement: Violations of this policy may result in disciplinary action, up to and including termination of employment or contract, and may be reported to relevant authorities.
12. Contact
For questions about this policy, to report a security concern, or to request information about our security practices:
Email: security@bookkeeping.business
General inquiries: hello@bookkeeping.business
Security concerns are triaged within 4 hours during business hours.
Related Policies
- Privacy Policy — How we collect, use, and protect personal information
- Data Retention and Disposal Policy — Retention periods and secure disposal procedures
- Terms of Service — Service agreement and client responsibilities