AI-powered Bookkeeping and Finance for Startups

Security and Data Privacy

Date posted: November 1, 2023

Personally Identifiable Information (PII)

  • We do not ask users for unnecessary personal information

  • We do not store any PII


Data storage

User authentication

  • We use Supabase Auth for authentication. Supabase Auth issues JSON Web Tokens (JWTs) that the data layer verifies on every request, which makes the authenticated user's identity available to database policies (see Authorization below). Supabase is SOC 2 Type 2 compliant.


Authorization

  • We enforce PostgreSQL Row Level Security (RLS), which restricts access to table data row by row, so each user can only read or modify the rows they are authorized for

  • Data is encrypted at rest with AES-256 and in transit with TLS

  • Sensitive values such as access tokens and keys are encrypted at the application level before they are written to the database, so a database read alone does not expose them


SOC 2 compliance

  • We do not currently hold a SOC 2 report. We plan to complete a SOC 2 Type 1 audit within 4 weeks and aim to obtain a SOC 2 Type 2 report by Q1 next year


Risk management

  • The controls above apply to financial data as well, but the risks differ from generic PII exposure and should be treated separately: for example, leaked bank account and routing details enable ACH fraud


Email Authentication - SPF, DKIM and DMARC

  • DMARC: publish a policy of quarantine or reject. A message passes DMARC if either SPF or DKIM passes and the authenticated domain aligns with the From: header domain; with p=none, failures are only reported, so spoofed mail is still delivered

  • SPF: a DNS TXT record listing the IP addresses (directly or via include: mechanisms) authorized to send mail for the domain; mail from any other host fails SPF

  • DKIM: the sending service signs each outbound message with a private key, and receivers verify the signature against the public key published in DNS. DKIM provides integrity and origin authentication; it does not encrypt the message

  • We publish a DMARC record with p=quarantine and a DKIM public key in our DNS zone

    Records can be verified with https://dmarcian.com/domain-checker/


Google Workspace

Password and security

  • 2-Step Verification is enabled for every employee

  • Security key: passkeys, using Touch ID on a MacBook or an iPhone as the authenticator, so a separate YubiKey is not required


Access and data control

  • Employees are restricted from granting third-party OAuth access to their Gmail and Google Drive

  • HR identity manager: Rippling

  • Authentication policy: every teammate is required to enable MFA with a security key

  • Password manager: Keeper

  • SSO is connected to Rippling

  • 2FA is enforced for all teammates so that a compromised Rippling account does not by itself give access to Google Workspace


Source code security - Github

  • We require our engineers to create their GitHub account with their tyrtruewind.com email address

  • 2FA is enforced on every GitHub account


Security practices

Hosting

  • Cloud hosting: all server-side components of our application are hosted on Vercel, a third-party (off-premise) cloud platform


Governance documented policy and operational information security program

  • Asset management: discovering and maintaining visibility into all network endpoints connected to the production networks

  • Vulnerability management: vulnerability scans are performed against employee devices

  • Endpoint security: security tools and agents are deployed to protect employee devices


Personal Devices Policy

  • We allow employee and contractor personal devices to be used for carrying out job responsibilities; these devices are centrally managed by us


Access Controls

  • We have defined processes for requesting, granting, reviewing, approving, and revoking access to production assets and data

  • We have deployed strong factors of authentication (e.g. 2-factor authentication) for all production assets


Change Controls

  • We have a defined process for building and releasing code changes to production assets

  • We do NOT logically enforce testing of code changes before they are deployed to production assets

  • We logically enforce the review and approval of code changes before they are deployed to production assets


Cryptography

  • We use TLS 1.2 or better for all client-server communications

  • We do NOT apply application-level encryption to consumer data retrieved from the Plaid API at rest (unlike access tokens and keys, see Authorization above)


Logging and Monitoring

  • We maintain robust audit trails and logs for all material events that occur in our production assets

  • We have monitoring and alerting mechanisms for real-time detection and triage of events that may negatively impact the security of production assets


Incident Management

  • We do NOT have a defined process for detecting, triaging, and resolving security impacting incidents


Network Segmentation

  • Our cloud production networks are segmented according to the sensitivity of the assets in each sub-network and the exposure they need to the public internet


Awareness and Training


Data Retention Policy

Purpose

  • The purpose of this data retention policy is to establish guidelines for the retention and disposal of company data in order to ensure compliance with legal and regulatory requirements, safeguard sensitive information, and manage storage resources efficiently.


Scope

  • This policy applies to all employees, contractors, and third parties who handle company data in any form, including electronic and physical records.


Data Classification

  • Data should be classified into categories based on its sensitivity and importance. Common classifications include:
    a. Confidential / Highly Sensitive: data that contains personally identifiable information (PII), financial information, trade secrets, or other sensitive information that requires strict protection.
    b. Internal / Operational: data that is important for day-to-day operations but has a lower level of sensitivity.
    c. Public: data intended for public consumption that does not require any special protection.


Retention Period

  • Each data category should have a specified retention period, determined by legal, regulatory, and business requirements. Retention periods vary with the type of data and the applicable laws. Examples:
    a. Confidential / Highly Sensitive: retain for a minimum of 1 year after the end of the business relationship or the legal requirement.
    b. Internal / Operational: retain for a minimum of 1 year after creation or receipt.
    c. Public: no specific retention period required.


Storage and Disposal

  • Data should be stored in secure and appropriate locations based on its classification. Physical records should be stored in locked cabinets or secure off-site facilities. Electronic data should be stored on secure servers with appropriate access controls.

  • When data reaches the end of its retention period, it should be disposed of in a secure and irreversible manner. The method of disposal should be appropriate for the data format, ensuring that it cannot be recovered.


Review and Compliance

  • This policy should be reviewed periodically to ensure its effectiveness and alignment with changing legal and regulatory requirements. Non-compliance with this policy may result in disciplinary action, including termination of employment or legal consequences.