Security

How we protect your financial data.

Accounting software handles sensitive data. Here's exactly what we do about it.

Our approach

Security isn't a feature — it's a constraint that shapes every decision. We default to the paranoid option: encrypt by default, log everything, grant minimum permissions, and assume breach scenarios during design. Your books deserve the same rigour as a bank's.

Infrastructure

UK Data Residency

All financial data stays in the UK

  • Database hosted in Google Cloud London (europe-west2)
  • Backups stored in UK region only
  • No data transfer outside UK jurisdiction

Encryption

Data encrypted at rest and in transit

  • TLS 1.3 for all connections
  • AES-256 encryption at rest
  • Database connections over private network

Key Management

Secure handling of encryption keys and secrets

  • Encryption keys managed via cloud KMS
  • Regular key rotation policy
  • Secrets stored outside source control
  • Environment-specific credentials only

Access Control

Strict access policies and audit trails

  • Role-based access control (RBAC)
  • All admin actions logged with IP and timestamp
  • No shared credentials, individual accounts only

Application

Data Handling

Clear boundaries on what we store and what we don’t

  • We do not store banking credentials or card numbers
  • Payment processing handled entirely by Stripe
  • Financial data is read-only where possible
  • Sensitive fields are minimised and tokenised where applicable
  • Customer data is never used for testing or development

Authentication

Secure login with modern standards

  • Argon2id password hashing (64MB memory, timeCost 3, parallelism 4)
  • JWT access tokens with 30-minute expiry, paired with rotating refresh tokens
  • Secure, HTTP-only cookie storage for tokens
  • Optional TOTP two-factor authentication
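
An added illustration of the token scheme in the list above (not SpeyBooks code): access tokens with the stated 30-minute expiry, and single-use refresh tokens that rotate on every exchange. The HS256 signing, the in-memory store, the function names, and revoking the whole token family when a spent refresh token is replayed are assumptions; the page states only the expiry and that refresh tokens rotate.

```javascript
// Added example, not SpeyBooks code. Node.js built-ins only.
const crypto = require('node:crypto');

const ACCESS_TTL_S = 30 * 60;        // 30-minute access-token expiry, from the list above
const KEY = crypto.randomBytes(32);  // constructed HS256 key (assumption); keep real keys in a secret store
const b64 = (x) => Buffer.from(x).toString('base64url');
const sha256 = (s) => crypto.createHash('sha256').update(s).digest('hex');
const hmac = (data) => crypto.createHmac('sha256', KEY).update(data).digest();

function signAccess(sub, now) {
  const body = b64(JSON.stringify({ alg: 'HS256', typ: 'JWT' })) + '.' +
               b64(JSON.stringify({ sub, iat: now, exp: now + ACCESS_TTL_S }));
  return body + '.' + b64(hmac(body));
}

// The algorithm is pinned to HS256 here; the header's "alg" is never trusted.
function verifyAccess(token, now) {
  const parts = String(token).split('.');
  if (parts.length !== 3) return null;
  const [h, p, s] = parts;
  const expected = hmac(h + '.' + p);
  const given = Buffer.from(s, 'base64url');
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) return null;
  const claims = JSON.parse(Buffer.from(p, 'base64url').toString());
  return now < claims.exp ? claims : null;   // expired tokens are rejected
}

// Refresh tokens are opaque random values; only their SHA-256 hash is stored.
const refreshStore = new Map();      // hash -> { sub, family, used }
const revokedFamilies = new Set();

function issueRefresh(sub, family = crypto.randomUUID()) {
  const token = crypto.randomBytes(32).toString('base64url');
  refreshStore.set(sha256(token), { sub, family, used: false });
  return token;
}

// Each refresh token works once. Replaying a spent token revokes its family
// (assumption: a replay means the token was copied by someone else).
function rotate(refreshToken, now) {
  const rec = refreshStore.get(sha256(String(refreshToken)));
  if (!rec || revokedFamilies.has(rec.family)) return null;
  if (rec.used) { revokedFamilies.add(rec.family); return null; }
  rec.used = true;
  return { access: signAccess(rec.sub, now), refresh: issueRefresh(rec.sub, rec.family) };
}
```

Timestamps are passed in as Unix seconds so expiry can be checked deterministically; a real service would also expire refresh tokens and persist the store.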

API Security

Protected API access

  • Scoped API keys with granular permissions
  • Baseline rate limiting (100 requests/minute, varies by endpoint)
  • Request logging with full audit trail
  • CORS restricted to authorised domains

Input Validation

All inputs sanitised and validated

  • Server-side validation on all endpoints (Zod + Fastify JSON Schema)
  • Parameterised queries throughout (no SQL injection)
  • Content Security Policy headers
  • XSS protection enabled

Operations

Data Retention

Clear rules on how long we keep your data

  • Customer data is retained while the account is active
  • On cancellation, account data is retained for 90 days for export and recovery
  • After the retention window, account and financial data is permanently deleted
  • Residual backups expire automatically within their 30-day retention window
  • Full data export is available at any time via the API or dashboard
  • Record-keeping obligations under HMRC are the responsibility of the account holder

Environment Separation

Strict isolation between environments

  • Production, staging, and development environments are fully isolated
  • No production data used in non-production systems
  • Access controls enforced per environment
  • Separate credentials and secrets per environment

Backups

Regular automated backups

  • Daily automated database backups
  • Point-in-time recovery available
  • Backups tested monthly
  • Retention: 30 days

Monitoring

Real-time system monitoring

  • Uptime monitoring with alerting
  • Error tracking and logging
  • Performance metrics dashboard
  • Public status page at /status

Incident Response

Clear process for security issues

  • Critical issues acknowledged within 2 hours
  • Live issue tracking and resolution timelines published on our Transparency page
  • Post-incident reviews for all security events
  • Contact: support@speybooks.com

Compliance & Standards

Our current posture

Honest about where we are and where we're heading

  • We follow industry best practices for SaaS security
  • GDPR compliant — UK data residency, data minimisation, right to erasure
  • Controls are designed to be auditable and reviewable
  • We do not currently hold formal certifications (ISO 27001, SOC 2)

Report a Vulnerability

Found a security issue? Email support@speybooks.com with "SECURITY" in the subject line. We operate a coordinated vulnerability disclosure process — all reports are acknowledged within 24 hours and taken seriously. Please allow us reasonable time to investigate and remediate before public disclosure.