Security, taken personally.
It's your money and your business. Here is exactly how we treat the data that describes both.
Bank credentials never touch us
Bank connections go through Plaid, the same provider used by Venmo and American Express. You authenticate directly with your bank inside Plaid's secure widget. SmallBooks never sees your banking username or password.
Access tokens encrypted at rest
The tokens Plaid issues us are encrypted with AES-256-GCM before they're stored, and are only ever decrypted inside our API at the moment of a sync. They are never sent to your browser.
Tenant isolation at the database layer
Every row of your data is bound to your organization, enforced by PostgreSQL row-level security; isolation is a database guarantee, not an application convention.
Private file storage
Receipts and statements live in private object storage with organization-scoped paths. Files are only served through our API after your membership is verified, there are no public URLs.
Encryption in transit
All traffic, browser to app, app to API, API to providers, is TLS-encrypted. Our domains are HTTPS-only.
Least-privilege team access
Module-based permissions let you give a bookkeeper reports without invoices, or a partner bills without banking. The server enforces access on every request; hiding a button is never the security boundary.
Accountable changes
Payments, voids, deletions, permission changes, and period locks are written to an audit log, and books can be locked after closing so history can't quietly change.
Your data is yours
We don't sell or share your financial data, and we don't train AI models on it. Export your reports any time; delete your organization and its data, including files and bank connections, whenever you choose.
Found a vulnerability? Please report it to [email protected] , we take reports seriously and respond quickly.