Security

Built for trust.

Bookkeepers handle some of the most sensitive data their clients have. We treat that responsibility seriously — here's exactly how your data is stored, transmitted, and isolated.

Encrypted at rest

Xero OAuth tokens (access + refresh) are encrypted with AES-256-GCM using a per-deployment 32-byte key before being written to Postgres. Even with database read access, tokens are unreadable without that key.
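A sketch of what AES-256-GCM token encryption with a 32-byte key can look like, including re-encryption under a new key. This is an added example, not ChaseDesk's code: the function names, the version byte, the blob layout and the use of the firm ID as associated data are assumptions made for illustration.

```javascript
const crypto = require('node:crypto');

const VERSION = 1;    // assumed layout marker: version | nonce | tag | ciphertext
const NONCE_LEN = 12; // 96-bit nonce, the size GCM is designed around
const TAG_LEN = 16;   // 128-bit authentication tag

// Encrypt a token for storage. A fresh random nonce is drawn on every call,
// because reusing a nonce under the same GCM key breaks confidentiality and integrity.
function encryptToken(key, token, firmId) {
  if (key.length !== 32) throw new Error('key must be 32 bytes');
  const nonce = crypto.randomBytes(NONCE_LEN);
  const cipher = crypto.createCipheriv('aes-256-gcm', key, nonce);
  // Assumption: bind the ciphertext to its owner so a blob copied into
  // another firm's row fails authentication instead of decrypting.
  cipher.setAAD(Buffer.from(firmId, 'utf8'));
  const ct = Buffer.concat([cipher.update(token, 'utf8'), cipher.final()]);
  const header = Buffer.from([VERSION]);
  return Buffer.concat([header, nonce, cipher.getAuthTag(), ct]).toString('base64');
}

// Decrypt a stored blob. Throws if the key, firm ID, or any byte of the blob is wrong.
function decryptToken(key, blob, firmId) {
  const raw = Buffer.from(blob, 'base64');
  if (raw.length < 1 + NONCE_LEN + TAG_LEN || raw[0] !== VERSION) {
    throw new Error('malformed or unsupported blob');
  }
  const nonce = raw.subarray(1, 1 + NONCE_LEN);
  const tag = raw.subarray(1 + NONCE_LEN, 1 + NONCE_LEN + TAG_LEN);
  const ct = raw.subarray(1 + NONCE_LEN + TAG_LEN);
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, nonce);
  decipher.setAAD(Buffer.from(firmId, 'utf8'));
  decipher.setAuthTag(tag);
  // final() verifies the tag; no plaintext is returned if verification fails.
  return Buffer.concat([decipher.update(ct), decipher.final()]).toString('utf8');
}

// Key rotation: decrypt under the old key, re-encrypt under the new one.
function rotateToken(oldKey, newKey, blob, firmId) {
  return encryptToken(newKey, decryptToken(oldKey, blob, firmId), firmId);
}
```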

Encrypted in transit

All traffic uses TLS 1.3. The Supabase REST API, Xero API, Postmark, Twilio, and Anthropic endpoints are HTTPS-only. Magic-link upload tokens are URL-safe random 24-byte values.

Strict tenant isolation

Every table that holds firm data has Row-Level Security enforced at the Postgres layer. A firm can only read its own clients, chase runs, documents, messages, and tokens — verified by automated tests.

No PII in logs

We never log client emails, document contents, Xero data, or extracted financial details. Sentry breadcrumbs are scrubbed of PII. Only firm IDs and operation names appear in error reports.

Document storage

Uploaded receipts and statements live in your private Supabase Storage bucket, scoped under firms/{firm_id}/clients/{client_id}/. Access is gated by signed URLs (5-minute TTL) — never public.

Deletion on request

Email privacy@chasedesk.app and we delete your firm row, all child records, and all storage objects within 30 days. Disconnect Xero from Settings to revoke tokens immediately.

What we share with subprocessors

  • Xero
    Your firm's contacts + bank transactions for the connected org. We have read access to contacts, read+write to bank transactions, and write to attachments.
  • Anthropic
    The bytes of an uploaded receipt or statement when AI extraction runs. Anthropic does not retain this data per their API policy.
  • Mindee
    (Optional) The bytes of an uploaded receipt only when Mindee OCR is the chosen path. Mindee is tried first; extraction falls back to Anthropic if confidence is low.
  • Postmark
    Outbound email content sent to your SMB clients on your behalf. Inbound replies are processed and discarded.
  • Twilio
    Outbound SMS body + recipient number. MMS attachments are pulled with basic auth.
  • Supabase
    Hosts our Postgres database, auth, and storage bucket — all in a single region you control.

Compliance posture

We are pre-revenue and not yet SOC 2 certified. We are designed to meet SOC 2 Type II controls and plan to begin the audit window once we hit 25 paying firms. Until then:

  • Encryption at rest + in transit by default
  • Tenant isolation enforced at DB layer
  • Secret rotation supported (re-encrypt + new keys)
  • Backup snapshots daily (Supabase managed)
  • Single owner with least-privilege ops access

Need a security review or DPA for your firm? Email security@chasedesk.app.