Security & Trust

Built for finance teams who can’t afford to take chances.

Accel Books treats your books like a payment processor treats card data: encrypted, isolated, audit-logged, and continuously monitored. Here’s how — and how we’ll prove it.

Foundations

Six layers protecting every transaction.

Encryption everywhere

TLS 1.3 in transit. AES-256 at rest for the database, file storage, and backups. Per-tenant logical isolation enforced by row-level security on every table.

EU-hosted infrastructure

Primary region eu-west (Ireland) with backups in a second EU region. Customer data does not leave the EU/EEA without an explicit cross-border processing agreement.

Strong identity

Email + password with HaveIBeenPwned leak checks, Google SSO, and SAML 2.0 SSO for enterprise plans. Optional 2FA via TOTP. Session tokens are rotated on every refresh.

Granular permissions

Owner, admin, accountant, member and view-only roles. Approval gates for outbound payments. Every privileged action records who, what and when in an immutable ledger.

Append-only audit trail

Financial events and AI agent actions are hash-chained — each entry includes the SHA-256 of the previous one, so tampering is detectable and forensic replay is possible.

Continuous monitoring

Anomaly detection on token usage and spend, automated dependency scans, and weekly authenticated penetration tests against the staging environment.

Compliance

Frameworks we map to.

Independent attestations and reports are available under NDA. Email security@accelbooks.io with your procurement contact and we’ll share the latest package.

GDPR
Full data subject request workflow, EU controller/processor split documented in our DPA, sub-processor registry kept public.
SOC 2 Type II
Controls aligned to the Trust Services Criteria. Type II audit currently in observation window with a Big Four auditor.
ISO 27001
Information security management system modelled on ISO/IEC 27001:2022. Statement of Applicability available under NDA.
PCI DSS SAQ-A
We never store full card numbers. Card data is tokenised by our PSPs (Stripe, GoCardless); we operate within SAQ-A scope.
Irish Revenue
Invoice numbering, VAT-rate handling and audit retention meet Revenue's record-keeping requirements (6-year retention).
HMRC MTD
Making Tax Digital compatible filing for UK VAT-registered customers, with digital links preserved end-to-end.

Controls in depth

Defence across the stack.

Database

  • Row-level security on every customer table
  • Posted ledger entries are immutable — corrections via compensating events
  • Daily encrypted backups, 35-day point-in-time recovery

Development

  • Mandatory peer review on every change
  • Static analysis + secret scanning on every commit
  • Production secrets isolated from non-prod and rotated quarterly

People

  • Background checks for engineers with production access
  • Annual security training and phishing simulations
  • Principle of least privilege — break-glass access is time-boxed and logged

Incident response

  • 24/7 on-call rotation with 15-minute acknowledgement target
  • Customer notification within 72 hours for confirmed personal-data breaches
  • Public post-mortems for any incident affecting more than one customer

Your data stays in the EU.

Primary processing in Dublin (Ireland). Disaster-recovery replica in Frankfurt (Germany). Sub-processors are listed in our public registry.

GDPR & retention

Responsible disclosure

Found something? We want to hear from you.

We operate a coordinated-disclosure programme. Send a detailed write-up to security@accelbooks.io (PGP key on request). We acknowledge within one business day, triage within three, and credit researchers on our hall-of-fame once a fix has shipped. Please don’t test against other customers’ tenants — use a free account for your research.