Security at Ledgable

Trust is the precondition of accounting software. This page is the operator-readable record of what we do to earn it.

What we encrypt and how

  • Tax File Numbers (TFN): AES-256-GCM at rest. Per Privacy (TFN) Rule 2015. The encryption key is provisioned via Vercel Sensitive env vars, never written to disk in cleartext. Decryption operations are audited - every TFN access creates a row in tfn_access_log with the actor, reason, and timestamp.
  • Audit-log circuit breaker (fail-closed): if our audit-log writer fails 5 times in 60 seconds, every subsequent TFN decryption refuses. A flapping audit pipeline cannot mask reads - it stops them. Manual reset by oncall after the underlying incident is resolved.
  • Stripe webhooks + ATO transmission payloads: WS- Security XML signing on every STP transmission to the ATO; raw Stripe webhook bodies are signature-verified before any database writes.

Tenant isolation

Workspace-scoped Prisma queries are enforced at the helper layer (see lib/practice/security/tenant-scope.ts). Every path-parameter resource fetch goes through a tenant-scope helper; cross-tenant ids return 404 indistinguishable from "doesn't exist" so attackers cannot enumerate ids belonging to other tenants. A CI guard ratchets this baseline so regressions fail at PR review.

Payment data

We never store full card numbers. Stripe handles all PAN data at PCI-DSS Level 1. We store only Stripe customer ids, subscription state, and tokenised payment-method references. The Stripe webhook receiver verifies signatures on every event and writes to an idempotency table keyed on Stripe event id.

Data residency

Database hosted in Sydney (Supabase ap-southeast-2). OCR via AWS Textract in ap-southeast-2 (see the provider decision doc at lib/ocr/providers/PROVIDER_DECISION.md). Serverless compute currently runs in Vercel bom1 (Mumbai); migration to syd1 (Sydney) is tracked in DEPLOY-NOTES-2026-07-03.md and will complete the full-stack Australian data residency picture. Email delivery via Resend (US) - email content is itself not PI; the Australian Privacy Principle 8 obligations for the small amount of name-and-address content in transactional emails are met under the existing accounting-services exception. Document AI cross-border consent flow is on the roadmap before any Google Cloud OCR provider is enabled.

Audit cadence + incident response

Internal security audits run on a 2-day cadence as part of the development pipeline; findings are tracked in docs/audit/. An incident playbook lives at docs/security/incidents/and includes the response to a credential leak (rotation playbook with explicit revocation, rotation, regression-test, and operator- verification steps).

Backups and recovery

Database point-in-time recovery via Supabase. Daily snapshot retention is 7 days on the free tier; we move to 30 days as part of the production-tier upgrade. STP transmission audit rows have a 5-year compliance retention enforced by the absence of any DELETE statements in the application code paths.

What's NOT yet certified

Honesty section - relevant for B2B accounting buyers:

  • SOC 2 Type II: planned, not yet certified. We're targeting Q4 2026 audit window. Internal controls follow the SOC 2 Trust Services Criteria but the third-party audit is upcoming.
  • ISO 27001: roadmap item. Not yet pursued.
  • DSP (Digital Service Provider) STP registration: in progress. STP transmission infrastructure is shipped and tested end-to-end against the ATO test environment, but live transmission to ATO production is gated by DSP registration (typically 6+ month timeline). The kill switch (STP_TRANSMISSION_ENABLED) stays default-OFF until DSP registration completes.

Reporting a security issue

Email security@ledgable.co with details. We acknowledge within 24 business hours and will keep you updated on remediation. Coordinated disclosure encouraged.

Further reading

Security - Ledgable