Security & Trust Centre

Enterprise Trust & Procurement

AccountScope is engineered to meet the strict security, compliance, and confidentiality requirements of UK law firms, Big 4 advisors, forensic accounting practices, and financial regulatory bodies.

1. Security & Encryption

AccountScope enforces strong encryption standards to secure financial evidence registers. Access controls implement the principle of least privilege, preventing unauthorized visibility of transaction data.

TLS 1.3 Encryption

All data in transit between users and our application is encrypted using Transport Layer Security (TLS 1.3) protocols. HTTPS is strictly enforced.

AES-256 at Rest

All transactional details, files, metadata, and database records are encrypted at rest using AES-256 encryption. Encryption keys are rotated automatically.

Tenant Isolation

Logical separation of data ensures that tenant groups can never view or modify transaction logs belonging to separate clients.

Audit Log Chains

Every administrative override, category revision, and transaction exclusion is permanently recorded in structured audit log databases.

2. Data Protection & UK GDPR

AccountScope acts as a Data Processor, operating strictly under the documented instructions of our customers (Data Controllers). We adhere to UK GDPR principles and security regulations.

UK GDPR Compliance

AccountScope meets all UK GDPR criteria, implementing comprehensive Data Protection Impact Assessments (DPIAs) and maintaining records of processing activities.

DPA Availability

A signable UK GDPR-compliant Data Processing Addendum (DPA) is available in account settings, setting out our obligations on data transfer and processing.

3. Compliance & Audits

We align our internal security controls with global standards to ensure external credibility.

REGISTRATION

ICO Registration: In Progress

AccountScope has initiated registration with the UK Information Commissioner's Office (ICO). We process all personal information in accordance with UK GDPR guidelines.

CERTIFICATIONS

SOC 2 & ISO 27001 Roadmap

We are currently preparing for our SOC 2 Type I audit and Cyber Essentials Plus certifications, with targets scheduled throughout 2026.

4. Infrastructure & Resilience

Our platform operates on a robust, UK-hosted cloud infrastructure designed to survive server failures, network loss, or database outages.

UK London Residency

All relational data and document vaults reside strictly within AWS London Region (eu-west-2). No statement data is transferred outside the UK.

Disaster Recovery (RTO & RPO)

We replicate databases continuously across Availability Zones. Our target Recovery Point Objective (RPO) is under 24 hours, and our target Recovery Time Objective (RTO) is under 4 hours.

5. Data Retention & Purging Policies

To prevent long-term exposure of sensitive financial documents, AccountScope enforces customizable data retention policies designed around UK GDPR/DPA guidelines.

Data Category | Description | Retention Period
Original Statement PDFs | The raw statement files uploaded by users. Configurable for Professional/Enterprise tiers. | 30, 90, 180 Days or Lifetime
Extracted Transaction Ledgers | Structured transaction database tables preserved for report consistency and audit integrity. | Subscription Duration
Exported Report Archives | Generated PDF summaries and Excel schedules. | 365 Days

6. Subprocessors

We only engage subprocessors that maintain rigorous compliance standards.

Entity | Purpose | Location
Supabase, Inc. | Database, Authentication & Secure Object Storage (AWS London Region) | United Kingdom
Amazon Web Services (AWS) | Underlying Cloud Infrastructure & Backups (London Region) | United Kingdom
Vercel, Inc. | Application Hosting & Edge Functions (Static/Dynamic Router) | UK & Europe
OpenAI, Inc. | Transaction Categorization API. Strip-minimised descriptions only (client names, sort codes, and account numbers are strictly redacted before sending). Zero-Data-Retention (ZDR) endpoints are active. Users can opt out and use local pattern matching instead. | Europe / US
Resend, Inc. | Transactional Email Services (welcome, status, and reset emails) | Europe / US
PostHog, Inc. | Anonymized performance & usage metrics. Financial data, transaction details, and case names are completely excluded from tracking. | Europe
Stripe Payments Europe, Ltd. | Billing Portal & Payment Processing (PCI-DSS Level 1) | UK & Europe

7. Procurement FAQ

Are our statements used to train public AI models?
No. Our transaction categorization engine uses strip-minimised transaction descriptions (completely stripped of sort codes, account numbers, and client names before sending) through OpenAI Zero-Data-Retention (ZDR) enterprise endpoints. The raw bank statement files are parsed locally and never sent to any AI subprocessors. Users can also opt out of AI-based categorization entirely and rely solely on local pattern matching.
Where does our data reside?
All relational database fields, file storage caches, and analytical results reside strictly within the AWS London Region (eu-west-2) in the United Kingdom. We do not export statement files across borders.
Can we export and purge data permanently?
Yes. Account administrators can delete cases directly, which triggers immediate, permanent, secure database overwriting and storage purging. Deleted records are unrecoverable.
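As an added illustration of the strip-minimisation described in the first FAQ answer and in the OpenAI subprocessor entry (this is not AccountScope's own code): a Python redactor that replaces UK sort codes, 8-digit account numbers, longer digit runs and a caller-supplied list of client names in a transaction description before it would leave the system, plus a pre-send check that refuses anything still carrying such identifiers. The regular expressions, placeholder tokens and sample descriptions are assumptions constructed for the example.

```python
import re

# Assumed patterns for UK identifiers (constructed for this example):
# sort codes written as NN-NN-NN or NN NN NN, 8-digit account numbers,
# and any longer digit run (card or reference numbers) as a catch-all.
SORT_CODE = re.compile(r"\b\d{2}[- ]\d{2}[- ]\d{2}\b")
ACCOUNT_NO = re.compile(r"\b\d{8}\b")
LONG_DIGITS = re.compile(r"\b\d{9,}\b")


def minimise_description(description: str, client_names=()) -> str:
    """Return a minimised copy of a transaction description.

    Client names are replaced first (longest first, case-insensitive) so a
    name is never left half-redacted by the numeric patterns that follow.
    """
    out = description
    for name in sorted(client_names, key=len, reverse=True):
        out = re.sub(re.escape(name), "[CLIENT]", out, flags=re.IGNORECASE)
    out = SORT_CODE.sub("[SORT_CODE]", out)
    out = ACCOUNT_NO.sub("[ACCOUNT_NO]", out)
    out = LONG_DIGITS.sub("[NUMBER]", out)
    return out


def contains_sensitive(text: str, client_names=()) -> bool:
    """Pre-send guard: True if any identifier pattern or client name survives."""
    if any(p.search(text) for p in (SORT_CODE, ACCOUNT_NO, LONG_DIGITS)):
        return True
    lowered = text.lower()
    return any(name.lower() in lowered for name in client_names)


def prepare_for_categorisation(description: str, client_names=()) -> str:
    """Minimise, then refuse to hand over anything the guard still flags."""
    minimised = minimise_description(description, client_names)
    if contains_sensitive(minimised, client_names):
        raise ValueError("description still contains sensitive identifiers")
    return minimised


if __name__ == "__main__":
    # Constructed sample lines, not real statement data.
    names = ["Smith & Co Ltd"]
    for line in ("FPS SMITH & CO LTD 12-34-56 12345678 INV 0042",
                 "CARD 4111111111111111 GROCERY STORE"):
        print(prepare_for_categorisation(line, names))
```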

8. Security & Compliance Roadmaps

Review our verification schedule, certifications timeline, and upcoming B2B enterprise security protocols.

Compliance Roadmap
Q1 2026: UK GDPR compliance audit completed ✓
Q2 2026: SOC 2 Type I audit initiation (planned)
Q3 2026: ISO 27001 certification preparation
Q4 2026: Cyber Essentials Plus certification
Enterprise Security Roadmap
Feature | Status
SAML 2.0 Single Sign-On (SSO): Enforce corporate credentials. | Enterprise Roadmap / Pilot Option
Azure AD / Microsoft Entra ID: Seamless office tenant matching. | Enterprise Roadmap / Pilot Option
Okta Authentication Gateway: Centralized auth policies. | Enterprise Roadmap / Pilot Option
SCIM User Provisioning: Automated seat sync. | Enterprise Roadmap / Pilot Option

Need support with security review?

Our security desk assists procurement and compliance teams with detailed Vendor Risk Assessments, security questionnaires (SIG/HECVAT), and bespoke data processing addendums.

security@accountscope.app
SLA Response: Under 4h

Ready to save hours on every case?

Join UK accounting firms and legal teams automating bank statement analysis and needs analysis.

14-day trial · 2 free reports · GDPR compliant