Your client data is the entire game.
A CPA firm's whole business runs on the trust their clients place in them. We treat that trust as ours to defend. Here's exactly how we do it — no marketing fog, no vague "enterprise-grade" claims.
How we think about security.
Every control we run falls into one of four categories. The goal isn't to collect certifications; it's to prevent a breach, and to make sure that if one ever happens anyway, we know about it fast and you hear about it faster.
- Identity & access. Who can log into what, from where, and with what factor. The first line of defense, and the one that gets tested most.
- Data handling. How credentials, files, and information move between us, you, and your end-clients. Email is never the channel.
- People & process. Hiring, NDAs, training, and the daily rhythms that make a careless mistake very hard to make.
- Response. What happens the moment something doesn't look right. Notification timelines that beat regulatory deadlines.
Two-factor on everything.
Most leaks in our industry come from one bad password. We engineer that risk out of the workflow.
- Mandatory 2FA on every client login, no exceptions. Authenticator apps preferred over SMS where available.
- Password vault only. Credentials flow through Keeper, 1Password, LastPass, or whatever vault your firm uses. Never email. Never chat. Never sticky notes.
- Least privilege. Each team member gets access only to the clients they actively work on. When a project ends, access is revoked the same day.
- Restricted device access. Work happens on managed devices with full-disk encryption and screen-lock policies enforced.
- No personal devices in scope for client data — and we don't let team members install client logins on phones.
Encrypted in motion, encrypted at rest.
When data moves between you, us, and your end-clients' platforms, it's protected the whole way. When it's sitting still, it's protected then too.
- TLS 1.2 or higher. Every connection to and from our systems uses modern TLS. No legacy protocols, no exceptions.
- At-rest encryption. Stored files and working data sit on encrypted volumes. If a disk walks off, it's still a brick.
- Secure file exchange. Documents move through your portal of choice: ShareFile, SmartVault, Box, or Google Drive shared workspaces. Not email attachments.
- Session timeouts. Inactive sessions on client platforms log out automatically. No unattended QuickBooks Online (QBO) windows sitting open overnight.
- Workspace segregation. Each client engagement is logically isolated. One client's data never touches another's working area.
- Audit trails. Every adjustment, reconciliation, and judgement call is logged in workpapers your reviewer can audit. Nothing happens off the record.
The weakest link is always a person.
Tools fail people, but people fail more often. We hire carefully and we keep the daily rhythms tight.
- Background-checked hires. Every team member with access to client data is verified before they join.
- Individual NDAs. Every Xynnlit team member signs an individual confidentiality agreement that survives the end of their employment. The firm-level NDA we sign with you sits on top of it.
- Onboarding security training covers phishing, credential hygiene, social engineering, and the specific risks that hit U.S. bookkeeping work — fake "client" emails asking for wire transfers being the headline one.
- Quarterly refreshers. Security isn't a one-time slide deck. The team retrains regularly and we update materials when the threat landscape shifts.
- Documented SOPs for every recurring task. The fewer things that depend on someone remembering a step, the fewer accidents happen.
- Mandatory peer review on adjustments above a defined materiality threshold. Two eyes on anything that could move a number.
If something breaks, you hear from us first.
No system is unbreakable. The difference between a manageable incident and a disaster is how fast it's detected and how directly it's communicated.
- Documented response plan. We don't improvise. There's a written runbook for credential compromise, suspected phishing, data exposure, and vendor incidents.
- Notification within 72 hours of a confirmed incident affecting your data, or sooner where contractually required. We aim for "as soon as we know enough to be useful," not "after legal review and a polished press release."
- Root cause analysis shared with the affected client firm. You see what happened, what changed because of it, and what won't happen again.
- Post-incident review built into our internal process. Every incident, however small, becomes a control improvement.
Where we stand on certifications.
We'd rather be honest about the current state than oversell it. Here's where we are.
What we do today: our controls are designed to meet the obligations our CPA-firm clients face under their own professional standards, including the confidentiality requirements of AICPA Code of Professional Conduct §1.700 and the safeguarding expectations under the Gramm-Leach-Bliley Act for client financial information. We sign Data Processing Agreements and tailored security addenda as part of each engagement.
What we're working toward: formal SOC 2 Type II readiness is on our roadmap. We'll publish the report when it's real, not before. We won't put a "SOC 2 compliant" badge on the site until there's an auditor's report behind it.
What we can give you now: a written security questionnaire response, references from existing clients, and a security-and-confidentiality call with whoever runs IT at your firm. Ask.
Vetting us before you send anything sensitive?
Smart. Book a 30-minute call with the team that would actually run your account. Bring your security questionnaire — we'll work through it on the call.
Book an intro call