Trust & Security

FirmHQ stores sensitive accounting-firm data. This page summarises the controls we use to protect it. It describes the app as we operate it today; it is not a third-party certification.

Data protection

  • All data in transit is encrypted with TLS.
  • Data at rest is encrypted by our cloud database provider.
  • Full Social Security numbers and full tax IDs are never returned by the public API. They can only be retrieved through an authenticated server function that records who viewed them.
  • Bank routing and account numbers are stored with last-four masking for display.

Access control

  • Every table uses row-level security. Firm staff, client portal users, employees, and subcontractors each see only the records they are entitled to.
  • Firm staff can be limited to specific clients. Module-level permissions control view, edit, delete, create, approve, and export rights independently.
  • Two-factor authentication and trusted-device tracking are available on user accounts.

Auditing

  • Sensitive actions — role changes, payroll status changes, sales-tax filings, bookkeeping period closes, journal entries, document uploads, report exports, and reveals of masked fields — are written to an append-only audit log.
  • The audit log is read-only in the application and is viewable only by firm admins.

Privacy

We process only data that an accounting firm enters or uploads in order to operate the firm. We do not sell personal information. Data is deleted when an account or client is deleted, subject to retention requirements that the firm sets.

Reporting a security issue

If you believe you have found a security vulnerability in FirmHQ, please contact your firm administrator, who can reach our team through the support channel configured for your workspace. Please do not include real production data in your initial report.