ArdentAces
Trust & security

Your clients' data deserves institutional-grade handling. We agree.

Every CPA firm, every business owner, and every end-client we serve is protected by the same security and confidentiality standards we'd expect if the books were our own.

The principle

Security isn't a feature. It's the foundation.

The fastest way to lose a CPA firm's trust — and their clients' trust — is to mishandle data. We built A&A with that risk at the top of the design, not as an afterthought. The sections below describe the actual controls, contracts, and practices that govern every engagement.

Contractual protections

The paperwork we sign before we see a single transaction.

Mutual Non-Disclosure Agreement (NDA)

Every engagement begins with a signed mutual NDA covering the firm, the client, and every individual bookkeeper assigned to the account. We can work under your firm's NDA template or provide our own.

Individual staff confidentiality bindings

Every A&A bookkeeper signs a personal confidentiality binding as a condition of employment. These bindings extend beyond the end of any client engagement.

Data Processing Addendum (DPA)

For firms that require one — which we recommend for any CPA engagement — we provide a standard DPA aligned with CCPA and other US privacy-law expectations. Custom DPAs are welcomed; we'll sign yours.

Engagement Letters

Every engagement is governed by a written engagement letter specifying scope, confidentiality, data handling, termination rights, and governing law.

Data security

How your data actually moves, and where it lives.

In transit

All file transfers use encrypted channels — SFTP, secure client portals (ShareFile, SmartVault, or equivalents), or the native secure sharing within QuickBooks Online and Xero. Email attachments containing client data are not permitted except in encrypted-PDF form where unavoidable.

At rest

Client data is never stored on personal devices. Approved working environments use role-based access controls, full-disk encryption, and enforced session timeouts. Locally cached files are automatically purged at session end.

Access controls

Multi-factor authentication is enforced on every software platform — QuickBooks Online, Xero, file portals, email, and internal systems. Access to a client's environment is restricted to the specific bookkeepers assigned to that client.

Segregated assignments

A&A bookkeepers assigned to a CPA firm or direct client work exclusively within that client's environment. We do not assign the same bookkeeper to competing firms without prior written consent.

Staff security

The people, not just the software.

Background checks

Every A&A employee undergoes professional and criminal background verification before onboarding.

Credential verification

Every bookkeeper's professional credentials — CIMA, ACCA, CA — are verified with the issuing body at the time of hire.

Physical security

A&A operates from secured facilities with access-controlled entry, visitor logging, and no personal storage devices (USB drives, external hard drives) permitted in working areas.

Training & ongoing compliance

Every staff member completes annual training covering confidentiality, data handling, anti-fraud, and client-specific security requirements.

Compliance roadmap

Where we are, and where we're going.

Current
  • CCPA-aware data handling practices
  • GDPR-aware data handling for any EU-exposed engagements
  • Mutual NDA on every client engagement
  • DPA available on request

In progress — SOC 2 Type II
  • Readiness audit targeted within 12 months
  • Full SOC 2 Type II report within 18–24 months from launch
  • Audit status shared openly during discovery

Future
  • ISO 27001 (information security management)
  • PCI DSS scope assessment (card-data clients)
  • State-level privacy expansions as US regulation evolves

Incident response

If something goes wrong, you hear it from us first.

Every engagement is governed by a written incident response protocol. In the event of any suspected data incident — breach, unauthorized access, lost device, or even a credible near-miss — we notify the affected client within 24 hours of discovery, followed by a written report documenting scope, timeline, and remediation. We treat incident disclosure not as a liability, but as a professional obligation.

Software we work in

Your stack, secured.

We work natively in the platforms your firm or business already uses. Our standards for security apply regardless of platform.

  • QuickBooks Online
    QBO ProAdvisor team, MFA enforced, role-based access
  • Xero
    Xero Certified team, MFA enforced, partner-level access controls
  • Wave / Zoho Books
    For Starter-bracket clients, MFA where available
  • Bill.com, Gusto, Dext, Hubdoc & similar integrations
    MFA enforced, least-privilege access

FAQ

Questions we're happy to answer.

Can we audit your security practices?

Yes. Enterprise clients and larger CPA firms are welcome to request a security questionnaire, vendor risk assessment, or direct review of our controls before engagement.

Where is the work performed?

Within our secured facilities in Sri Lanka. Client data does not move outside of approved working environments.

What happens to our data if we end the engagement?

All client data is returned (or securely destroyed, at your election) within 30 days of engagement termination. Written confirmation is provided.

Can you sign our firm's DPA / vendor agreement / NDA template?

Yes — we prefer to work under your paper when you have it. Our templates are available when you don't.

Skepticism welcome

Questions are welcome. Skepticism is healthy.

If you have specific security requirements, compliance concerns, or a vendor risk assessment we need to complete — we'd rather address them on a call than in an email exchange.