Accounted Security: How We Protect Your Data

Your Financial Data Deserves Bank-Grade Protection

When you trust a bookkeeping service with your financial data, you're sharing some of the most sensitive information in your life: what you earn, what you spend, who you pay, and where your money goes. That's not something to take lightly.

We built Accounted's security architecture from the ground up, not as an afterthought bolted onto a product. Every layer -- from how we connect to your bank, to how we process your data, to how we store your receipts -- is designed to protect your information to the highest standard.

This guide explains exactly how we do it, in plain English.

Encryption: The Foundation

Encryption converts your data into unreadable code that can only be decrypted with the correct key. Accounted uses encryption at every stage:

Data in Transit (TLS 1.3)

Every piece of data that moves between your device, WhatsApp, our servers, and your bank is encrypted using TLS 1.3 -- the latest version of Transport Layer Security. This is the same encryption protocol used by UK banks, the NHS, and government services.

TLS 1.3 means that even if someone intercepted the data as it travelled across the internet, they'd see nothing but meaningless noise.

Data at Rest (AES-256)

Every piece of financial data stored on our servers is encrypted using AES-256 (Advanced Encryption Standard with 256-bit keys). This is the encryption standard used by:

• Major UK banks (Barclays, HSBC, Lloyds, NatWest)
• The UK government for classified information
• The US Department of Defence

AES-256 is considered computationally unbreakable with current technology. Even with the most powerful supercomputers available today, breaking a single AES-256 key would take longer than the age of the universe.

Your transaction data, receipt images, tax calculations, and personal details are all encrypted at rest. If our storage were somehow physically accessed, the data would be unreadable.

WhatsApp Encryption

WhatsApp uses the Signal Protocol for end-to-end encryption. This means messages between you and Penny are encrypted on your device and can only be decrypted by the intended recipient. Neither WhatsApp nor Meta can read the content of your messages.

We use the official WhatsApp Business API via Twilio. Messages are processed through Twilio's infrastructure, which is SOC 2 Type II certified and compliant with major security frameworks.

Open Banking: Your Credentials Stay with Your Bank

This is one of the most important security decisions we made: Accounted uses Open Banking exclusively for bank connections. We never, ever ask for your bank login credentials.

How Open Banking Works

When you connect your bank to Accounted:

1. You're redirected to your bank's own website or app
2. You log in with your bank's credentials on your bank's system
3. Your bank creates a secure, tokenised connection to Accounted
4. Accounted receives a read-only access token -- not your username and password

We never see your password, PIN, or security codes. The connection is authenticated entirely through your bank's existing security infrastructure. Read our Open Banking guide for the full technical details.

Why This Matters

The alternative -- screen scraping -- requires you to share your actual bank login details with a third party. This means:

• If the third party is breached, your bank account is exposed
• You may be violating your bank's terms of service
• Your bank can't distinguish between you logging in and the scraper

Open Banking eliminates all of these risks. The connection is read-only (we can't move your money), FCA-regulated (our provider must meet strict security standards), and revocable (you can disconnect at any time).

Our Open Banking provider, TrueLayer, is authorised and regulated by the Financial Conduct Authority. They undergo regular security audits and penetration testing.

Infrastructure Security

Cloud Infrastructure

Accounted runs on enterprise-grade cloud infrastructure with:

• Geographic redundancy -- your data is replicated across multiple UK data centres
• Automatic failover -- if one server fails, another takes over seamlessly
• DDoS protection -- distributed denial-of-service attacks are mitigated at the network edge
• Regular penetration testing -- independent security firms test our defences regularly

Database Security

Our database layer includes:

• Row-level security -- each user's data is isolated at the database level. Even if application logic had a bug, the database would prevent one user from accessing another's data.
• Encrypted connections -- all database connections use TLS encryption
• Automated backups -- encrypted backups run continuously, retained for disaster recovery
• No shared tenancy risks -- data isolation is enforced at the infrastructure level, not just the application level

Access Controls

Internally, access to production data is strictly controlled:

• Principle of least privilege -- team members only have access to the systems they need for their role
• Two-factor authentication required for all infrastructure access
• Audit logging -- all access to sensitive systems is logged and monitored
• No developer access to production data -- we use anonymised data for development and testing

What Data We Collect (and What We Don't)

Data We Collect

• Personal details: Name, email address, phone number
• Bank transaction data: Transaction date, amount, merchant name, description (via Open Banking)
• Receipt images: Photos you send to Penny, and the extracted data
• Categorisation data: How you categorise your transactions
• Tax calculations: Estimated tax positions based on your data
• Conversation data: Your WhatsApp messages with Penny (necessary to provide the service)

Data We Don't Collect

• Bank login credentials: Never. Not even temporarily.
• Full card numbers: We see transactions, not card details
• Biometric data: No fingerprints, face scans, or voice prints
• Location data: We don't track where you are
• Browsing history: We don't monitor your web activity

How Your Data Is Used

Your data is used for one purpose: providing you with the Accounted bookkeeping service. Specifically:

• Categorising your transactions
• Processing your receipts
• Calculating your tax position
• Preparing and submitting your MTD returns
• Answering your questions through Penny

What We Don't Do with Your Data

• We don't sell your data. Not to advertisers, not to data brokers, not to anyone. Full stop.
• We don't share it with third parties beyond what's necessary to provide the service (your bank connection via TrueLayer, WhatsApp messaging via Twilio, HMRC submissions via their API).
• We don't use it to train AI models for other purposes. Your financial data is used to improve Penny's categorisation for your account. It is not used to train models for other products or customers.
• We don't profile you for marketing. We won't use your spending patterns to target you with ads or offers from other companies.

GDPR Compliance

Accounted is a UK company, fully compliant with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

Your Rights

Under GDPR, you have the right to:

• Access your data -- request a copy of all data we hold about you
• Rectify your data -- correct any inaccurate information
• Delete your data -- request that we delete your account and all associated data
• Export your data -- download your data in a portable format
• Restrict processing -- ask us to limit how we use your data
• Object to processing -- object to specific uses of your data
• Withdraw consent -- revoke any consent you've given at any time

To exercise any of these rights, contact our data protection team or ask Penny -- she can initiate data requests directly.

Data Retention

We retain your data for as long as you have an active Accounted account. If you close your account:

• Financial records are retained for six years (HMRC requires five years of records; we add a one-year buffer)
• Personal details are deleted within 30 days of account closure
• Receipt images are deleted within 30 days unless you're within the HMRC retention period
• Conversation history is deleted within 30 days

You can request immediate deletion at any time, though we'll note that this may affect your ability to meet HMRC record-keeping requirements.

Incident Response

Despite our best efforts, no system is immune to security incidents. We have a comprehensive incident response plan:

• Monitoring -- automated systems watch for unusual activity around the clock
• Detection -- anomalies trigger immediate alerts to our security team
• Response -- a documented procedure ensures swift, effective response to any incident
• Notification -- in the event of a data breach, we'll notify affected users within 72 hours as required by GDPR, and notify the ICO
• Remediation -- root cause analysis and preventive measures after any incident

We have never experienced a data breach. We work continuously to keep it that way.

Third-Party Security Certifications

Our key partners maintain industry-standard security certifications:

| Partner | Purpose | Certifications | |---------|---------|---------------| | TrueLayer | Open Banking | FCA authorised, SOC 2 Type II, ISO 27001 | | Twilio | WhatsApp API | SOC 2 Type II, ISO 27001, GDPR compliant | | Stripe | Payment processing | PCI DSS Level 1 |

Accounted is registered with the Information Commissioner's Office (ICO) as a data controller.

Questions About Security?

If you have specific questions about how we protect your data, or if you'd like more technical detail about any aspect of our security architecture, contact us at hello@accounted.co.uk.

For a detailed look at how Accounted handles your data day-to-day, read about our WhatsApp bookkeeping workflow or the AI technology behind Penny.

View our pricing, explore all features, or start your free trial with confidence that your data is protected.

Useful Resources

• HMRC's MTD for Income Tax requirements
• HMRC's list of MTD-compatible software