Security at Ledger
Built for accounting firms that need to trust their tools.
Last updated: 2026-05-20
Template pending legal review
This page is an engineering-prepared snapshot of our current security posture, published for transparency. It has not yet been reviewed by external legal counsel and is not a representation or warranty. The authoritative statement of our obligations is in the Terms of Service and the contract executed with your organisation.
Infrastructure Security
- All customer data stored in the European Union (Cloudflare WEUR region) — GDPR Article 44 compliant
- All data is encrypted at rest using Cloudflare's platform-level encryption. Sensitive fields including OAuth tokens and failed-email PII are additionally encrypted with AES-256-GCM at the application layer.
- TLS 1.2+ in transit (with TLS 1.3 preferred where supported by the client). HSTS enforced.
- DDoS protection and WAF via Cloudflare's global edge network
- Daily automated backups of the control plane database; tenant data is persisted to durable storage with multi-region replication for read availability. Recovery objectives: RPO ≤ 24 hours, RTO ≤ 4 hours. Quarterly disaster-recovery drills are planned to begin after our first customer.
Identity & Access
- Two-factor authentication (TOTP) available for all accounts.
- Passwords require a minimum of 12 characters (NIST 800-63B).
- Account lockout after repeated failed login attempts.
- Role-based access control — firm-level and entity-level permissions.
- Every entity-scoped API request passes through three independent authorization layers: requireLedgerAuth (session validity), resolveFirm (firm membership), resolveEntity (entity access for the firm).
- Session revocation on password change and on suspicious activity.
- Secure session management: httpOnly, Secure, SameSite=Lax cookies.
Application Security
- All state-changing requests validate the Origin header against an allowed-domains list (CSRF protection).
- SHA-256 hash-chained audit log — every change is cryptographically linked to the one before it. Tampering with any historical record breaks the chain and is automatically detected by our daily verification cron.
- Daily automated chain verification runs across all accounts — any integrity failure triggers an immediate alert.
- Tenant isolation at the database level (each firm's data lives in its own Durable Object).
- Strict access controls and least-privilege for Jumpstone staff.
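The hash-chained audit log and daily verification described above, sketched as an added example (not Ledger's own code): the record layout, the JSON canonicalisation, the all-zero genesis value and the `anchored_head` parameter are assumptions made for illustration. It also shows a general property of hash chains: dropping records from the tail leaves a self-consistent chain, so that case is only caught by comparing against a head hash kept outside the log.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed previous-hash value for the first entry

def entry_hash(prev_hash, seq, payload):
    """SHA-256 over the previous hash, sequence number and canonical payload."""
    body = json.dumps({"prev": prev_hash, "seq": seq, "payload": payload},
                      sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(body.encode("utf-8")).hexdigest()

def append(log, payload):
    """Append a record linked to the current head of the chain."""
    prev = log[-1]["hash"] if log else GENESIS
    seq = len(log)
    log.append({"seq": seq, "prev": prev, "payload": payload,
                "hash": entry_hash(prev, seq, payload)})
    return log[-1]["hash"]

def verify(log, anchored_head=None):
    """Return (ok, index_of_first_bad_entry_or_None, reason)."""
    prev = GENESIS
    for i, e in enumerate(log):
        if e["seq"] != i or e["prev"] != prev:
            return False, i, "broken link"
        if e["hash"] != entry_hash(e["prev"], e["seq"], e["payload"]):
            return False, i, "content mismatch"
        prev = e["hash"]
    # Tail truncation or a full re-hash leaves a self-consistent chain;
    # only a head hash stored outside the log exposes it.
    if anchored_head is not None and prev != anchored_head:
        return False, None, "head mismatch"
    return True, None, "ok"

def demo():
    """Constructed sample records; returns results for three scenarios."""
    log = []
    for p in ({"action": "invoice.create", "amount": 100},
              {"action": "invoice.update", "amount": 120},
              {"action": "invoice.void"}):
        head = append(log, p)
    clean = verify(log, head)
    tampered = [dict(e) for e in log]  # copy, then edit a historical record
    tampered[1]["payload"] = {"action": "invoice.update", "amount": 999}
    edited = verify(tampered, head)
    truncated = verify(log[:2]), verify(log[:2], head)
    return clean, edited, truncated

if __name__ == "__main__": print(demo())
```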
HTTP Security Headers
- Strict-Transport-Security: max-age=31536000; includeSubDomains
- X-Content-Type-Options: nosniff
- X-Frame-Options: DENY
- Referrer-Policy: strict-origin-when-cross-origin
- Permissions-Policy: geolocation=(), microphone=(), camera=(), payment=(), usb=()
Compliance
- Working toward SOC 2 Type II compliance. The observation window opens after our first paying customer goes live. SOC 2 controls are implemented today; attestation follows.
- GDPR compliant — EU data residency eliminates cross-border transfer risk under Chapter V.
- Financial records are retained for the duration required by applicable accounting standards (typically 7 years in Sri Lanka and Canada; varies by jurisdiction).
- Ledger does not process or store cardholder data (PAN). All payment processing is handled by Stripe; we receive only Stripe-issued reference identifiers.
- Audit trail integrity verified daily as part of our continuous monitoring controls.
- Sub-processor list and data-flow disclosures are published in our Privacy Policy.
Responsible Disclosure
- Found a security issue? Email security@ledgerpro.ai.
- We aim to acknowledge security reports within 2 business days and to provide initial triage within 5 business days.
- Resolution timelines vary by severity; critical issues receive priority engineering attention.
- We do not pursue legal action against good-faith security researchers.
For a full list of sub-processors that handle customer data, including purpose, data location, and contractual safeguards, see the sub-processor table in our Privacy Policy.
Questions about our security practices? Email us at security@ledgerpro.ai