Security & Trust Centre

Enterprise Trust & Procurement

AccountScope is engineered to meet the strict security, compliance, and confidentiality requirements of UK law firms, Big 4 advisors, forensic accounting practices, and financial regulatory bodies.

1. Security & Encryption

AccountScope encrypts financial evidence registers in transit and at rest using the controls described below. Access controls follow the principle of least privilege: a user can see only the transaction data that their role and case assignment require.

TLS 1.3 Encryption

All data in transit between users and the application is encrypted with Transport Layer Security 1.3 (TLS 1.3). HTTPS is strictly enforced; plaintext HTTP is not served.

AES-256 at Rest

All transaction records, uploaded files, metadata, and database contents are encrypted at rest with AES-256. Encryption keys are rotated automatically.

Tenant Isolation

Tenant data is logically separated so that users in one tenant can never view or modify transaction records belonging to another client.

Audit Log Chains

Every administrative override, category revision, and transaction exclusion is permanently recorded in a structured audit log, with the actor, the affected record, and the time of the change.
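The heading above refers to audit log chains. The following is an added example, not AccountScope's own code, of what a chained audit log looks like in practice: each entry commits to the SHA-256 hash of the previous entry, so editing or deleting any earlier record invalidates every record after it. The field names (actor, action, caseId) and the sample events are constructed for illustration.

```typescript
import { createHash } from "crypto";

// Added example, not AccountScope's code: a tamper-evident, hash-chained audit
// log for administrative actions. Field names and sample events are assumptions.

export interface AuditEvent {
  actor: string;    // who performed the action
  action: string;   // e.g. "transaction.exclude", "category.revise", "admin.override"
  caseId: string;   // tenant/case the action applies to
  detail: string;   // free-text description of the change
  at: string;       // ISO-8601 timestamp
}

export interface AuditEntry extends AuditEvent {
  seq: number;      // position in the chain, starting at 0
  prevHash: string; // hash of the previous entry (GENESIS_HASH for the first entry)
  hash: string;     // SHA-256 over this entry's fields and prevHash
}

const GENESIS_HASH = "0".repeat(64);

// Canonical serialisation with a fixed field order so the hash is reproducible.
function entryDigest(e: Omit<AuditEntry, "hash">): string {
  const canonical = JSON.stringify([e.seq, e.prevHash, e.actor, e.action, e.caseId, e.detail, e.at]);
  return createHash("sha256").update(canonical).digest("hex");
}

// Appends an event to the log, linking it to the previous entry's hash.
export function appendEntry(log: AuditEntry[], ev: AuditEvent): AuditEntry {
  const prevHash = log.length === 0 ? GENESIS_HASH : log[log.length - 1].hash;
  const partial = { ...ev, seq: log.length, prevHash };
  const entry: AuditEntry = { ...partial, hash: entryDigest(partial) };
  log.push(entry);
  return entry;
}

// Walks the chain and returns the index of the first entry whose sequence
// number, back-link or hash does not verify, or -1 if the whole log is intact.
export function firstBrokenEntry(log: AuditEntry[]): number {
  for (let i = 0; i < log.length; i++) {
    const e = log[i];
    const expectedPrev = i === 0 ? GENESIS_HASH : log[i - 1].hash;
    if (e.seq !== i || e.prevHash !== expectedPrev) return i;
    const { hash: stored, ...rest } = e;
    if (entryDigest(rest) !== stored) return i;
  }
  return -1;
}

// Demo on constructed events (not real case data): an intact log verifies,
// a silent edit of entry 0 is caught at 0, and deleting the middle entry
// (with the remainder renumbered) is caught at 1 because its back-link no
// longer matches the surviving predecessor.
export function demo(): { intact: number; afterEdit: number; afterDelete: number } {
  const log: AuditEntry[] = [];
  appendEntry(log, { actor: "j.smith", action: "transaction.exclude", caseId: "case-001",
    detail: "Excluded txn 4412 (duplicate)", at: "2026-01-10T09:14:00Z" });
  appendEntry(log, { actor: "j.smith", action: "category.revise", caseId: "case-001",
    detail: "Recategorised txn 4420 to Legal Fees", at: "2026-01-10T09:20:00Z" });
  appendEntry(log, { actor: "admin", action: "admin.override", caseId: "case-001",
    detail: "Reopened locked period", at: "2026-01-11T16:02:00Z" });
  const intact = firstBrokenEntry(log);

  const edited = log.map((e) => ({ ...e }));
  edited[0].detail = "Excluded txn 4412 (client request)";
  const afterEdit = firstBrokenEntry(edited);

  const deleted: AuditEntry[] = [log[0], { ...log[2], seq: 1 }];
  const afterDelete = firstBrokenEntry(deleted);

  return { intact, afterEdit, afterDelete };
}
```

A chain like this only proves integrity relative to its head: store the latest hash somewhere the database administrator cannot rewrite (for example, a periodic export to the customer) or the whole chain can be regenerated after tampering.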

2. Data Protection & UK GDPR

AccountScope acts as a Data Processor, operating strictly under the documented instructions of our customers (the Data Controllers). We process personal data in accordance with the UK GDPR and the Data Protection Act 2018.

UK GDPR Compliance

AccountScope operates in compliance with the UK GDPR: we carry out Data Protection Impact Assessments (DPIAs) for our processing and maintain records of processing activities as required by Article 30.

Pre-Signed DPA Template

A pre-signed UK GDPR Data Processing Addendum (DPA) is available for download, allowing legal departments to fast-track their compliance review.

3. Compliance & Audits

We align our internal security controls with recognised standards so that customers can verify them independently.

REGISTRATION

ICO Registration: Active

AccountScope is registered with the UK Information Commissioner's Office (ICO) under registration reference ZA827103. We process all personal information in accordance with the UK GDPR.

CERTIFICATIONS

SOC 2 & ISO 27001 Roadmap

We are preparing for a SOC 2 Type I audit, ISO 27001 certification, and Cyber Essentials Plus certification, with milestones scheduled through 2026 (see the roadmap in section 8).

4. Infrastructure & Resilience

Our platform runs on UK-hosted cloud infrastructure designed to tolerate individual server failures, network loss, and database outages.

UK London Residency

All relational data and document vaults reside within the AWS London Region (eu-west-2). Statement files and database records are not transferred outside the UK; the only data that can leave the UK is the redacted, minimised transaction descriptions sent to an AI provider when a firm opts into the AccountScope Managed AI or Bring Your Own OpenAI API Key route (see Subprocessors).

Disaster Recovery (RTO & RPO)

Databases are replicated continuously across Availability Zones. Our target Recovery Point Objective (RPO, the maximum window of data that could be lost) is under 24 hours, and our target Recovery Time Objective (RTO, the maximum time to restore service) is under 4 hours.

5. Data Retention & Purging Policies

To prevent long-term exposure of sensitive financial documents, AccountScope enforces configurable data retention periods consistent with the storage limitation principle of the UK GDPR and the Data Protection Act 2018.

Data category | Description | Retention period
Original statement PDFs | The raw statement files uploaded by users. Retention period configurable on Professional/Enterprise tiers. | 30, 90 or 180 days, or lifetime
Extracted transaction ledgers | Structured transaction database tables, preserved for report consistency and audit integrity. | Duration of the subscription
Exported report archives | Generated PDF summaries and Excel schedules. | 365 days

6. Subprocessors

We only engage subprocessors that maintain rigorous compliance standards.

Entity | Purpose | Data location
Supabase, Inc. | Database, authentication and secure object storage (AWS London Region) | United Kingdom
Amazon Web Services (AWS) | Underlying cloud infrastructure and backups (London Region) | United Kingdom
Vercel, Inc. | Application hosting and edge functions (static/dynamic routing) | UK & Europe
OpenAI, Inc. (optional) | Engaged only if the firm explicitly selects the "AccountScope Managed AI" or "Bring Your Own OpenAI API Key" route. Receives redacted, minimised transaction descriptions only, via Zero Data Retention (ZDR) endpoints. Bypassed entirely when a private route (Azure OpenAI, AWS Bedrock, Copilot Studio, local gateway, or Rules-Only) is active. | Europe / US
Resend, Inc. | Transactional email (welcome, status, and password reset emails) | Europe / US
PostHog, Inc. | Anonymised performance and usage metrics. Financial data, transaction details, and case names are excluded from tracking. | Europe
Stripe Payments Europe, Ltd. | Billing portal and payment processing (PCI DSS Level 1 service provider) | UK & Europe

7. Procurement FAQ

Are our statements used to train public AI models?
No. AccountScope is engineered with strict AI provider neutrality, so your firm controls where transaction data is processed. You can route queries through your own Microsoft Azure OpenAI subscription, AWS Bedrock instance, Copilot Studio custom agent flow, or a private local/on-premise gateway, or run completely offline with our local Rules-Only mode (zero HTTP requests). If you use AccountScope Managed AI, we redact names, account numbers, sort codes, and postcodes from transaction descriptions before they leave the platform, and we route the queries through OpenAI Zero Data Retention (ZDR) endpoints, so the provider does not retain prompt data or use it for model training.
Where is our data stored?
All relational database fields, file storage caches, and analytical results reside within the AWS London Region (eu-west-2) in the United Kingdom. Statement files are never exported across borders; only redacted, minimised transaction descriptions leave the UK, and only if the firm opts into an AI route hosted outside the UK.
Can we export and purge data permanently?
Yes. Cases can be exported as report archives, and account administrators can delete a case at any time. Deletion immediately and permanently removes the case's database records and purges its stored files; deleted records are unrecoverable.
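The Subprocessors table and the first FAQ answer above describe sending only redacted, minimised transaction descriptions to a third-party model. The following is an added example, not AccountScope's code, of what such a minimisation step looks like: it replaces UK sort codes, 8-digit account numbers, 16-digit card numbers, UK postcodes, and any party names the case has registered with placeholders, and adds a guard that refuses to send text that still contains an account-like number. The placeholder strings, the regular expressions, and the sample descriptions are assumptions made for the example.

```typescript
// Added example (not AccountScope's code): minimise a bank-statement transaction
// description before it is sent to a third-party model. Patterns and
// placeholders are assumptions; sample inputs in the tests are constructed.

export const PLACEHOLDERS = {
  name: "[NAME]",
  card: "[CARD]",
  account: "[ACCT]",
  sortCode: "[SORT]",
  postcode: "[POSTCODE]",
} as const;

// Longest digit patterns run first so a card number is never partly consumed as
// an account number, and an account number never as a sort code.
const CARD_NUMBER = /\b(?:\d{4}[ -]?){3}\d{4}\b/g;
const ACCOUNT_NUMBER = /\b\d{8}\b/g;
// The separator is mandatory so a date such as 10-01-2026 is not mistaken for a sort code.
const SORT_CODE = /\b\d{2}[- ]\d{2}[- ]\d{2}\b/g;
const UK_POSTCODE = /\b[A-Z]{1,2}\d[A-Z\d]? ?\d[A-Z]{2}\b/gi;

function escapeRegex(s: string): string {
  return s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
}

// Returns the description with identifying fields replaced by placeholders.
// partyNames: names known to the case (clients, counterparties). Regular
// expressions cannot recognise arbitrary personal names, so this list is the
// only control for names; anything not on it passes through.
export function minimiseDescription(desc: string, partyNames: string[] = []): string {
  let out = desc;
  for (const name of partyNames) {
    const trimmed = name.trim();
    if (trimmed === "") continue;
    out = out.replace(new RegExp(`\\b${escapeRegex(trimmed)}\\b`, "gi"), PLACEHOLDERS.name);
  }
  out = out
    .replace(CARD_NUMBER, PLACEHOLDERS.card)
    .replace(ACCOUNT_NUMBER, PLACEHOLDERS.account)
    .replace(SORT_CODE, PLACEHOLDERS.sortCode)
    .replace(UK_POSTCODE, PLACEHOLDERS.postcode);
  return out.replace(/\s+/g, " ").trim();
}

// Outbound guard: refuse to send text that still contains a card, account or
// sort-code pattern. String.search ignores the regexes' lastIndex state, which
// makes it safe to reuse the global patterns here.
export function isSafeToSend(minimised: string): boolean {
  return (
    minimised.search(CARD_NUMBER) === -1 &&
    minimised.search(ACCOUNT_NUMBER) === -1 &&
    minimised.search(SORT_CODE) === -1
  );
}
```

Treat pattern-based redaction as a floor, not a guarantee: free-text narrative fields can carry names and references that no regex recognises, which is why the page's private routes (Azure OpenAI, AWS Bedrock, a local gateway, or Rules-Only) remain the stronger option for sensitive matters.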

8. Security & Compliance Roadmaps

Review our verification schedule, certification timeline, and upcoming enterprise security features.

Compliance Roadmap
Q1 2026: UK GDPR compliance audit completed ✓
Q2 2026: SOC 2 Type I audit initiation (planned)
Q3 2026: ISO 27001 certification preparation
Q4 2026: Cyber Essentials Plus certification

Enterprise Security Roadmap (each item is on the enterprise roadmap and available as a pilot option)
SAML 2.0 Single Sign-On (SSO): enforce corporate credentials.
Azure AD / Microsoft Entra ID: automatic matching to the firm's Microsoft tenant.
Okta Authentication Gateway: centralised authentication policies.
SCIM User Provisioning: automated seat synchronisation.

Need support with security review?

Our security desk assists procurement and compliance teams with detailed vendor risk assessments, security questionnaires (SIG/HECVAT), and bespoke data processing addenda.

security@accountscope.app
SLA Response: Under 4h

Ready to save hours on every case?

Join UK accounting firms and legal teams automating bank statement analysis and needs analysis.

Firm pilot · 2 matter credits included · GDPR compliant