Security
How we protect your financial data.
CipherCFO handles confidential financial information. This page explains exactly how your data is protected — no marketing language, no vague claims.
Last reviewed: June 18, 2026
How we connect to your books
We never ask for your accounting system password. Instead, we use the official OAuth 2.0 flow provided by each platform. Here is what that means in practice:
Read-only access, always
OAuth tokens are scoped to read permissions only. We can pull your financials, but we cannot post journal entries, modify transactions, or change any setting in your accounting system.
You keep control
You can revoke our access at any time directly from your QuickBooks, Xero, NetSuite, or Sage account — no need to contact us first. Revocation takes effect immediately.
Official OAuth flows only
We integrate through the official developer programs of each provider. No screen-scraping, no credential harvesting, no third-party aggregators.
Tokens are stored encrypted
OAuth tokens are stored in an encrypted secrets vault, not in plain-text database columns. The application decrypts a token only when an active ingest is running for that client.
How your data is stored
Encryption at rest
All financial data is encrypted at rest using AES-256. This is enforced at the storage layer (Supabase on AWS us-east-1 with encryption enabled).
Encryption in transit
All data moving between your browser, our application, and third-party services is encrypted using TLS 1.2 or higher. HTTP connections are redirected to HTTPS.
No credential storage
We do not store your accounting system password. We store only OAuth tokens, and those are encrypted in a dedicated secrets vault — separate from the financial data store.
Access controls
Client data is isolated at the row level. Application staff access is logged and limited to what is needed to support your engagement. We do not have a customer support team browsing client financials.
Subprocessors
These are the third-party services that may process client data as part of delivering CipherCFO. We review this list when vendors change. Last updated: June 18, 2026.
| Name | Purpose | Data processed | Location |
|---|---|---|---|
| Railway | Application hosting and infrastructure | All application data in transit; application logs | United States |
| Vercel | Edge CDN and preview deployments | HTTP request metadata; no client financial data | United States / Global CDN |
| Supabase | Database and file storage | Client financial data (encrypted at rest), lead records, OAuth tokens (encrypted) | United States (AWS us-east-1) |
| Resend | Transactional email delivery | Name, email address, notification content (no financial figures) | United States |
| Stripe | Payment processing and billing | Billing contact, payment method (card data handled by Stripe — never touches our servers) | United States |
| Anthropic | AI analysis pipeline — powers the CFO deliverable generation | Standardized financial data (P&L, balance sheet, cash flow statements) — see AI section below | United States |
Accounting system providers (QuickBooks, Xero, NetSuite, Sage) are data sources, not subprocessors — we pull data from them; we do not send your data to them.
AI and automation tools
Yes, we use AI tools to generate your CFO deliverables. Specifically:
Anthropic Claude (analysis pipeline)
Anthropic's Claude API processes your standardized financial data (income statement, balance sheet, and cash flow statement) to generate the deliverables — flash report, variance analysis, 13-week cash forecast, covenant monitoring, and executive summary. This is the AI analyst described in our engagement materials.
- ✓Data is sent via Anthropic's API over an encrypted TLS connection.
- ✓Anthropic's API does not use submitted prompts or completions to train models by default. Enterprise API customers are covered by Anthropic's data processing agreement (DPA).
- ✓We do not send personally identifiable information to the API beyond what is necessary to contextualize the financial analysis (company name, period).
Automation within the application (data ingestion, report formatting, scheduling) runs on our own infrastructure and does not involve third-party AI beyond Anthropic.
Data retention and deletion
During engagement
Financial data, reports, and OAuth tokens are retained for the duration of the active engagement to allow month-over-month comparison and historical reporting.
After engagement ends
Financial data is retained for 90 days after the engagement end date to allow for final report delivery and any transition needs. After that period, data is deleted from active systems. Backups are purged on a rolling 30-day cycle.
Requesting deletion
You may request deletion of your data at any time by emailing advisory@ciphercfo.com with the subject line "Data deletion request." We will confirm receipt within 2 business days and complete deletion within 30 days, except where retention is required by law.
Incident response
If we detect or are notified of unauthorized access to client data, we will:
- 1Contain the incident and revoke any compromised tokens or credentials immediately.
- 2Assess the scope: which clients were affected, what data was accessible, and for how long.
- 3Notify affected clients directly by email within 72 hours of determining the scope — sooner if possible.
- 4Provide a written summary of what happened, what was exposed, and what steps we took to remediate.
- 5Revoke and reissue OAuth connections for affected clients where necessary.
To report a suspected security issue, email advisory@ciphercfo.com. We take all reports seriously and will acknowledge receipt within 24 hours.
SOC 2 and compliance
Honest statement: CipherCFO is a founder-led practice. We are not SOC 2 certified. The controls described on this page represent our current security posture as of June 18, 2026. SOC 2 Type II is on our roadmap as we scale to serve clients with formal compliance requirements.
If your organization requires a SOC 2 report, signed DPA, or custom security questionnaire before engaging, contact us at advisory@ciphercfo.com and we will work with you directly.
Questions about security?
Email us at advisory@ciphercfo.com. We respond to security questions within one business day.
Ready to connect your books?
Read-only access, encrypted storage, revocable anytime — and a named CFO who's accountable for the analysis.