Trust

Security & Data Handling.

Last updated July 13, 2026

You’re trusting Ledgza with your clients’ books. Here is exactly how that trust is protected: the controls, the boundaries, and the guarantees, in plain language.

The five guarantees

Connections

QuickBooks Online & Xero

Official partner APIs over OAuth 2.0. You authorize on Intuit’s or Xero’s own login page, and Ledgza never handles your ledger password. No screen-scraping, no robotic logins, no browser automation against your ledger. Revoke access anytime from either side and our access ends immediately.

Bank data

Primary rail: the bank feed your client already connected inside the ledger, read through the same official API. Fallback: Plaid, where credential exchange happens between your client and Plaid directly. Ledgza receives only a scoped, revocable, read-only access token.

Encryption & infrastructure

Data isolation

Every query in the application is scoped to your firm. Cross-firm access attempts return nothing. Not an error revealing existence. Nothing. Learned patterns, rules, and corrections belong to the firm that created them. AI model inference used in drafting runs under agreements that prohibit the provider from training on your data.

The audit trail

Append-only by design: rows cannot be edited or deleted from the application. Each records the entry, the action (approved / edited / rejected), the actor, the before-and-after state, the confidence score at action time, and the timestamp. This is your defensible record of what the software did and what you authorized.

Availability & recovery

Data retention & deletion

Delete your account and connected data is removed within 30 days; encrypted backups age out within 90. Full details in the Privacy Policy.

Incident response

If an incident affects your data, we will notify affected firms without undue delay, with what happened, what data was involved, and what we’re doing. We never bury it.

Responsible disclosure

Found a vulnerability? Email security@ledgza.com. We commit to acknowledging reports within 2 business days, and we will not pursue action against good-faith research that avoids privacy violations and service disruption.

Roadmap honesty

Ledgza is in its pilot phase. SOC 2 certification is planned post-revenue; until then, this page describes real controls, not aspirations. We’d rather tell you what’s true today than badge-wash. Questions we haven’t answered here: support@ledgza.com.