Trust
Security & Data Handling.
You’re trusting Ledgza with your clients’ books. Here is exactly how that trust is protected: the controls, the boundaries, and the guarantees, in plain language.
The five guarantees
- Nothing posts below 95% confidence without your explicit approval. The gate is hard-coded. There is no setting, plan, or support request that lowers it.
- We never see or store banking credentials. Bank data arrives read-only, through the feed already inside your QuickBooks/Xero or through Plaid’s token exchange.
- We never move money. There is no payment-initiation capability anywhere in the product.
- Your data never trains cross-firm models unless you opt in. Learning from your corrections is scoped to your firm by default.
- Every posted entry has an immutable audit record. Who acted, what changed, and the confidence score at the moment of action.
Connections
QuickBooks Online & Xero
Official partner APIs over OAuth 2.0. You authorize on Intuit’s or Xero’s own login page, and Ledgza never handles your ledger password. No screen-scraping, no robotic logins, no browser automation against your ledger. Revoke access anytime from either side and our access ends immediately.
Bank data
Primary rail: the bank feed your client already connected inside the ledger, read through the same official API. Fallback: Plaid, where credential exchange happens between your client and Plaid directly. Ledgza receives only a scoped, revocable, read-only access token.
Encryption & infrastructure
- In transit: TLS 1.2+ on every connection
- At rest: AES-256 for all stored data
- OAuth tokens: encrypted per firm with keys managed separately from application data
- Hosting: SOC 2-certified cloud infrastructure (Vercel and our database provider), US regions
- Passwords: salted and hashed (never stored in readable form); MFA available on request during pilot, standard at GA
Data isolation
Every query in the application is scoped to your firm. Cross-firm access attempts return nothing. Not an error revealing existence. Nothing. Learned patterns, rules, and corrections belong to the firm that created them. AI model inference used in drafting runs under agreements that prohibit the provider from training on your data.
The audit trail
Append-only by design: rows cannot be edited or deleted from the application. Each records the entry, the action (approved / edited / rejected), the actor, the before-and-after state, the confidence score at action time, and the timestamp. This is your defensible record of what the software did and what you authorized.
Availability & recovery
- Continuous encrypted backups with point-in-time recovery
- Connection-health monitoring: a broken bank or ledger connection is surfaced loudly in the app. The queue never silently shows “no work” when the truth is “no data”
- Drafts are invalidated and re-queued if the underlying ledger changes. The ledger is always the source of truth; Ledgza keeps no shadow ledger
Data retention & deletion
Delete your account and connected data is removed within 30 days; encrypted backups age out within 90. Full details in the Privacy Policy.
Incident response
If an incident affects your data, we will notify affected firms without undue delay, with what happened, what data was involved, and what we’re doing. We never bury it.
Responsible disclosure
Found a vulnerability? Email security@ledgza.com. We commit to acknowledging reports within 2 business days, and we will not pursue action against good-faith research that avoids privacy violations and service disruption.
Roadmap honesty
Ledgza is in its pilot phase. SOC 2 certification is planned post-revenue; until then, this page describes real controls, not aspirations. We’d rather tell you what’s true today than badge-wash. Questions we haven’t answered here: support@ledgza.com.