Skip to content

Security

Your first question, answered without badges.

Data security, for a practice handling other firms' client books, is the set of habits that keep confidential information inside the systems it belongs in and away from everywhere else. It is a working discipline, not a wall of logos.

Every buyer asks about it first, and rightly so. Here is how we actually handle your data, and what we deliberately choose not to do.

How we handle data

The practices, plainly.

The access model

An invited guest, not a new home for your data.

Your systems

The single source of truth

QuickBooks Online, Xero, Caseware, or your portal. Your file never leaves the systems you already own.

Named Sahana staff

The same people each period

Access granted per person and per system, and revoked the same day someone rotates off your work.

No local copies on a laptop. No bulk export to our servers. No shadow database of your books running on our own infrastructure.

A black-and-white row of fluted stone columns receding into shadow along a colonnade.
Confidentiality that survives the engagement, held by contract and by habit.

Subprocessors

Who else touches the work.

The systems your work runs through are the ones you already chose: your QuickBooks Online or Xero file, your Caseware installation, your document portal. We operate inside them as an invited user rather than routing your data through a stack of our own vendors.

Where a tool of ours is genuinely required for an engagement, we tell you what it is and why before it is used. We would rather ask than surprise you at a security review. If your firm keeps a subprocessor list, we will complete it honestly.

Deliberately not

What we don't do.

An honest security page is as much about the lines we hold as the controls we run.

  • We don't claim badges we don't hold

    We do not hold SOC 2 or ISO 27001 certification, and we do not imply that we do. If that is a hard requirement for your firm, we will tell you plainly rather than dress up practices as certificates. What we describe here is what we actually do.

  • We don't move data out of your systems

    No bulk exports to our own servers, no data lake, no analytics pipeline running over your clients' books in the background. Your data stays where you keep it.

  • We don't sign what isn't ours to sign

    We prepare; your firm reviews and signs. We do not release work to your clients or file anything on your behalf. The authority, and the accountability, stay with you.

Have a security review to run?

Send us your questionnaire. We will answer it as it stands, mark what we do not do, and not pretend otherwise.