Security & Data Protection
Trust and transparency are non-negotiable. Here's how we protect your data.
Human-in-the-loop control
Every action requires your explicit approval. ActuallyCount suggests; you decide. No automated changes to your books.
End-to-end encryption
All data in transit uses TLS 1.3. API tokens and credentials are encrypted at rest using industry-standard AES-256.
Immutable audit trail
Every suggestion, approval, edit, and posting is logged with timestamps, user identity, and content hashes. Full forensic trail.
Read-only by default
We only request read access to your Xero data. Write operations (posting journals) require separate, explicit authorization.
Data retention
Your financial data is processed in memory and discarded after workpaper generation. Only minimal metadata is retained for audit purposes.
Access controls
Role-based permissions ensure team members only see what they need. OAuth tokens are user-scoped and revocable at any time.
Sample Audit Log Entry
2025-10-15 14:23:41 | USER_APPROVAL | BAS_JOURNAL
Action: Approved and posted BAS journal #1847
Entity: Acme Consulting Pty Ltd (ABN 12345678901)
User: sarah@accountingfirm.com.au
Changes: 8 line items, $42,340.50 GST liability
Timestamp: 1729025021
Hash: 7f3a9b2c...
Every action is logged with cryptographic integrity. Logs are tamper-proof and available for compliance review.
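One way the "cryptographic integrity" claim above can be realised, as an added worked example that is not ActuallyCount's code: each record's SHA-256 hash covers the entry fields shown in the sample plus the previous record's hash, so editing any earlier record breaks the chain from that point on. The field names, the JSON canonicalisation and the chaining scheme are assumptions for this example.

```python
import hashlib
import json

# Constructed sample, modelled on the page's audit log entry. Field layout,
# JSON canonicalisation and the hash chain are assumptions for this example,
# not ActuallyCount's documented implementation.
SAMPLE_ENTRY = {
    "event": "USER_APPROVAL",
    "subject": "BAS_JOURNAL",
    "action": "Approved and posted BAS journal #1847",
    "entity": "Acme Consulting Pty Ltd (ABN 12345678901)",
    "user": "sarah@accountingfirm.com.au",
    "changes": "8 line items, $42,340.50 GST liability",
    "timestamp": 1729025021,
}
GENESIS = "0" * 64  # prev_hash for the first record in the chain

def entry_hash(entry, prev_hash):
    """SHA-256 over prev_hash + canonical JSON (sorted keys, fixed separators).
    Binding prev_hash is what links independent records into a chain."""
    canonical = json.dumps(entry, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + canonical).encode()).hexdigest()

def append(log, entry):
    """Append {entry, prev_hash, hash} to the in-memory log and return it."""
    prev_hash = log[-1]["hash"] if log else GENESIS
    log.append({"entry": entry, "prev_hash": prev_hash,
                "hash": entry_hash(entry, prev_hash)})
    return log

def verify(log):
    """Recompute every link; return (True, None) or (False, first_bad_index).
    Detects edits unless an attacker rewrites every later hash too, so the
    newest hash should also be anchored outside the log (signed or published)."""
    expected_prev = GENESIS
    for i, rec in enumerate(log):
        if (rec["prev_hash"] != expected_prev
                or entry_hash(rec["entry"], rec["prev_hash"]) != rec["hash"]):
            return False, i
        expected_prev = rec["hash"]
    return True, None

def tamper_demo():
    """Change a posted GST amount after the fact; verification must fail."""
    log = append([], dict(SAMPLE_ENTRY))
    append(log, dict(SAMPLE_ENTRY, action="Approved and posted BAS journal #1848"))
    log[0]["entry"]["changes"] = "8 line items, $2,340.50 GST liability"
    return verify(log)  # → (False, 0)
```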
Compliance & Standards
Australian Privacy Principles: We comply with APP requirements for handling personal and financial information.
Data sovereignty: All Australian client data is processed and stored within Australia.
Third-party security: We use Xero's official OAuth 2.0 API with minimal scopes. No data is shared with other third parties.
Questions about security?
Contact us at security@actuallycount.com