Security
Books that defend themselves in an audit.
Numbers Game is built for an industry where the audit trail is the product. Every action is logged, every write is reversible, and every access is scoped.
Compliance posture
The certifications we’re measured by.
- SOC 2 Type II — audit in progress, report expected Q3 2026.
- AICPA-aligned controls for financial data handling.
- QuickBooks Online certified integration partner.
- Annual penetration testing by an independent third party.
How your data flows
QBO stays the system of record. Always.
- № 01 You authorize Numbers Game to access a QuickBooks Online company via Intuit’s OAuth flow.
- № 02 Numbers Game reads from QBO over Intuit’s official API — only the scopes you approved.
- № 03 When you approve a write action (a categorization, a journal entry, a report), Numbers Game posts back to QBO through the same API.
- № 04 Source documents (PDFs, statements) are stored in encrypted object storage and attached as references in QBO.
- № 05 Numbers Game never holds the only copy of your books. QBO is always the system of record.
Encryption
In transit, at rest, and at the keys.
- 01 In transit: TLS 1.3 for all connections — QBO, Slack, Claude, the web app, the API.
- 02 At rest: AES-256 for all stored data, including source documents and audit logs.
- 03 Secrets: OAuth tokens encrypted with envelope encryption; key rotation every 90 days.
Access control
Scoped to the connection, the role, and the action.
- OAuth scoping. Numbers Game requests only the QBO scopes needed for the connection.
- Role-based access within the firm — partners, staff, view-only.
- Per-connection access. Staff can be assigned to specific client books.
- SSO on Scale and Enterprise — Okta, Google Workspace, Microsoft Entra.
- MFA required for all admin actions.
Audit & reversibility
Nothing is silent. Nothing is final.
- Every categorization, reconciliation, and journal entry is logged with: timestamp, actor, rule, confidence score, source transaction ID, and approval state.
- Period lock prevents writes to closed periods until a partner reopens them.
- One-click revert on any action — within an open period.
- Audit log is exportable as CSV at any time and retained for the life of the account.
AI safety
The model never writes alone.
- Numbers Game never writes to your books without explicit approval.
- Every proposed action shows the rule that produced it and the data that informed it.
- Client data is not used to train any model.
- Prompts and responses are logged for audit, retained per your plan’s policy, and never shared across firms.
Incident response
Monitored, documented, and notified.
- 24/7 security monitoring across all infrastructure.
- Documented incident response runbook.
- Customer notification within 72 hours of any confirmed incident affecting your data.
Data residency & retention
Where it lives, and for how long.
- US tenancy by default.
- EU and hybrid residency available on Enterprise.
- Data deletion within 30 days of account closure (subject to legal/tax retention requirements).
- Export your full audit log and source documents at any time.
Security questionnaires
RFPs, vendor reviews, SOC 2 status letters.
We respond to vendor security questionnaires (CAIQ, SIG Lite, custom firm templates) within five business days. Email [email protected] for our latest security package — SOC 2 status letter, pen test summary, architecture diagram, and DPA.