Security

How we protect your data

Our Commitment to Security

At Kwata Books, we understand that your receipts and financial records contain sensitive business information. Kwata Books is built to the SOC 2 Trust Services Criteria and our internal Kwata Security Standard, and is aligned with PIPEDA and Alberta PIPA. A formal third-party SOC 2 attestation and ISO 27001 certification are on our roadmap.

Frameworks we align with

We use precise language about where we stand. SOC 2 is an independent attestation and ISO 27001 a certification — we will say we hold them only once we do. Today, Kwata Books is engineered to meet those criteria and we operate a documented internal standard.

  • SOC 2 Trust Services Criteria — built to (aligned)
  • PIPEDA & Alberta PIPA — aligned
  • CASL — consent and unsubscribe in every email
  • OWASP Top 10 — secure-coding practices
  • SOC 2 Type II attestation & ISO/IEC 27001 — on our roadmap

Where your data lives, and how AI is handled

All of your application data — database and receipt files — is hosted on secure servers outside US jurisdiction. Our infrastructure is not subject to the US CLOUD Act, FISA, or the USA PATRIOT Act. Core encryption is AES-256-GCM: your uploaded receipt and invoice documents are encrypted at rest under a key unique to your business, and sensitive fields (OAuth tokens, SINs) are encrypted too. TLS 1.3 protects all data in transit. Data is isolated per account, with no cross-tenant access, and rate limiting and audit logging apply to critical operations.

AI features (receipt OCR/categorization and the Lex tax assistant) send only the content needed to fulfil a request to Anthropic's Claude API, under terms that prohibit training on your data. Your Books subscription is billed through our PCI-DSS-compliant payment processor, DodoPayments — card data never touches our servers. Files are stored in our own object storage. We do not sell your data. Full subprocessor and retention detail is in our Privacy Policy.

Data Encryption

All data transmitted between your device and our servers is encrypted with TLS 1.3. Your uploaded receipt and invoice documents are encrypted at rest under a key unique to your business — stored files hold ciphertext only. The figures we extract to build your books (amounts, dates, categories) are kept in your isolated, access-controlled database to power your reports.

Authentication and Access Control

We use secure third-party authentication to verify user identities. This approach:

  • Eliminates the need to store passwords on our systems
  • Leverages established security infrastructure
  • Provides additional security features like two-factor authentication (when enabled by the user with their provider)

Access to your data is restricted to your authenticated account only. Our systems enforce strict access controls to ensure data isolation between users.

Infrastructure Security

Our infrastructure is hosted with reputable cloud service providers that maintain:

  • Physical security controls at data centers
  • Network security and monitoring
  • Regular security audits and certifications
  • Redundant systems for data availability

Secure Development Practices

Our development team follows security best practices including:

  • Regular code reviews with a security focus
  • Dependency monitoring for known vulnerabilities
  • Input validation and sanitization
  • Protection against common web vulnerabilities

Data Backup and Recovery

We maintain regular backups of your data to protect against data loss. Our backup procedures include:

  • Regular automated backups
  • Encrypted backup storage
  • Tested recovery procedures
  • Geographic redundancy

Incident Response

In the unlikely event of a security incident, we have procedures in place to:

  • Quickly identify and contain the incident
  • Assess the impact and affected data
  • Notify affected users as required by law
  • Implement measures to prevent recurrence

Your Role in Security

Security is a shared responsibility. We recommend that you:

  • Use a strong, unique password with your authentication provider
  • Enable two-factor authentication where available
  • Keep your devices and browsers up to date
  • Log out of shared or public computers
  • Report any suspicious activity to us immediately

Data Retention and Deletion

You maintain control over your data. You can:

  • Export your data at any time
  • Delete individual invoices or your entire account
  • Request complete data removal by contacting us

When you delete data, it is removed from our active systems. Backup copies are removed according to our retention schedule.

Compliance

Kwata Books is designed to meet the requirements of Canadian privacy law — PIPEDA and Alberta PIPA. We are built to the SOC 2 Trust Services Criteria; a formal third-party SOC 2 Type II attestation and ISO/IEC 27001 certification are on our roadmap — we will state we hold them only once an accredited body confirms it. We continuously review and update our practices as regulations evolve.

Limitations

While we implement strong security measures, no system can guarantee absolute security. We cannot be held liable for:

  • Security breaches caused by your own actions or negligence
  • Vulnerabilities in third-party services you use
  • Circumstances beyond our reasonable control

Please refer to our Terms of Service for complete liability information.

Security Updates

We continuously monitor and improve our security posture. This page will be updated as we implement new security measures. We may also communicate significant security updates through email.

Report a Security Issue

If you discover a security vulnerability or have concerns about the security of our service, please contact us immediately at:

Security Team
Email: security@kwatateam.com

We appreciate responsible disclosure and will work with you to address any legitimate security concerns.

Questions

For general security questions, please contact us at:

Kwata Team
Email: support@kwatateam.com
Website: kwatateam.com