Security

Our team shares decades of experience working at globally recognised leaders in software. This informs our approach to security at Prosaic.

We know that accountants and bookkeepers trust us with sensitive financial information. Protecting that data is one of our highest priorities. While we’re a fast-growing company, our approach to security is grounded in industry standards and continuously improving.

Our engineering team is based in New Zealand, with collectively decades of experience working at global leaders in software such as Xero, Vend, and Slack. That background shapes how we approach building secure, reliable systems that accountants and bookkeepers can trust.

At A Glance

A quick summary of the controls we operate and how we keep your data safe.

Encryption in transit: TLS 1.2+
Encryption at rest: AES-256 (NIST-aligned)
Authentication: MFA required
Access controls: Role-based, least-privilege, instant revocation, periodic reviews
Hosting: All infrastructure hosted on AWS
Data isolation: Logical tenant separation
Secure development: OWASP Top 10, regular scanning & patching
Penetration testing: Independent testing conducted regularly
Audit logging: Comprehensive, secure, retained for investigations
Vendor standards: Evaluated against high security standards (e.g. ISO 27001)
Data deletion: Prompt deletion on request, per policy & obligations
Incident response: Policies & playbooks; transparent communication
Employee training: Security awareness & secure-coding training
Compliance alignment: Aligned with ISO 27001 & NIST CSF
AI & customer data: Customer data is not used to train external AI models

Our Approach

We align our practices with recognised frameworks for SaaS providers, including the Security Standard for Add-on Marketplaces (SSAM) and the accreditation requirements of the Xero App Store and Akahu Open Finance.

We are also committed to respecting your privacy. You can read more in our Privacy Policy.

Key Practices

Encryption In Transit & At Rest

  • All data is encrypted in transit (TLS 1.2+) and at rest using NIST-approved mechanisms (AES-256).
  • OAuth tokens and keys are securely stored and managed in line with SSAM requirements.

Authentication & Access Control

  • Multi-factor authentication (MFA) is required for account access.
  • Role-based access controls enforce least privilege.
  • Periodic access reviews ensure only those who need access retain it.
  • Access can be revoked instantly when staff leave or clients are offboarded.

Hosting & Infrastructure

  • All infrastructure is hosted on Amazon Web Services (AWS), benefiting from AWS’s global, enterprise-grade physical and network security.
  • AWS data centres meet independent compliance standards such as ISO 27001, SOC 1/2/3, and PCI DSS.
  • Customer data is logically isolated to ensure tenant separation and integrity.

Security Training & Culture

  • All employees undergo regular security training covering phishing awareness, data handling, and secure coding practices.
  • Security is embedded into onboarding, ongoing development, and our company culture.

Secure Development & Vulnerability Management

  • We follow OWASP Top 10 guidelines for secure coding.
  • Regular vulnerability scans, timely patching, and independent penetration testing keep our systems secure.

Monitoring & Audit Logging

  • Continuous monitoring detects anomalies at the network, application, and transaction levels.
  • Audit logs are maintained securely for traceability and retained in line with best practice.

Third-Party Vendors

  • We do not explicitly require SOC 2, but we evaluate all vendors against high security standards, including data handling, encryption, and compliance credentials (such as ISO 27001).
  • Integrations are limited to partners that meet strong security and privacy standards.

Data Handling & Deletion

  • Data is never shared with third parties without explicit business need and customer consent.
  • On request, we can promptly delete customer data in line with our retention and compliance obligations.

Incident Response

  • We have policies and playbooks in place to quickly identify, contain, and remediate security issues.
  • Where required, incidents are communicated transparently to affected parties.

Compliance Alignment

  • Our security controls are designed in alignment with ISO 27001 and the NIST Cybersecurity Framework, ensuring our practices follow globally recognised standards.

Responsible AI

We leverage artificial intelligence to improve automation and efficiency in our product, but we follow best-practice recommendations for responsible AI use:

  • No external training: We do not use customer data to train or fine-tune external AI models.
  • Controlled use: Any AI use is focused on workflow automation (e.g. transaction coding), with strict boundaries to protect privacy.
  • Transparency: We are open about where AI is applied in our platform.
  • Human in the loop: Accountants and bookkeepers always retain control over final decisions, ensuring AI remains an assistive tool.

Independent Accreditations

We have been externally accredited by the following vendors, each of which required an independent audit of our security practices.

  • Xero App Store Partner – meeting the SSAM requirements across encryption, authentication, and vulnerability management
  • Akahu Accredited App – demonstrating compliance with consumer data rights, consent-driven access, and security controls

Ongoing Commitment

Security isn’t static. We continually review and enhance our policies, technologies, and practices to meet evolving threats and customer expectations.

If you’d like more information about our security posture, or need details for your due diligence process, please contact us.