Skip to main content
Security

Financial data handled the way your CPA would want.

BetterWayIQ is read-only by design, encrypted in transit and at rest, and isolated at the database level so your data can’t leak across tenants even if we wrote a bug.

Practices

Six commitments baked into the product.

Read-only QuickBooks access

We request exactly one OAuth scope — com.intuit.quickbooks.accounting — which grants read access to your chart of accounts, GL, budget, vendors, and payroll. We have no ability to write back to your QuickBooks, even accidentally.

OAuth 2.0, never your password

Connection happens through Intuit's hosted authorization flow. You enter your QuickBooks password on Intuit's domain; we never see it. You can revoke access at any time from BetterWayIQ or from Intuit's Connected apps page.

Encryption at rest

OAuth refresh tokens are encrypted with AES-256-GCM before they touch the database. The encryption key lives in our secret store, rotated regularly, and is never committed to source control.

Row-level tenant isolation

Every table in our database enforces row-level security — a query for your organization's data literally cannot return another organization's rows, even if application code had a bug. Audited every time we add a table.

Transport security

TLS 1.2+ for every connection — browser → web app → database, and web app → QuickBooks API. HSTS headers + Secure cookies. No plain-HTTP fallback.

Audit logging

Security events (sign-in, OAuth connect/disconnect, role changes) are logged in an append-only audit_log table at the database level — your CPA can reconstruct who did what and when. Per-mapping change history (who recategorized which account) is on the post-launch roadmap.

Security posture at a glance

TopicDetail
HostingSupabase (Postgres + Auth), Vercel (Next.js), Railway (Python workers)
Data residencyUS East (default region for all three providers)
Token encryptionAES-256-GCM, key in environment-isolated secret store
Database accessRLS on every tenant-scoped table; service-role key scoped to ingestion workers only
QBO scope requestedcom.intuit.quickbooks.accounting (read-only)
Compliance roadmapSOC 2 Type I: on our post-launch compliance roadmap. HIPAA: not on roadmap (no PHI in scope).

Have a security questionnaire?

Many larger organizations run vendors through a standard security questionnaire. Send yours and we'll respond within five business days — most answers live in this page, but we'll fill out the form verbatim for you.