Security

Financial data handled the way your CPA would want.

BetterWayIQ is read-only by design, encrypted in transit and at rest, and isolated at the database level so your data can’t leak across tenants even if we wrote a bug.

Read-only QuickBooks access

We request exactly one OAuth scope — com.intuit.quickbooks.accounting — which grants read access to your chart of accounts, GL, budget, vendors, and payroll. We have no ability to write back to your QuickBooks, even accidentally.

OAuth 2.0, never your password

Connection happens through Intuit's hosted authorization flow. You enter your QuickBooks password on Intuit's domain; we never see it. You can revoke access at any time from BetterWayIQ or from Intuit's Connected apps page.

Encryption at rest

OAuth refresh tokens are encrypted with AES-256-GCM before they touch the database. The encryption key lives in our secret store, rotated regularly, and is never committed to source control.

Row-level tenant isolation

Every table in our database enforces row-level security — a query for your organization's data literally cannot return another organization's rows, even if application code had a bug. We audit this every time we add a table.
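As an added illustration (not BetterWayIQ's own schema), this is what "row-level security on every tenant-scoped table" looks like in Supabase Postgres; the table, the memberships lookup and the column names are assumptions, and the last query is the kind of check an audit of a newly added table can run.

```sql
-- Assumed tenant-scoped table (example only, not the product's schema).
create table account_mappings (
  id          bigint generated always as identity primary key,
  org_id      uuid not null,
  qbo_account text not null,
  category    text not null
);

-- Without this line every policy below is ignored and any role that can
-- SELECT from the table sees every tenant's rows.
alter table account_mappings enable row level security;
-- Apply the policies to the table owner as well, so a bug in owner-run
-- code is covered too.
alter table account_mappings force row level security;

-- Assumed: a memberships table maps the signed-in user (Supabase's
-- auth.uid()) to the organizations they belong to.
create policy org_members_read on account_mappings
  for select
  to authenticated
  using (
    org_id in (
      select m.org_id from memberships m where m.user_id = auth.uid()
    )
  );

-- A query that forgets the tenant filter still returns only the caller's
-- rows, because the database appends the policy predicate itself:
--   select * from account_mappings;

-- Audit check: any tenant-scoped table in public with RLS still disabled
-- shows up here; the expected result is zero rows.
select schemaname, tablename
from pg_tables
where schemaname = 'public' and not rowsecurity;
```

Supabase's service_role key bypasses RLS, which is why it belongs only on the ingestion workers and never in browser or web-app code.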

Transport security

TLS 1.2+ for every connection — browser → web app → database, and web app → QuickBooks API. HSTS headers + Secure cookies. No plain-HTTP fallback.

Audit logging

Every change to your canonical account mapping is logged — who changed it, when, and what the previous category was. The log is append-only at the database level. Your CPA and your board can reconstruct any decision.

Security posture at a glance

Hosting: Supabase (Postgres + Auth), Vercel (Next.js), Railway (Python workers)
Data residency: US East (default region for all three providers)
Token encryption: AES-256-GCM, key in environment-isolated secret store
Database access: RLS on every tenant-scoped table; service-role key scoped to ingestion workers only
QBO scope requested: com.intuit.quickbooks.accounting (read-only)
Compliance roadmap: SOC 2 Type I target in 12 months; HIPAA not on roadmap (no PHI in scope)

Reporting a vulnerability

If you believe you’ve found a security issue, please email security@betterwayiq.com. We’ll acknowledge within one business day and keep you updated through remediation. No bug bounty yet, but we treat responsible disclosure seriously and will credit you (with permission) in release notes.

Have a security questionnaire?

Many larger organizations run vendors through a standard security questionnaire. Send yours and we’ll respond within five business days — most answers live in this page, but we’ll fill out the form verbatim for you.
