Your client relationships are sensitive data. AccountGauge is architected from the ground up with encryption, isolation, and auditability so you can meet your compliance obligations with confidence.
Have a specific security question? security@getaccountgauge.com
Every byte of client data is protected with industry-standard encryption both in motion and at rest.
All connections are secured with TLS 1.3. API endpoints enforce HTTPS with HSTS headers and certificate pinning for mobile integrations.
Data stored in the database is encrypted with AES-256. Encryption keys are managed through a dedicated KMS with automatic key rotation on a 90-day cycle.
Automated backups are encrypted using the same AES-256 standard and stored in geographically separated locations to ensure durability.
Strict logical separation and fine-grained access controls ensure each firm's data is visible only to authorized users.
Every firm operates within its own isolated data boundary. Database queries are scoped to the authenticated tenant at the infrastructure layer, not just the application layer.
Users are assigned roles (Owner, Manager, Account Manager) with distinct permission sets. Permissions govern access to accounts, reports, settings, and team management.
Every user action (logins, pulse submissions, score views, setting changes) is logged with a timestamp, user ID, IP address, and action type. Logs are append-only and cannot be modified or deleted.
Our operational practices are designed around the principle of least privilege and defense in depth.
Internal team members access production infrastructure only through short-lived credentials with narrowly scoped permissions. There is no persistent access to customer data.
The database is backed up daily with point-in-time recovery enabled. Backup retention follows a 30-day rolling window with offsite replication.
Infrastructure and application metrics are continuously monitored. Anomaly detection triggers real-time alerts for unusual access patterns, error spikes, or latency changes.
AccountGauge is engineered to meet the requirements of common compliance frameworks. We operate with the rigor expected of a SOC 2-compliant organization.
Our controls, policies, and infrastructure are aligned with the AICPA Trust Services Criteria across security, availability, and confidentiality. We are actively working toward formal SOC 2 Type II certification.
Managed deployments run in the United States by default. Self-hosted customers can choose their own data residency region to comply with local regulations.
We process only the data necessary to deliver the service. Data retention policies are configurable per tenant, and data deletion requests are honored within 30 days.
We maintain documented incident response procedures and welcome responsible disclosure from the security community.
Our incident response plan covers identification, containment, eradication, recovery, and post-incident review. Affected customers are notified within 72 hours of a confirmed data breach, or sooner where required by law.
If you discover a potential security issue, please report it to security@getaccountgauge.com. We commit to acknowledging reports within 2 business days and providing resolution timelines within 5 business days.
For firms that deploy AccountGauge on their own infrastructure, we provide clear guidance to maintain the same security posture.
All sensitive configuration (database credentials, API keys, encryption keys) must be stored as environment variables or in a secrets manager. Never commit secrets to version control.
Use a managed database service with encryption at rest enabled. Restrict network access to the database to only your application servers. Enable connection encryption (SSL/TLS).
Configure automated daily backups with at least 14 days of retention. Test restores quarterly. Store backups in a separate region from your primary deployment.
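As an added illustration of the self-hosted checklist above (example code, not part of AccountGauge), a preflight check that a deployment can run at startup to refuse a configuration that falls short of it: secrets missing from the environment, a database URL without TLS, backup retention under 14 days, or backups kept in the primary region. The environment variable names are assumptions.

```python
from urllib.parse import urlparse, parse_qs

# Assumed variable names for a self-hosted deployment (not AccountGauge's own).
REQUIRED_SECRETS = ("DATABASE_URL", "API_KEY", "ENCRYPTION_KEY")
MIN_BACKUP_RETENTION_DAYS = 14          # minimum stated in the guidance above
SECURE_SSLMODES = {"require", "verify-ca", "verify-full"}  # libpq sslmode values


def check_deployment(env: dict) -> list[str]:
    """Return a list of findings; an empty list means the checklist is met."""
    findings = []

    # 1. Every secret must come from the environment / secrets manager, never be empty.
    for name in REQUIRED_SECRETS:
        if not env.get(name):
            findings.append(f"{name} is not set; provide it via environment or a secrets manager")

    # 2. The database connection must enforce TLS (sslmode in the query string).
    url = env.get("DATABASE_URL", "")
    if url:
        sslmode = parse_qs(urlparse(url).query).get("sslmode", [""])[0]
        if sslmode not in SECURE_SSLMODES:
            findings.append("DATABASE_URL does not enforce TLS; append ?sslmode=verify-full")

    # 3. Backups: at least 14 days of retention, stored outside the primary region.
    try:
        retention = int(env.get("BACKUP_RETENTION_DAYS", "0"))
    except ValueError:
        retention = 0
    if retention < MIN_BACKUP_RETENTION_DAYS:
        findings.append(f"BACKUP_RETENTION_DAYS={retention} is below {MIN_BACKUP_RETENTION_DAYS}")
    if env.get("BACKUP_REGION") and env.get("BACKUP_REGION") == env.get("PRIMARY_REGION"):
        findings.append("BACKUP_REGION must differ from PRIMARY_REGION")

    return findings


# Constructed sample environments: one weak, one meeting the checklist.
WEAK_ENV = {
    "DATABASE_URL": "postgresql://app:pw@db.internal:5432/accountgauge",  # no sslmode
    "API_KEY": "",                                                         # missing
    "ENCRYPTION_KEY": "k" * 32,
    "BACKUP_RETENTION_DAYS": "7",
    "PRIMARY_REGION": "us-east-1",
    "BACKUP_REGION": "us-east-1",
}
HARDENED_ENV = dict(WEAK_ENV, API_KEY="a" * 32, BACKUP_RETENTION_DAYS="30",
                    BACKUP_REGION="us-west-2",
                    DATABASE_URL=WEAK_ENV["DATABASE_URL"] + "?sslmode=verify-full")

if __name__ == "__main__":
    for finding in check_deployment(WEAK_ENV):
        print("FAIL:", finding)
    print("hardened config findings:", check_deployment(HARDENED_ENV))
```

In production the caller would read `os.environ` instead of the constructed dicts and exit non-zero on any finding.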
We are happy to walk through our security architecture, share our policies, or answer specific questions from your compliance team.
We respond to security inquiries within 2 business days.