Security & trust

How NewLedger protects accounting data

A clear view of the controls in place today — encryption, access management, audit history, and residency options — plus what is still on the roadmap, including SOC 2 Type II and ISO 27001.

Honest compliance status
Trust materials on request

  • SOC 2 Type II: Planned. On the roadmap, not yet certified.
  • ISO 27001: Planned. On the roadmap, not yet certified.
  • GDPR: Designed for EU residency and DPA workflows.
  • CCPA: Designed for California privacy requirements.

  • TLS 1.3: encryption in transit
  • AES-256: encryption at rest
  • RBAC: role-based access controls
  • Audit trail: activity history in-product

Buyer checklist

What finance should validate before switching accounting systems

The trust review should reduce migration risk, not just satisfy procurement. These are the checks that usually decide whether a move feels safe.

  • Confirm your approval, reviewer, and external accountant roles map cleanly into NewLedger permissions before go-live.
  • Validate that audit history on journals, invoices, payments, and reconciliations is clear enough for monthly review and year-end support.
  • Decide whether your buyer needs residency, DPA, or trust materials before procurement starts instead of late in the cycle.
  • Plan who owns migration validation so security and finance both know what must be checked before cutover.

If those answers are still unclear, the right next step is usually a trust and migration review, not a rushed self-serve trial.

Core controls

What protects your books

The baseline controls finance and security reviewers usually ask about first.

Encryption in transit and at rest

Customer data is encrypted in transit with TLS 1.3 and encrypted at rest with AES-256. Backups are encrypted before leaving the hosting region.

Least-privilege access

Role-based access control limits who can view, create, approve, or post accounting activity. SSO/SAML support is available for teams that need centralized identity.

Audit-friendly activity history

Accounting changes are recorded with actor, timestamp, and before/after context so finance teams and reviewers can trace what changed without exporting spreadsheets.

Region-pinned data

Teams can choose where data is stored and processed. Singapore is the default, with EU and US region options for customers with residency requirements.

Backups and recovery

Encrypted backups and restore procedures are part of the operating model. We test recovery workflows as part of ongoing operations.

Monitoring and incident response

Infrastructure and application signals are monitored for abnormal auth, change, and availability patterns. Incidents are handled through a documented response process.

Operating discipline

The posture behind the roadmap

We would rather show current engineering, people, and process controls than imply certifications we have not completed yet.

Engineering

Secure development practices

  • Code review on production changes
  • Dependency and static analysis checks in CI
  • Restricted production access with audited elevation
  • Secrets managed outside application code

People

Access discipline

  • Background checks for roles with production access
  • Security and privacy training for relevant team members
  • Periodic access reviews for privileged accounts
  • No standing production access by default

Process

Controls and vendor review

  • Controls aligned to SOC 2 principles; formal Type II audit is on the roadmap
  • External penetration testing planned as rollout scales
  • Incident response runbook in place; public status page on the roadmap
  • Security review for third-party processors and vendors

Data residency

Choose where data is stored

Singapore, Frankfurt, and Virginia region options are available for teams with residency requirements. Cross-region transfers are limited to authorized workflows and recorded in the audit trail.

EU customers can use Frankfurt (eu-central-1) with DPA support available on request.

  • APAC: Singapore
  • EMEA: Frankfurt
  • Americas: Virginia

Responsible disclosure

Found a security issue?

Email [email protected] with reproduction steps and impact. We aim to acknowledge reports within two business days and prioritize fixes based on severity.