How NewLedger protects accounting data
A clear view of the controls in place today — encryption, access management, audit history, and residency options — plus what is still on the roadmap, including SOC 2 Type II and ISO 27001.
What finance should validate before switching accounting systems
The trust review should reduce migration risk, not just satisfy procurement. These are the checks that usually decide whether a move feels safe.
- Confirm your approval, reviewer, and external accountant roles map cleanly into NewLedger permissions before go-live.
- Validate that audit history on journals, invoices, payments, and reconciliations is clear enough for monthly review and year-end support.
- Decide before procurement starts, not late in the cycle, whether your buyer needs residency, DPA, or trust materials.
- Plan who owns migration validation so security and finance both know what must be checked before cutover.
What protects your books
The baseline controls finance and security reviewers usually ask about first.
Encryption in transit and at rest
Customer data is encrypted in transit with TLS 1.3 and encrypted at rest with AES-256. Backups are encrypted before leaving the hosting region.
Least-privilege access
Role-based access control limits who can view, create, approve, or post accounting activity. SSO/SAML support is available for teams that need centralized identity.
Audit-friendly activity history
Accounting changes are recorded with actor, timestamp, and before/after context so finance teams and reviewers can trace what changed without exporting spreadsheets.
Region-pinned data
Teams can choose where data is stored and processed. Singapore is the default, with EU and US region options for customers with residency requirements.
Backups and recovery
Encrypted backups and restore procedures are part of the operating model. We test recovery workflows as part of ongoing operations.
Monitoring and incident response
Infrastructure and application signals are monitored for abnormal auth, change, and availability patterns. Incidents are handled through a documented response process.
The posture behind the roadmap
We would rather show current engineering, people, and process controls than imply certifications we have not completed yet.
Secure development practices
- Code review on production changes
- Dependency and static analysis checks in CI
- Restricted production access with audited elevation
- Secrets managed outside application code
Access discipline
- Background checks for roles with production access
- Security and privacy training for relevant team members
- Periodic access reviews for privileged accounts
- No standing production access by default
Controls and vendor review
- Controls aligned to SOC 2 principles; formal Type II audit is on the roadmap
- External penetration testing planned as rollout scales
- Incident response runbook in place; public status page on the roadmap
- Security review for third-party processors and vendors
Choose where data is stored
Singapore, Frankfurt, and Virginia region options are available for teams with residency requirements. Cross-region transfers are limited to authorized workflows and recorded in the audit trail.
Found a security issue?
Email [email protected] with reproduction steps and impact. We aim to acknowledge reports within two business days and prioritize fixes based on severity.