Security
Last updated: March 7, 2026
At TruePath Professional Services Group, the security of your financial data is our highest priority. This page describes the technical and organizational measures we employ to protect your information.
Data Encryption
All data stored within TruePath Accounting is encrypted using industry-standard algorithms:
- At Rest. All database records are encrypted using AES-256 encryption provided by our database infrastructure. Sensitive fields such as hosting provider API keys receive an additional layer of application-level AES-256-GCM encryption, with a unique initialization vector (nonce) generated for each record so that no nonce is reused under the same key. Because this second layer is applied by the application rather than by the storage layer, these values remain protected even if database contents are exposed.
- In Transit. All communication between your browser and our servers is encrypted using TLS 1.3. HTTP Strict Transport Security (HSTS) is enforced so that browsers connect to us only over HTTPS, preventing SSL-stripping attacks that downgrade a connection to plain HTTP.
Authentication
Authentication is managed through Clerk, a SOC 2 Type II certified identity platform:
- Multi-Factor Authentication (MFA). All users can enable MFA through authenticator apps or SMS verification for an additional layer of account security. Authenticator apps are the recommended option, since SMS codes can be intercepted through SIM-swap attacks.
- Session Management. Sessions are cryptographically signed and automatically expire after a period of inactivity. Session tokens are rotated regularly to minimize the window of exposure.
- Secure Password Policies. Password requirements include minimum length, complexity rules, and protection against known compromised credentials.
Access Controls
TruePath Accounting implements strict access controls at multiple levels:
- Role-Based Access Control (RBAC). Users are assigned roles (Admin, Accountant, Member) that determine their access to features and data. Administrative functions such as user management and billing are restricted to users with the Admin role.
- Organization-Level Isolation. Every database query is scoped to the authenticated user's organization. This tenant isolation boundary is enforced at the application layer through a centralized tenant context function that all data access must pass through.
- Audit Logging. Every create, update, and delete operation is recorded in an immutable audit log, capturing the user, timestamp, affected entity, and the specific changes made. Audit logs are retained for seven years.
Infrastructure
The Service is built on enterprise-grade infrastructure:
- Vercel Edge Network. The application is deployed on Vercel's global edge network, providing low-latency access, automatic DDoS protection, and high availability across multiple regions.
- Neon Serverless Postgres. Financial data is stored in Neon's serverless PostgreSQL database, which provides automatic backups, point-in-time recovery, and encryption at rest. Database connections use SSL/TLS encryption.
- No Direct Database Access. The database is not exposed to the public internet. All data access occurs through authenticated application endpoints.
Financial Data Integrity
TruePath Accounting is designed to maintain the integrity of your financial records:
- Double-Entry Accounting. Every financial transaction is recorded using the double-entry method, where every journal entry must balance (total debits equal total credits). This provides an inherent check on data integrity.
- Immutable Audit Trails. Posted journal entries cannot be silently modified. All changes are captured in the audit log, providing a complete history of every financial record.
- Bank Reconciliation. Built-in bank reconciliation tools allow you to verify that your records match your bank statements, identifying discrepancies promptly.
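The balance rule and the no-silent-edit rule from the first two items above, worked as an added example. This is not TruePath's accounting engine: the account names, the sample entries, the integer-cent representation and the "reverse rather than edit" correction workflow are assumptions made for the example.

```javascript
// Added example of double-entry validation and of correcting a posted entry by
// reversal rather than in-place edit. Not TruePath's engine: account names,
// sample entries and the ledger structure are constructed for the example.

// Amounts are integer cents. Floating point cannot represent most decimal
// amounts exactly (0.1 + 0.2 !== 0.3), which would make the "debits equal
// credits" check unreliable.
function validateEntry(entry) {
  if (!Array.isArray(entry.lines) || entry.lines.length < 2) {
    return { ok: false, reason: 'an entry needs at least two lines' };
  }
  let debits = 0;
  let credits = 0;
  for (const line of entry.lines) {
    const { debitCents: d, creditCents: c } = line;
    if (!Number.isInteger(d) || !Number.isInteger(c) || d < 0 || c < 0) {
      return { ok: false, reason: 'amounts must be non-negative integer cents' };
    }
    if ((d > 0) === (c > 0)) {
      return { ok: false, reason: 'each line is either a debit or a credit, not both or neither' };
    }
    debits += d;
    credits += c;
  }
  if (debits !== credits) {
    return { ok: false, reason: `unbalanced: debits ${debits} != credits ${credits}` };
  }
  return { ok: true, total: debits };
}

const ledger = { entries: [], nextId: 1 };

// Posting validates, then freezes the entry and its lines so nothing can change
// them in place; later corrections have to be new entries.
function postEntry(entry) {
  const v = validateEntry(entry);
  if (!v.ok) throw new Error(v.reason);
  const posted = Object.freeze({
    id: ledger.nextId++,
    date: entry.date,
    memo: entry.memo,
    reverses: entry.reverses ?? null,
    lines: Object.freeze(entry.lines.map((l) => Object.freeze({ ...l }))),
  });
  ledger.entries.push(posted);
  return posted;
}

// Correcting a posted entry: post a mirror-image entry that references the
// original. Both stay in the ledger, so the history shows what was booked and
// what undid it, instead of a quietly rewritten record.
function reverseEntry(id, memo) {
  const orig = ledger.entries.find((e) => e.id === id);
  if (!orig) throw new Error(`entry ${id} not found`);
  if (ledger.entries.some((e) => e.reverses === id)) throw new Error(`entry ${id} already reversed`);
  return postEntry({
    date: orig.date,
    memo,
    reverses: id,
    lines: orig.lines.map((l) => ({ account: l.account, debitCents: l.creditCents, creditCents: l.debitCents })),
  });
}

// Net balance per account (debit-positive). Because every posted entry balances,
// the balances across all accounts always sum to zero; a non-zero sum means
// the ledger was modified outside the posting path.
function trialBalance() {
  const balances = {};
  for (const e of ledger.entries) {
    for (const l of e.lines) {
      balances[l.account] = (balances[l.account] ?? 0) + l.debitCents - l.creditCents;
    }
  }
  return balances;
}
```

In a real system the freeze would be enforced by the database (no UPDATE or DELETE permission on the posted-entries table for the application role) rather than by an in-process object flag, and the "balances sum to zero" check is a cheap integrity probe worth running on a schedule against stored data.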
Compliance Alignment
While TruePath Accounting is not itself a certified entity, our security practices align with recognized standards:
- SOC 2 Controls. Our security practices are designed around SOC 2 trust service criteria, including security, availability, and confidentiality. Our key infrastructure providers (Clerk, Vercel, Neon) maintain their own SOC 2 certifications.
- GAAP Compliance. The accounting engine implements Generally Accepted Accounting Principles (GAAP), including proper revenue recognition, accrual-basis accounting, and standardized financial reporting.
- PCI DSS. Payment card data is handled exclusively by Stripe, a PCI DSS Level 1 certified payment processor. TruePath never stores, processes, or transmits cardholder data directly.
Data Retention and Deletion
Financial records are retained for seven years in accordance with IRS requirements. Upon account termination, you have a 30-day window to export your data. After this period, data is permanently deleted from our systems, except where retention is legally mandated.
You may request deletion of your personal information at any time, subject to legal retention requirements for financial records.
Incident Response
TruePath maintains an incident response plan to address security events promptly:
- Detection. Automated monitoring and alerting systems detect anomalous activity in real time.
- Response. Our team investigates and contains security incidents as quickly as possible to minimize impact.
- Notification. Affected users are notified within 72 hours of a confirmed data breach, as detailed in our Privacy Policy.
- Remediation. Root cause analysis is conducted for all incidents, and corrective measures are implemented to prevent recurrence.
Contact
If you have security concerns, wish to report a vulnerability, or have questions about our security practices, please contact our security team:
TruePath Professional Services Group
Security Inquiries: security@truepathpsg.com
We take all security reports seriously and will acknowledge receipt within 24 hours. We appreciate responsible disclosure and will work with researchers to address confirmed vulnerabilities.