Security
You're trusting us with the most sensitive operational data your business generates — every invoice, every bill, every bank statement. Here's what we do to keep it safe, in plain English.
Every request between your browser and our servers travels over TLS 1.3 — the same encryption banks use. Once it arrives, your data sits in a Postgres database where every row is encrypted on disk by AWS KMS (via Supabase). If someone walked off with the physical hardware, they'd get ciphertext.
We enforce isolation at two layers. The application code queries only the client that matches the signed-in email. The database itself refuses — via Row-Level Security policies — to return any row that doesn't belong to your account, even if a future code path made a mistake. Defense in depth.
Your books are visible only to your signed-in account, authorized 1folder personnel assigned to bookkeeping delivery or review, and required sub-processors. No third-party analytics can view your books. Admin access is allowlisted, and new staff access will be scoped and audited.
Your monthly reports are served via signed URLs that expire in 15 minutes. Forward a link by accident? It stops working before anyone can act on it. Re-visit the portal and the fresh link is waiting.
We strongly recommend turning on 2FA. Open your account settings, scan a QR with 1Password / Authy / Google Authenticator, and from then on sign-in requires the 6-digit code from your phone. Even if your email is compromised, your books stay private.
Set up at /account/security.
Our servers run on Vercel and Supabase — both US-based, both SOC 2 Type II compliant. Your document folder lives in a private Google Drive inside our Workspace. Google Workspace is SOC 2, ISO 27001, and HIPAA eligible. No data leaves North America.
Some clients can use a Mac mini Privacy Gateway. In that mode, raw financial exports stay on the client-controlled device, the local agent writes only anonymized files and clean manifests to 1folder, and the private mapping vault never leaves the client environment.
Model choices are explicit: deterministic rules, local open-weight models running on the appliance, or hosted frontier models such as OpenAI/Claude when the client chooses a cloud-assisted workflow.
If we ever discover a security incident affecting your data, we'll email you within 72 hours with what happened, what we know, and what we're doing about it. We'll report to the relevant authorities as required by US law. We take this seriously — for a product whose job is trust, a breach is an existential failure.