Trust & security

Finance software, treated like finance software.

SmartBooks handles regulated UK accounting data. Every architectural decision starts with HMRC and ICO obligations, not with a feature wishlist. This page documents how that holds up — sub-processors, certifications, encryption, access controls and our published incident process.

Security pillars

Six things SmartBooks guarantees.

These are the floors, not the ceilings. Each pillar has an associated runbook, owner and audit cadence inside the operating team.

Encryption in transit and at rest

TLS 1.3 between every client and SmartBooks. AES-256 at rest on all stored data. Database backups encrypted, key-managed and rotated automatically.

UK data residency by design

Primary infrastructure runs in UK and EU regions. Document storage, database and backups all stay within the UK/EU. Edge nodes serve cached static assets only.

UK GDPR and Data Protection Act 2018

Full UK GDPR compliance. ICO-aligned data-processing register. Data subject access requests (DSARs) handled within the statutory timeframe. Sub-processor list published and updated.

Role-based access and audit logs

Granular roles for firm partners, bookkeepers, reviewers and clients. Every action logged with actor, IP, user agent and timestamp. Audit log is read-only and exportable.

HMRC-grade submission trails

Every MTD VAT, MTD ITSA and Self Assessment submission stored with the full payload, HMRC receipt, response and bookkeeper approval. Replayable for any HMRC enquiry.

Bookkeeper-in-the-loop guardrail

No submission to HMRC happens without explicit approval by a named bookkeeper. No payment is collected without an invoice issued by an approved user. Automation cannot bypass the approval layer.

Certifications and standards

Honest status — what’s certified, what’s in progress.

We won’t claim a badge we don’t hold. This table reflects current status. Items marked “roadmap” have a target year — we’ll publish the certificate the moment it’s issued.

Standard                          Status
UK GDPR                           Compliant by design
Data Protection Act 2018          Compliant by design
PECR (cookies and e-marketing)    Compliant by design
ISO 27001                         Roadmap · target 2027
SOC 2 Type II                     Roadmap · target 2027
HMRC MTD recognition              In process

Sub-processors

The companies that touch SmartBooks data.

Sub-processors handle specific workloads under written instructions and a data-processing agreement. We publish the list and notify customers of additions in advance.

Sub-processor      Purpose                                          Region
Vercel             Hosting, edge network and serverless runtime     EU / UK
Supabase           Database, authentication, file storage           EU
Adfin              Direct debit, open banking and card payments     UK
Resend             Transactional email delivery                     EU / US
HMRC MTD APIs      MTD VAT and MTD ITSA submissions                 UK
Companies House    Statutory accounts filing                        UK

Vulnerability disclosure

Found something? Tell us first.

We operate a coordinated disclosure process. Report vulnerabilities to security@usesmartbooks.com with reproduction steps. We acknowledge within one working day, triage within three, and publish a fix timeline within ten.

  • Safe harbour: Good-faith research is welcomed and protected under our disclosure policy.
  • Scope: *.usesmartbooks.com and the production API. Out of scope: social engineering, physical attacks, denial of service.
  • Credit: Reporter credit on the changelog when a fix ships, unless you prefer anonymity.

Built like finance software should be.

Pilot cohorts get the full security review pack — sub-processor list, DPA, encryption attestation and incident-response playbook. Book a demo or join the waitlist.
