Security
We know that accountants and bookkeepers trust us with sensitive financial information. Protecting that data is one of our highest priorities.
Our engineering team is based in New Zealand and collectively has decades of experience working at global software leaders such as Xero, Vend, and Slack. That background shapes how we approach building secure, reliable systems that accountants and bookkeepers can trust.
At A Glance
A quick summary of the controls we operate and how we keep your data safe.
Our Approach
We align our practices with recognised frameworks for SaaS providers, including the Security Standard for Add-on Marketplaces (SSAM) and the accreditation requirements of the Xero App Store and Akahu Open Finance.
We are also committed to respecting your privacy. You can read more in our Privacy Policy.
Key Practices
All data is encrypted in transit using TLS and at rest using AES-256. Sensitive fields receive additional encryption at the application layer.
We support two-factor authentication (2FA) for all accounts. Access is controlled by role-based permissions and reviewed regularly.
Prosaic runs on AWS infrastructure in the Asia Pacific region. We follow AWS security best practices and maintain strict network segmentation.
Customer data is isolated per workspace. We do not sell or share your data. Our data handling practices are described in our Privacy Policy.
We maintain regular automated backups with point-in-time recovery. Our infrastructure is designed for high availability and resilience.
All team members receive regular security training. Security considerations are embedded into our engineering and product processes.
We follow secure development practices, conduct code reviews, and run automated security testing on every release.
We maintain comprehensive audit logs for all significant actions. Our infrastructure is monitored 24/7 with automated alerting.
We conduct security assessments of all third-party vendors before onboarding and review them annually. Vendors are contractually bound to maintain appropriate security standards.
Customer data is retained only as long as required by law or contract. We provide data export on request and securely delete data on account closure.
We maintain a documented incident response plan. In the event of a security incident, we will notify affected customers promptly in accordance with NZ privacy law.
We align our practices with the Security Standard for Add-on Marketplaces (SSAM) and the accreditation requirements of the Xero App Store and Akahu Open Finance.
Responsible AI
We leverage artificial intelligence to improve automation and efficiency in our product, but we follow best-practice recommendations for responsible AI use. Customer data sent to AI providers is not used to train their models, and we maintain human oversight of all AI-generated outputs.
Independent Accreditations
We have been externally accredited by Akahu Limited (Open Banking) and approved as a Xero App Store partner, both of which required an independent audit of our security practices.
Ongoing Commitment
Security isn’t static. We continually review and enhance our policies, technologies, and practices to meet evolving threats and customer expectations.
If you’d like more information about security at Prosaic, or require further details including copies of our policies and procedures, please contact us at hello@prosaic.works.