Security & Privacy

PROTECTED BY DESIGN.

Your QuickBooks data contains your entire business — customers, revenue, vendors, payroll. We built QBAI with security as a foundation, using the same standards banks and Fortune 500 companies rely on.

AES-256: Encryption at rest
TLS 1.3: Encryption in transit
Stripe: PCI DSS Level 1
US-Based: Never sold or shared

AES-256 Encryption at Rest

Your financial data is stored in encrypted PostgreSQL databases using AES-256 — the same standard used by banks, the US government, and Fortune 500 companies. Even if storage media were physically compromised, your data remains unreadable without the encryption keys.

TLS 1.3 Encryption in Transit

All data moving between your browser and our servers is encrypted with TLS 1.3. Your QuickBooks data never travels unprotected over the internet: every byte is encrypted for the whole path between your browser and our servers.

Stripe-Powered Payments — PCI DSS Level 1

We never see or store your credit card number. All payments are processed by Stripe, a provider certified at PCI DSS Level 1, the highest tier. Your billing data lives on Stripe's servers, not ours. Stripe processes hundreds of billions of dollars annually for companies like Amazon, Google, and Shopify.

US-Based Infrastructure

QBAI is built, operated, and hosted in the United States. Your data is stored on US servers and is not subject to foreign government data access laws or cross-border data transfer regulations.

Your Data Is Never Sold or Shared

Your accounting data is yours. We do not sell, rent, or share your financial data with third parties, advertisers, or data brokers — ever. Your data is used solely to provide the QBAI service to your organization.

Org-Level Data Isolation

Every organization's data is strictly isolated. Your QuickBooks records are scoped to your account — no other user or company can access them. Access controls are enforced at the database query level on every single request, not just at the UI layer.

Secure Authentication

Passwords are hashed with bcrypt. Sessions use httpOnly, Secure, SameSite cookies that expire automatically. Session tokens are cryptographically random 256-bit values. We track IP address and device fingerprint for session anomaly detection.

Railway Infrastructure Security

We run on Railway, which provides isolated container environments, encrypted storage volumes, private networking between services, and automated security patches. Your data never shares infrastructure with other tenants at the storage level.

Payment Processing

Powered by Stripe

Stripe is a PCI Service Provider Level 1 certified payment processor — the highest certification available. Your card number is entered directly into Stripe's secure fields and never passes through our servers. We receive only a payment token. You can verify Stripe's security credentials at stripe.com/docs/security.

PCI DSS Level 1 via Stripe

What we will never do

Sell your financial data to third parties
Share your data with advertisers
Store your credit card number
Access your data without your permission
Transfer your data outside the United States
Use your data to train AI models

Questions about our security practices? Email [email protected]. QBAI is operated in the United States. Not affiliated with Intuit or QuickBooks.