Tidyflow is built for accounting firms that manage financial records, tax documents, and personally identifiable information. Protecting customer data is a core part of how we operate.
Infrastructure and Data Hosting
Tidyflow is hosted in U.S.-based data centres using DigitalOcean and Amazon Web Services (AWS). These providers maintain independently audited infrastructure and industry-recognized security certifications.
Both DigitalOcean and AWS undergo regular third-party audits, including SOC 2 reporting, and maintain robust physical and environmental controls across their data centres.
Security of the infrastructure follows a shared responsibility model:
- DigitalOcean and AWS secure the underlying physical infrastructure and network
- Tidyflow secures the application layer, access controls, and customer data
Read more about:
Data storage and backups
Customer data is stored using secure cloud infrastructure with controlled access.
Automated backups are performed regularly to support disaster recovery and business continuity. Backups are encrypted and retained according to an internal retention policy.
When customer data is deleted from the application, it is removed from active systems. Deleted data may remain in encrypted backups for a limited period before being automatically removed.
Encryption
In transit
All traffic to and from Tidyflow is encrypted using TLS.
At rest
Sensitive customer data fields are encrypted at rest within supported storage systems. Encrypted backups are also maintained to support disaster recovery.
Authentication and access control
Email-based authentication
Authentication is performed through secure connections to the user’s Microsoft or Google account.
Multi-Factor Authentication (MFA)
Tidyflow supports Multi-Factor Authentication. Admin users can require MFA for all users within their workspace.
Workspace separation
Each firm’s data is logically separated within the application. Users can only access the workspace they have been invited to, and cannot access data belonging to other firms.
Role-based permissions
Admins manage user roles and permissions to ensure appropriate access levels within their firm.
Administrative access
Access to production systems is restricted and granted only when required for customer support or issue resolution. We maintain internal controls to manage and review privileged access.
Activity logging
Tidyflow maintains internal logs for key system activities to support security monitoring and troubleshooting.
Incident response
Tidyflow maintains an internal incident response process. In the event of a confirmed security incident affecting customer data, impacted customers will be notified promptly.
Payments
Payments are processed by Stripe. Tidyflow does not store or process full credit card details on it's servers.
Vulnerability management and patching
Systems are kept up to date with security patches and updates to reduce exposure to known vulnerabilities. We perform ongoing security checks to help identify and mitigate potential risks.
Sub-processors
Tidyflow uses a limited number of trusted sub-processors to operate and support the service.
You can view the full list of sub-processors, including their purpose and location, on our Sub-processors page.
Contact
For security questions, data protection inquiries, or to report a vulnerability: