Security

Last updated May 20, 2026

Tidyflow is built for accounting firms that manage financial records, tax documents, and personally identifiable information. Protecting customer data is a core part of how we operate.


Infrastructure and Data Hosting

Tidyflow is hosted in U.S.-based data centres using DigitalOcean and Amazon Web Services (AWS). These providers maintain independently audited infrastructure and industry-recognized security certifications.

Both DigitalOcean and AWS undergo regular third-party audits, including SOC 2 reporting, and maintain robust physical and environmental controls across their data centres.

Security of the infrastructure follows a shared responsibility model:

  • DigitalOcean and AWS secure the underlying physical infrastructure and network
  • Tidyflow secures the application layer, access controls, and customer data


Data storage and backups

Customer data is stored using secure cloud infrastructure with controlled access.

Automated backups are performed regularly to support disaster recovery and business continuity. Backups are encrypted and retained according to an internal retention policy.

When customer data is deleted from the application, it is removed from active systems. Deleted data may remain in encrypted backups for a limited period before being automatically removed.


Encryption

In transit

All traffic to and from Tidyflow is encrypted using TLS.

At rest

All customer data is encrypted at rest at the storage layer. Selected sensitive fields — including personally identifying information on user and contact records and authentication credentials for connected services — are additionally encrypted at the application layer. Encrypted backups are maintained to support disaster recovery.


Authentication and access control

Signing in to Tidyflow

Users sign in to the Tidyflow application using either:

  • Single Sign-On with their Google or Microsoft account (via OAuth 2.0), or
  • An email address and password. Passwords are hashed using a strong, industry-standard adaptive hashing function before storage; raw passwords are never stored.
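The following is an added illustration of what "a strong, industry-standard adaptive hashing function" means in practice. It is not Tidyflow's code and makes no claim about which function or parameters Tidyflow uses; the choice of scrypt, the work factors, and the record format are assumptions made for the example. It shows the three properties the paragraph relies on: a fresh random salt per password, a cost parameter that can be raised over time (the "adaptive" part), and constant-time comparison on verification.

```python
import base64
import hashlib
import hmac
import os

# Assumed work factors for this illustration (not Tidyflow's settings):
# scrypt with N=2^14, r=8, p=1 needs about 16 MiB of memory per hash, which
# keeps offline guessing expensive while staying fast enough for a login.
SCRYPT_N = 2 ** 14
SCRYPT_R = 8
SCRYPT_P = 1
KEY_LEN = 32
SALT_LEN = 16


def _b64(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii")


def hash_password(password: str, *, n: int = SCRYPT_N, r: int = SCRYPT_R, p: int = SCRYPT_P) -> str:
    """Return a self-describing record of the form scrypt$N,r,p$salt$derived_key.

    A random salt per password means two users with the same password get
    different records, and storing the parameters alongside lets the cost be
    raised later without invalidating existing records. The keyword arguments
    exist only so migration from weaker parameters can be demonstrated.
    """
    salt = os.urandom(SALT_LEN)
    dk = hashlib.scrypt(password.encode("utf-8"), salt=salt, n=n, r=r, p=p, dklen=KEY_LEN)
    return f"scrypt${n},{r},{p}${_b64(salt)}${_b64(dk)}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the key from the stored salt and parameters, then compare in
    constant time so response timing does not reveal how many bytes matched."""
    try:
        scheme, params, salt_b64, dk_b64 = stored.split("$")
        n, r, p = (int(x) for x in params.split(","))
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(dk_b64)
    except ValueError:  # malformed record; binascii.Error is a ValueError subclass
        return False
    if scheme != "scrypt":
        return False
    candidate = hashlib.scrypt(password.encode("utf-8"), salt=salt, n=n, r=r, p=p, dklen=len(expected))
    return hmac.compare_digest(candidate, expected)


def needs_rehash(stored: str) -> bool:
    """True when a record was produced with weaker parameters than current policy.
    An application would re-hash the password on the user's next successful login."""
    try:
        scheme, params, _salt, _dk = stored.split("$")
        n, r, p = (int(x) for x in params.split(","))
    except ValueError:
        return True
    return scheme != "scrypt" or n < SCRYPT_N or r < SCRYPT_R or p < SCRYPT_P
```

The record stores everything needed to verify except the password itself, so the raw password never has to be kept anywhere; the database holds only salt, parameters and derived key.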

Connecting an email or calendar account

Connecting a Gmail, Google Calendar, or Microsoft 365 account to Tidyflow is performed exclusively through OAuth 2.0. Tidyflow never receives or stores the password for connected email or calendar accounts.

Multi-Factor Authentication (MFA)

Tidyflow supports Multi-Factor Authentication. Admin users can require MFA for all users within their workspace.

Workspace separation

Each firm’s data is logically separated within the application. Users can only access the workspace they have been invited to, and cannot access data belonging to other firms.
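Logical separation in a shared database rests on two checks that every data access path has to make: the caller must be a member of the workspace, and the record must be looked up by workspace as well as by its own id. The example below is added to illustrate that pattern; it is not Tidyflow's code, and the table layout, user names and workspace identifiers are constructed for the illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


class AccessDenied(Exception):
    """Raised when a user requests a workspace they have not been invited to."""


@dataclass(frozen=True)
class Contact:
    contact_id: int
    workspace_id: str
    name: str


# Constructed sample data: two firms' records live in one table, distinguished
# only by workspace_id, which is exactly the situation logical separation must handle.
MEMBERSHIPS: Dict[str, Set[str]] = {
    "alice@acme.example": {"ws-acme"},
    "bob@globex.example": {"ws-globex"},
}
CONTACTS: List[Contact] = [
    Contact(1, "ws-acme", "Acme client A"),
    Contact(2, "ws-globex", "Globex client B"),
    Contact(3, "ws-acme", "Acme client C"),
]


def require_membership(user: str, workspace_id: str) -> None:
    # First check: the caller must have been invited to this workspace.
    if workspace_id not in MEMBERSHIPS.get(user, set()):
        raise AccessDenied(f"{user} is not a member of {workspace_id}")


def list_contacts(user: str, workspace_id: str) -> List[Contact]:
    require_membership(user, workspace_id)
    # Every query is filtered by workspace_id; no code path reads across workspaces.
    return [c for c in CONTACTS if c.workspace_id == workspace_id]


def get_contact(user: str, workspace_id: str, contact_id: int) -> Optional[Contact]:
    require_membership(user, workspace_id)
    # Second check: the record is keyed by (workspace_id, contact_id), never by id alone.
    # A valid id belonging to another firm therefore behaves exactly like a
    # nonexistent one, so the response does not confirm that the other record exists.
    for c in CONTACTS:
        if c.workspace_id == workspace_id and c.contact_id == contact_id:
            return c
    return None
```

The second check is the one most often missed: a membership check on its own protects the workspace listing, but a single-record endpoint that looks up rows by id alone would still return another firm's data to any authenticated user who supplied that id.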

Role-based permissions

Admins manage user roles and permissions to ensure appropriate access levels within their firm.


Administrative access

Access to production systems is restricted and granted only when required for customer support or issue resolution. We maintain internal controls to manage and review privileged access.


Activity logging

Tidyflow maintains internal logs for key system activities to support security monitoring and troubleshooting.


Incident response

Tidyflow maintains an internal incident response process. In the event of a confirmed security incident affecting customer data, impacted customers will be notified promptly.


Payments

Payments are processed by Stripe. Tidyflow does not store or process full credit card details on its servers.


Vulnerability management and patching

Systems are kept up to date with security patches and updates to reduce exposure to known vulnerabilities. We perform ongoing security checks to help identify and mitigate potential risks.


Data deletion

Customers can request deletion of their account and the data Tidyflow holds on their behalf at any time by emailing [email protected] from the account email address (or a verified domain owner address for a firm-level deletion).

Once a deletion request is verified:

  • Tidyflow ceases any further syncing from connected mailboxes or calendars on the account and revokes the associated OAuth tokens
  • Account-level data, customer data, and any cached email or calendar event data are removed from active systems within 30 days
  • Encrypted backups continue to contain the deleted data for a limited period before being rotated out automatically, in accordance with the internal backup retention policy

Disconnecting a single mailbox or calendar (without deleting the wider account) follows the same 30-day cleanup window for that connection.


Sub-processors

Tidyflow uses a limited number of trusted sub-processors to operate and support the service.

You can view the full list of sub-processors, including their purpose and location, on our Sub-processors page.


Contact

For security questions, data protection inquiries, or to report a vulnerability:

[email protected]

FAQs

Where is Tidyflow hosted?
United States-based cloud infrastructure through DigitalOcean and AWS.

Is customer data encrypted?
Yes. All traffic is encrypted in transit via TLS, and data is encrypted at rest at the storage layer. Selected sensitive fields — including personally identifying information on user and contact records and authentication credentials for connected services — are additionally encrypted at the application layer.

How are backups handled?
Automated backups are performed multiple times per day to support disaster recovery and business continuity. Backups are encrypted and retained according to an internal retention policy for up to 12 months.

How is access to customer data controlled?
Role-based permissions within each account. Internal access is restricted and logged.

Does Tidyflow support MFA?
Yes. Admins can require MFA for all users.

Can customer data be deleted?
Yes. Upon request, customer data can be securely deleted.

What happens in the event of a security incident?
Tidyflow maintains an internal incident response process that defines roles, responsibilities, investigation procedures, and remediation steps in the event of a security issue. To date, we have not experienced any known data breaches affecting customer data.