Security

Built to protect your books.

Imprest handles your business's financial data. We treat that responsibility the way an accountant would — with strict controls, full transparency, and your right to walk away with everything you put in.

Infrastructure

Encryption and isolation.

Encrypted in transit

All connections to Imprest use TLS 1.2+. We don't accept unencrypted traffic.

Encrypted at rest

All customer data is encrypted at rest using AES-256. Keys are managed via cloud KMS.

Isolated tenancy

Every organization's data is logically isolated by composite primary key and verified by row-level access checks on every query.

Hosted in the United States

Currently US-only. EU residency is on the roadmap.

Access & audit

Who can do what — and what gets logged.

  • Multi-factor authentication. Required for all admin and owner roles; available for all users.
  • Role-based access. Granular permissions per organization. Invite bookkeepers and accountants at no extra cost without owner-level access.
  • Audit log. Every posting, edit, void, period lock, and unlock is logged with user, timestamp, and before/after state. Part of the product, not an enterprise upcharge.

Period locking

Accounting integrity, by default.

Once a period is closed, Imprest stops anyone from posting back to it — including admins — without an explicit unlock event that the audit log captures. This is how accounting software is supposed to work; it's not a feature we expect customers to be impressed by, but it's one we expect to be present, and it is.

Compliance

Honest about what we have and what we're working on.

SOC 2 Type II
In progress — target [date TBD]
PCI DSS
N/A directly — payments handled by Stripe (PCI Level 1)
GDPR / CCPA
Privacy policy + data-subject request workflow live
HIPAA
Not in scope

Customer-owned data

Three statements.

  • Export anytime. Full export in standard formats (CSV, QBO, IIF where applicable) from inside the product. No paid upgrade required.
  • Retention after cancellation. We retain your data for 12 months after cancellation in case you return, then permanently delete on request.
  • No data sales, ever. Customer business data is never used to train cross-customer models, sold, or shared with third parties for marketing purposes.

Sub-processors

Third-party services that touch customer data.

List maintained as the current truth. Stale sub-processor lists are a real audit failure mode.

ServiceHandlesTheir security page
PlaidBank feed connectionsplaid.com/legal
StripePayments processingstripe.com/security
AWSInfrastructureaws.amazon.com/security
[Email provider]Transactional email[link]
[Observability]Monitoring[link]

Incident response

If something happens.

  • Detection. Production systems are monitored 24/7 for security events.
  • Notification. Affected customers notified within [N hours/days] of confirming an incident that may have exposed their data.
  • Disclosure. Material breaches disclosed publicly on the status page.

Reporting a vulnerability

Found a security issue?

Email security@imprest.ai. We respond within 24 hours and pay disclosed bounties for valid reports per our disclosure policy.

Read the legal too.

Privacy policy, terms of service, and DPA available from the footer.

Privacy policy