LedgerOne is built for UK accounting practices with the security model of a bank and the transparency of an open document. Here's exactly how we protect your firm's data — and what's on the roadmap.
This page is maintained by LedgerOne to answer common security and privacy questions. It describes enabled platform controls and our current practices, and does not represent independent certification unless explicitly stated.
Every plan — from Solo to Enterprise — gets the same core security architecture. No security features locked behind a bigger price tag.
All data is encrypted in transit with TLS 1.3 and at rest with AES-256. Backups are encrypted with independently managed keys.
Client books, receipts, and reports are hosted in UK/EU regions. Data never leaves the region without your explicit request.
Every record is scoped to your firm at the database level. One firm can never query another firm's data — enforced by the database, not just the app.
Role-based permissions per seat: Partner, Manager, Bookkeeper, Read-only. Every action is logged to a tamper-evident audit trail.
Every view, edit, export, and login is recorded with user, timestamp, and IP. Available on the Firm plan and above for compliance reviews.
Point-in-time recovery for the last 7 days on all plans, 30 days on Firm and Enterprise. Restore any client's books to any minute.
We publish an honest status for every certification — what's in place today, what's in progress, and what remains your practice's responsibility. No badges we haven't earned.
Data processing agreement available on request. Subject access, rectification, and erasure supported from the admin console.
Architecture built to HMRC MTD specifications for VAT and Income Tax Self Assessment. Direct filing submission is on the roadmap and will be certified before general release.
We are working towards SOC 2 Type II with an accredited auditor. Target completion is within 12 months of general availability. Interim security memo available on request.
Information security management system controls in place; formal certification planned to follow SOC 2.
LedgerOne provides the tooling; your practice remains responsible for its regulatory obligations under ICAEW, ACCA, or other supervisory bodies. We're designed to make evidencing controls straightforward.
Security is a partnership. Here's who owns what — so nothing important falls between us.
Questions about our controls, DPA, or compliance roadmap? Email security@ledgerone.app and we'll reply within one business day.
Found a vulnerability? Report it to security@ledgerone.app. We acknowledge within 24 hours and won't take legal action against good-faith research.