Trust & Security

Your clients' books, safer than a spreadsheet.

LedgerOne is built for UK accounting practices with the security model of a bank and the transparency of an open document. Here's exactly how we protect your firm's data — and what's on the roadmap.

This page is maintained by LedgerOne to answer common security and privacy questions. It describes enabled platform controls and our current practices, and does not represent independent certification unless explicitly stated.

Security by default

Every plan — from Solo to Enterprise — gets the same core security architecture. No security features locked behind a bigger price tag.

Encrypted end-to-end

All data is encrypted in transit with TLS 1.3 and at rest with AES-256. Backups are encrypted with independently managed keys.

UK & EU data residency

Client books, receipts, and reports are hosted in UK/EU regions. Data never leaves the region without your explicit request.

Row-level isolation

Every record is scoped to your firm at the database level. One firm can never query another firm's data — enforced by the database, not just the app.

Least-privilege access

Role-based permissions per seat: Partner, Manager, Bookkeeper, Read-only. Every action is logged to a tamper-evident audit trail.

Full audit trail

Every view, edit, export, and login is recorded with user, timestamp, and IP. Available on the Firm plan and above for compliance reviews.

Continuous backups

Point-in-time recovery for the last 7 days on all plans, 30 days on Firm and Enterprise. Restore any client's books to any minute.

Compliance & regulation

We publish an honest status for every certification — what's in place today, what's in progress, and what remains your practice's responsibility. No badges we haven't earned.

GDPR-aligned data handling

In place

Data processing agreement available on request. Subject access, rectification, and erasure supported from the admin console.

HMRC Making Tax Digital ready

In place

Architecture built to HMRC MTD specifications for VAT and Income Tax Self Assessment. Direct filing submission is on the roadmap and will be certified before general release.

SOC 2 Type II

In progress

We are working towards SOC 2 Type II with an accredited auditor. Target completion is within 12 months of general availability. Interim security memo available on request.

ISO 27001

In progress

Information security management system controls in place; formal certification planned to follow SOC 2.

ICAEW / ACCA practice compliance

Owner responsibility

LedgerOne provides the tooling; your practice remains responsible for its regulatory obligations under ICAEW, ACCA, or other supervisory bodies. We're designed to make evidencing controls straightforward.

Shared responsibility

Security is a partnership. Here's who owns what — so nothing important falls between us.

LedgerOne

  • Platform security, encryption, patching, backups
  • Infrastructure availability and disaster recovery
  • Access controls and audit logging inside the product
  • Data residency and processor-side GDPR obligations

Your practice

  • Seat management, staff on/offboarding, and role assignment
  • Client engagement letters, AML/KYC, and record retention rules
  • Your regulatory obligations (ICAEW, ACCA, HMRC MLR, GDPR as controller)
  • Strong passwords, MFA, and device security for your team

Security contact

Questions about our controls, DPA, or compliance roadmap? Email security@ledgerone.app and we'll reply within one business day.

Responsible disclosure

Found a vulnerability? Report it to security@ledgerone.app. We acknowledge within 24 hours and won't take legal action against good-faith research.

Documents on request

Data Processing Agreement, security whitepaper, subprocessor list, and current control matrix are all available under NDA. Get in touch and we'll send everything within one business day.