Vibe CFO

Your Data Is Serious. We Treat It That Way.

Financial data demands real security — not a checkbox on a sales page. VibeCFO has been protecting accounting firm data since 2018. The sections below cover both our infrastructure security and how we handle AI specifically.

Hosted on Amazon Web Services

Our platform runs entirely on AWS Australia (Sydney), the same infrastructure trusted by the world's largest banks, government agencies, and financial institutions.

  • Fully managed database infrastructure with automated failover and continuous backups
  • Serverless compute with no shared tenancy
  • All data encrypted in transit (TLS 1.3) and at rest (AES-256)
  • Dedicated regional infrastructure for Australia, New Zealand, United Kingdom, United States, and Canada

Dedicated Database Per Business

Every business that signs up to VibeCFO gets its own dedicated database. Your data is not pooled with other businesses.

  • Complete data isolation: your data is physically separated from every other business.
  • No cross-tenant risk: a vulnerability in one business's environment can never expose another's.
  • Firm-level segmentation: accounting firms managing multiple clients benefit from Row Level Security, ensuring each client organisation only sees their own data.
  • Clean data lifecycle: when you leave, your data is entirely removed. No residual data.

This is the gold standard for financial data — and most platforms don't offer it because it costs more to operate.

Security Features

Multiple layers of security to protect your data and access

Multi-Factor Authentication

All platform access requires MFA. No exceptions.

  • Required for every user account
  • Authenticator app and SMS support
  • Automatic session timeout and management

Encryption Everywhere

  • TLS 1.3 for all data in transit
  • AES-256 encryption at rest across all databases
  • Encrypted connections between all platform components

Access Controls & Audit Logging

  • Role-based permissions (firm admin, staff, client, read-only)
  • Full audit logging of user actions
  • Automated session management and suspicious activity monitoring

AI Security

We know AI and financial data is a sensitive combination. Here's exactly how EVA handles your data, why you can't jailbreak her, and why hallucinations aren't a risk with our architecture.

How EVA Works — Text-to-SQL, Not Magic

EVA's core technology is text-to-SQL. Behind the scenes, we've invested significant time and resources mapping every integration's API schema — bundling, grouping, and merging tables and columns from API endpoints into clean, understandable data points. When you ask “total wages this month”, EVA translates that into a SQL query against your database. That's it. No generative guesswork.

Each integration has its own nuances — for example, “Sales this month” in Xero means Trading Income, which includes Account Type = Revenue and Sales. We map these nuances per integration so EVA understands your intent correctly.

When you check a visual and pin it to your dashboard, it becomes a stored SQL command querying your database. It is no longer processed by AI. If wages look incorrect or aren't updating, the issue is almost certainly in our ETL refreshing the data — not an AI hallucination. You can feel as confident in EVA's numbers as you do in a Power BI report or Excel formula.
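To make the text-to-SQL flow above concrete, here is an added example (not VibeCFO's code) of the pattern it describes: the model only selects a key from an allowlist of pre-mapped metric definitions, the SQL text itself is fixed and parameterised, and a pinned visual is just that stored query re-run without any model. The sqlite ledger, the `journal` table, the `METRICS` allowlist and the keyword-based `pick_metric` stand-in for the model are all constructed here for illustration; the Xero "Trading Income = Revenue + Sales" mapping comes from the paragraph above.

```python
import sqlite3
from dataclasses import dataclass

# Constructed sample ledger rows standing in for one business's database.
SAMPLE_ROWS = [
    ("2024-05-02", "Revenue", 1200.0),
    ("2024-05-10", "Sales", 800.0),
    ("2024-05-15", "Other Income", 300.0),  # not Trading Income under the Xero mapping
    ("2024-05-20", "Wages", 2500.0),
    ("2024-04-28", "Revenue", 999.0),       # previous month, must be excluded
]


def open_sample_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE journal (txn_date TEXT, account_type TEXT, amount REAL)")
    conn.executemany("INSERT INTO journal VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


# Hypothetical allowlist of metric definitions, keyed by integration. The model
# may only pick a key from this table; nothing the model says ever becomes SQL.
METRICS = {
    "xero": {
        "sales_this_month":
            "SELECT COALESCE(SUM(amount), 0) FROM journal "
            "WHERE account_type IN ('Revenue', 'Sales') "
            "AND strftime('%Y-%m', txn_date) = ?",
        "wages_this_month":
            "SELECT COALESCE(SUM(amount), 0) FROM journal "
            "WHERE account_type = 'Wages' "
            "AND strftime('%Y-%m', txn_date) = ?",
    },
}


def pick_metric(question):
    """Stand-in for the language model: map a question to a metric key.

    A real system would have the model return the key; this keyword lookup
    exists only so the example runs offline.
    """
    q = question.lower()
    if "sales" in q:
        return "sales_this_month"
    if "wages" in q:
        return "wages_this_month"
    raise ValueError("no allowlisted metric matches: %r" % question)


@dataclass(frozen=True)
class PinnedVisual:
    """A pinned dashboard visual: a fixed query plus its bound parameters."""
    integration: str
    metric_key: str
    sql: str
    params: tuple


def compile_question(integration, question, month):
    """Text-to-SQL by lookup: resolve the question to an allowlisted query."""
    key = pick_metric(question)
    sql = METRICS[integration][key]  # KeyError if the key is not allowlisted
    return PinnedVisual(integration, key, sql, (month,))


def run_pinned(conn, visual):
    """Refresh a pinned visual. No model involved: it is just a stored query."""
    return conn.execute(visual.sql, visual.params).fetchone()[0]


def unsafe_key_is_rejected(integration, key):
    """Anything outside the allowlist fails closed before reaching the database."""
    try:
        METRICS[integration][key]
        return False
    except KeyError:
        return True
```

The point of the design is that the model's output is data (a metric key), never code: if it returns something outside the allowlist the lookup fails closed, and a wrong number can only come from the rows in the table, which is the ETL failure mode the paragraph describes.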

Your Data Is Never Used to Train Models

EVA uses frontier models from Anthropic (Claude) and OpenAI, running on AWS infrastructure. These models do not train on your data by default.
Under our Xero partnership agreement, we are legally prohibited from training on any client data. This is a contractual obligation, not just a policy choice.
On your profile page, you can opt in or opt out of having your questions used to improve EVA's ability to understand natural language. This only covers the phrasing of your questions — never your financial data, results, or any client information.

EVA Cannot Access Anything Beyond Your Database

Every clientID is assigned a unique database username and password from the backend. EVA only ever has the credentials for your specific database. It is technically impossible to jailbreak EVA into accessing a different database or clientID — the credentials simply don't exist in her context.
EVA has no email access, no file export capability, and no ability to send data anywhere. She can only query your database and return results to your screen.
All AI processing runs through AWS Sydney infrastructure. Your data stays onshore and never leaves Australian data centres.
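The credential scoping described in this section, shown as an added example rather than VibeCFO's own code: the backend holds one dedicated database and one credential per clientID, and the AI layer is handed a session object that contains nothing but a single read-only handle. The in-memory sqlite databases, the `_REGISTRY` dictionary and the `EvaSession` class are all constructed assumptions standing in for a managed database and its per-client users; `PRAGMA query_only` plays the role of a read-only database role.

```python
import sqlite3
import secrets

# Constructed backend-side registry: one dedicated database and one credential
# per clientID. Only the backend holds this; the AI layer never sees it.
_REGISTRY = {}


def provision_client(client_id, rows):
    """Create a client's own database and mint a credential unique to it."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE journal (account_type TEXT, amount REAL)")
    conn.executemany("INSERT INTO journal VALUES (?, ?)", rows)
    _REGISTRY[client_id] = {
        "username": f"eva_{client_id}",
        "password": secrets.token_urlsafe(24),
        "conn": conn,
    }
    return _REGISTRY[client_id]["password"]


class EvaSession:
    """All the AI layer receives: one read-only handle to one database.

    It carries no registry, no other client's credentials and no way to
    write or send data anywhere; the only operation is query().
    """
    __slots__ = ("_conn",)

    def __init__(self, conn):
        conn.execute("PRAGMA query_only = 1")  # any write now raises OperationalError
        self._conn = conn

    def query(self, sql, params=()):
        return self._conn.execute(sql, params).fetchall()


def open_session(client_id, password):
    """Backend-side: exchange a client's own credential for a scoped session."""
    entry = _REGISTRY.get(client_id)
    if entry is None or not secrets.compare_digest(entry["password"], password):
        raise PermissionError("unknown client or wrong credential")
    return EvaSession(entry["conn"])


def total(session):
    return session.query("SELECT SUM(amount) FROM journal")[0][0]


def write_is_blocked(session):
    """True if the session refuses writes: data can be read out, never changed."""
    try:
        session.query("INSERT INTO journal VALUES ('Wages', 1)")
        return False
    except sqlite3.OperationalError:
        return True


def cross_tenant_is_blocked(client_id, other_password):
    """A credential minted for one client opens nothing for another."""
    try:
        open_session(client_id, other_password)
        return False
    except PermissionError:
        return True
```

The check a reviewer would want here is that the session type has no path back to the registry (hence `__slots__` with a single field) and that the handle it wraps is read-only, so a prompt that persuades the model to "write" or "export" has nothing to act on.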

AI Hallucinations — Why They're Not a Risk Here

The term “hallucination” refers to an AI generating plausible but incorrect information. This is a real concern when AI is asked to write essays, generate images, or answer open-ended questions. It is not a concern with EVA's architecture.

EVA doesn't “generate” numbers. She writes SQL queries. The numbers come directly from your database — the same source your accountant uses.
Once you pin a visual to your dashboard, it's a fixed SQL query. It no longer involves AI at all. Querying a database is no different from querying a Power BI report or an Excel formula.
If a number looks wrong, the cause is almost always in the ETL pipeline refreshing data from your integration's API — not in the AI layer. The same issue would appear in any reporting tool connected to the same data source.

Ongoing Commitment to AI Security Best Practice

AI security is a moving target. Models change, new vulnerabilities emerge, and best practices evolve. We treat this as an ongoing discipline, not a one-time checkbox.

We regularly attend AI security training from AWS and industry experts, implementing recommendations as they emerge.
We do not lock ourselves into a single model provider. As models and LLMs evolve, we will continue to work with the best options to deliver for our clients. We cannot guarantee the use of Anthropic or any specific provider indefinitely — our commitment is to security and accuracy, not to a particular brand.

Trusted Integration Partners

We maintain approved partner status with leading accounting and practice management platforms, passing their independent annual security assessments.

  • Xero: Approved Partner
  • MYOB: Approved Partner
  • XPM (Xero Practice Manager): Approved Partner
  • Reapit: Approved Partner

We also integrate with CIN7 and Shopify, with additional partner approvals in progress.

These aren't self-declared badges. Each partner independently reviews our security practices, data handling, and API usage.

Compliance & Certifications

Our current compliance status and ongoing security initiatives

Current

  • AWS security best practices and architecture review
  • Xero, MYOB, XPM, Reapit annual security assessments — passed
  • GDPR-aligned data protection practices
  • Automated weekly vulnerability scanning across all platform components
  • 644 automated security tests with continuous integration

In Progress

ISO 27001 Certification

Formal gap analysis complete. Active remediation program underway. Target certification: December 2026.


Automated Security Operations

Continuous automated scanning and auditing across the entire platform.

Job                     Schedule                      Status
Daily dependency scan   7:00 AM ACST daily            Ready
Weekly secrets scan     Monday 8:00 AM ACST           Ready
Weekly AWS audit        Wednesday 8:00 AM ACST        Ready
Weekly code hygiene     Tuesday 9:00 AM ACST          Ready
Weekly doc staleness    Thursday 8:00 AM ACST         Ready
Weekly ISO 27001        Friday 10:00 AM ACST          Ready
Monthly health audit    1st of month 10:00 AM ACST    Ready

Built to Last

VibeCFO has been operating since 2018 — serving 120+ accounting firms managing 800+ client organisations across Australia, New Zealand, the UK, US, and Canada. We process financial data daily across Xero, MYOB, XPM, Reapit, CIN7, and Shopify integrations.

We're not a startup that appeared last month. This is what we do, and we've been doing it for eight years.

Security Questions?

Have specific security requirements or need our security documentation for your compliance process? Contact us directly.