Your data is serious.
We treat it that way.
Financial data demands real security - not a checkbox on a sales page. VibeCFO has been protecting accounting-firm data since 2018. Here's how we handle your data, your access, and AI specifically.
Hosted on Amazon Web Services
Our platform runs entirely on AWS Australia (Sydney) - the same infrastructure trusted by the world's largest banks and government agencies.
A dedicated database per business
Every business gets its own dedicated database. Your data is never pooled with anyone else's.
Complete data isolation
Your data is physically separated from every other business.
No cross-tenant risk
A vulnerability in one business's environment can never expose another's.
Firm-level segmentation
Firms managing multiple clients get Row Level Security, so each client organisation only sees their own data.
Clean data lifecycle
When you leave, your data is entirely removed. No residual data.
This is the gold standard for financial data - and most platforms don't offer it because it costs more to run.
Layered protection
Multi-Factor Authentication
- Required for every user account
- Authenticator app and SMS support
- Automatic session timeout
Encryption Everywhere
- TLS 1.3 for all data in transit
- AES-256 at rest across all databases
- Encrypted connections between components
Access Controls & Audit Logging
- Role-based permissions
- Full audit logging of user actions
- Suspicious-activity monitoring
AI Security
AI and financial data is a sensitive combination. Here's exactly how EVA handles your data - and why you can't jailbreak her.
Text-to-SQL, not magic
EVA translates your question into a SQL query against your database. Pin a visual and it becomes a stored SQL command - no longer processed by AI. You can trust EVA's numbers like a Power BI report or an Excel formula.
Never used to train models
EVA uses frontier models from Anthropic and OpenAI on AWS - they don't train on your data. Under our Xero partnership we're contractually prohibited from training on client data.
Can't reach beyond your database
Every clientID has a unique database username and password. EVA only holds the credentials for your data - it's technically impossible to jailbreak her into another database. No email, no export, no sending data anywhere.
Hallucinations aren't a risk here
EVA doesn't generate numbers, she writes SQL. The numbers come straight from your database - the same source your accountant uses. If something looks off, it's the ETL refresh, not the AI.
Always-on, audited, accountable
- AWS security best-practice architecture review
- Xero, MYOB, XPM, Reapit annual security assessments - passed
- GDPR-aligned data protection practices
- Automated weekly vulnerability scanning
- 644 automated security tests in CI
ISO 27001 Certification
Formal gap analysis complete. Active remediation underway. Target certification: December 2026.
Built to last
VibeCFO has been operating since 2018 - serving 120+ firms managing 800+ client orgs across Australia, New Zealand, the UK, US and Canada. We're not a startup that appeared last month. This is what we do, and we've been doing it for eight years.
Security & access, explained
How does VibeCFO keep one client's data separate from another's?
Every business gets a dedicated database, and within it every clientID has unique database credentials plus inbuilt row-level security. EVA only ever holds the credentials for your data, so it is technically impossible for one client to see another's - zero cross-contamination.
Can I control what my team and clients can see?
Yes. You can segment users into groups and apply role-based permissions - firm admin, staff, client and read-only - so each person only sees the reports, tools and data they should.
Is my data used to train AI models?
No. EVA uses frontier models that do not train on your data, and under our Xero partnership we are contractually prohibited from training on client data. EVA's numbers come from SQL queries against your database, not generated text.
Where is my data hosted?
Entirely on AWS (Sydney for AU/NZ), with dedicated regional infrastructure for Australia, New Zealand, the UK, US and Canada. Encrypted in transit (TLS 1.3) and at rest (AES-256).
Security you can trust. EVA you can use.
7-day trial with our customer success team, then pay per integration and seat. Sign up to get started, or book a demo first. Need security documentation for compliance? Just ask.