Security & Trust

Your data is serious.
We treat it that way.

Financial data demands real security - not a checkbox on a sales page. VibeCFO has been protecting accounting-firm data since 2018. Here's how we handle your data, your access, and AI specifically.

Hosted on Amazon Web Services

Our platform runs entirely on AWS Australia (Sydney) - the same infrastructure trusted by the world's largest banks and government agencies.

Fully managed databases with automated failover and continuous backups
Serverless compute with no shared tenancy
Encrypted in transit (TLS 1.3) and at rest (AES-256)
Dedicated regional infrastructure for AU, NZ, UK, US and Canada

A dedicated database per business

Every business gets its own dedicated database. Your data is never pooled with anyone else's.

Complete data isolation

Your data is physically separated from every other business.

No cross-tenant risk

A vulnerability in one business's environment can never expose another's.

Firm-level segmentation

Firms managing multiple clients get Row Level Security, so each client organisation only sees their own data.

Clean data lifecycle

When you leave, your data is entirely removed. No residual data.

This is the gold standard for financial data - and most platforms don't offer it because it costs more to run.

Sharing & Access

Share reports and the tools EVA builds with the people who need them - your team, your board, your clients - while making sure each person only ever sees what they should.

Share with stakeholders

Publish a report or a tool once and give the right people access - no exporting, no emailing spreadsheets around.

Segment users into groups

Organise people into groups and control exactly what each group can see and do, from firm admin to read-only client access.

Inbuilt row-level security

Row Level Security is enforced at the data layer, so a user scoped to one client can never see another's - zero cross-contamination.

Role-based permissions

Firm admin, staff, client and read-only roles mean access is granted by intent, not by accident.

Security features

Layered protection

Multi-Factor Authentication

  • Required for every user account
  • Authenticator app and SMS support
  • Automatic session timeout

Encryption Everywhere

  • TLS 1.3 for all data in transit
  • AES-256 at rest across all databases
  • Encrypted connections between components

Access Controls & Audit Logging

  • Role-based permissions
  • Full audit logging of user actions
  • Suspicious-activity monitoring

AI Security

AI and financial data is a sensitive combination. Here's exactly how EVA handles your data - and why you can't jailbreak her.

Text-to-SQL, not magic

EVA translates your question into a SQL query against your database. Pin a visual and it becomes a stored SQL command - no longer processed by AI. You can trust EVA's numbers like a Power BI report or an Excel formula.

Never used to train models

EVA uses frontier models from Anthropic and OpenAI on AWS - they don't train on your data. Under our Xero partnership we're contractually prohibited from training on client data.

Can't reach beyond your database

Every clientID has a unique database username and password. EVA only holds the credentials for your data - it's technically impossible to jailbreak her into another database. No email, no export, no sending data anywhere.

Hallucinations aren't a risk here

EVA doesn't generate numbers, she writes SQL. The numbers come straight from your database - the same source your accountant uses. If something looks off, it's the ETL refresh, not the AI.

Compliance & operations

Always-on, audited, accountable

Certified / active
  • AWS security best-practice architecture review
  • Xero, MYOB, XPM, Reapit annual security assessments - passed
  • GDPR-aligned data protection practices
  • Automated weekly vulnerability scanning
  • 644 automated security tests in CI
In progress - not yet certified

ISO 27001 Certification

Formal gap analysis complete. Active remediation underway. Target certification: December 2026.

Automated security operations
JobSchedule
Daily dependency scan7:00 AM ACST daily
Weekly secrets scanMonday 8:00 AM ACST
Weekly AWS auditWednesday 8:00 AM ACST
Weekly code hygieneTuesday 9:00 AM ACST
Weekly ISO 27001Friday 10:00 AM ACST
Monthly health audit1st of month 10:00 AM ACST

Built to last

Since 2018120+ firms800+ client orgsAWS Sydney

VibeCFO has been operating since 2018 - serving 120+ firms managing 800+ client orgs across Australia, New Zealand, the UK, US and Canada. We're not a startup that appeared last month. This is what we do, and we've been doing it for eight years.

FAQ

Security & access, explained

How does VibeCFO keep one client's data separate from another's?

Every business gets a dedicated database, and within it every clientID has unique database credentials plus inbuilt row-level security. EVA only ever holds the credentials for your data, so it is technically impossible for one client to see another's - zero cross-contamination.

Can I control what my team and clients can see?

Yes. You can segment users into groups and apply role-based permissions - firm admin, staff, client and read-only - so each person only sees the reports, tools and data they should.

Is my data used to train AI models?

No. EVA uses frontier models that do not train on your data, and under our Xero partnership we are contractually prohibited from training on client data. EVA's numbers come from SQL queries against your database, not generated text.

Where is my data hosted?

Entirely on AWS (Sydney for AU/NZ), with dedicated regional infrastructure for Australia, New Zealand, the UK, US and Canada. Encrypted in transit (TLS 1.3) and at rest (AES-256).

Security you can trust. EVA you can use.

7-day trial with our customer success team, then pay per integration and seat. Sign up to get started, or book a demo first. Need security documentation for compliance? Just ask.