Accelete handles bank transactions, BAS drafts and tax file numbers (TFNs) for Australian accounting firms and their clients. Trust and data protection are first-class product concerns, not a compliance afterthought. This page summarises the controls in place today and the roadmap for those still in flight.
Where your data lives
All customer data, including bank feeds, transactions, BAS drafts, supporting documents, and audit logs, is stored in AWS Sydney (ap-southeast-2). Backups are taken automatically and remain in Australian regions; data never crosses to overseas regions for processing or storage.
Encryption
Data is encrypted at rest using AWS-managed keys (KMS) for the Postgres database, S3-stored documents, and backup snapshots. All traffic between the client, the Accelete API, and downstream services (Basiq, Stripe, Microsoft Graph) is TLS 1.2+.
Tax File Numbers get a second layer: envelope encryption with a per-record data key, itself wrapped by a master key, so compromising one record's key does not expose the rest. The plaintext TFN is never written to logs, and access is gated behind an explicit "Reveal TFN" action that writes an audit-log entry recording who revealed which TFN, when, and from what context.
Bank feeds: Open Banking via the CDR
Bank feeds are fetched through Basiq, an accredited Consumer Data Right (CDR) data recipient. Each client gives explicit, time-limited consent through their own bank's app; bank credentials are never shared with or stored by Accelete. Clients can revoke consent in one tap, and Accelete deletes the data covered by the revoked consent by default.
Microsoft Graph integration
Demo bookings and selected calendar workflows use the Microsoft Graph API. The integration uses the narrowest scopes required for the workflow (calendars and online meetings). Tokens are stored encrypted, never written to logs, and rotated on Microsoft's standard schedule.
Access control & authentication
Sign-in is handled by Clerk with first-party support for SSO, passkeys, and TOTP. Within Accelete, role-based access control gates which staff can see which firms and which clients. Sensitive actions, including TFN reveal, data export, and plan changes, are audit-logged and surfaced on the firm's activity feed.
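The envelope-encryption and "Reveal TFN" flow described under Encryption and Access control, as an added example in Go. This is illustrative code written for this page, not Accelete's implementation: a random in-memory key stands in for the KMS key, the names `sealTFN`, `revealTFN`, `fakeKMS`, the `tfn.reveal` action strings, the client and firm identifiers and the sample TFN value are all invented here, and auditing denied reveal attempts is an assumption of the example rather than a product claim.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

func randomBytes(n int) []byte {
	b := make([]byte, n)
	must(rand.Read(b)) // crypto/rand failing is not recoverable
	return b
}

// fakeKMS stands in for AWS KMS (GenerateDataKey / Decrypt, each CloudTrail-logged) so the example runs offline.
type fakeKMS struct{ kek []byte }

func mustGCM(key []byte) cipher.AEAD { // keys here are always 32 bytes, so this cannot fail
	return must(cipher.NewGCM(must(aes.NewCipher(key))))
}

// gcmSeal returns nonce || AES-256-GCM(plaintext); aad is authenticated but not encrypted.
func gcmSeal(key, plaintext, aad []byte) []byte {
	g := mustGCM(key)
	nonce := randomBytes(g.NonceSize())
	return g.Seal(nonce, nonce, plaintext, aad)
}

func gcmOpen(key, blob, aad []byte) ([]byte, error) {
	g := mustGCM(key)
	if n := g.NonceSize(); len(blob) >= n {
		return g.Open(nil, blob[:n], blob[n:], aad)
	}
	return nil, fmt.Errorf("ciphertext too short")
}

// tfnRecord is what the database holds: a KEK-wrapped data key and the TFN encrypted under it. No plaintext.
type tfnRecord struct {
	ClientID               string
	WrappedKey, Ciphertext []byte
}

// sealTFN is envelope encryption: a fresh 256-bit data key per record, wrapped under the KEK. The
// client ID is the AAD of both layers, so a key or ciphertext copied onto another client's record will not open.
func sealTFN(k *fakeKMS, clientID, tfn string) tfnRecord {
	dataKey, aad := randomBytes(32), []byte(clientID)
	return tfnRecord{
		ClientID:   clientID,
		WrappedKey: gcmSeal(k.kek, dataKey, aad),
		Ciphertext: gcmSeal(dataKey, []byte(tfn), aad),
	}
}

// auditEntry records who revealed which client's TFN, when and from what context; never the TFN itself.
type auditEntry struct {
	Actor, Action, FirmID, ClientID, Context string
	At                                       time.Time
}

// revealTFN is the explicit "Reveal TFN" action: check firm access (acl maps staff -> firms), unwrap the
// data key, decrypt, write the audit entry. Auditing denied attempts is an assumption of this example.
func revealTFN(k *fakeKMS, rec tfnRecord, actor, firmID, context string, acl map[string]map[string]bool, audit *[]auditEntry) (string, error) {
	entry := auditEntry{Actor: actor, FirmID: firmID, ClientID: rec.ClientID, Context: context, At: time.Now().UTC()}
	if !acl[actor][firmID] {
		entry.Action = "tfn.reveal.denied"
		*audit = append(*audit, entry)
		return "", fmt.Errorf("%s is not authorised for firm %s", actor, firmID)
	}
	aad := []byte(rec.ClientID)
	dataKey, err := gcmOpen(k.kek, rec.WrappedKey, aad)
	if err != nil {
		return "", fmt.Errorf("unwrap data key: %w", err)
	}
	plain, err := gcmOpen(dataKey, rec.Ciphertext, aad)
	if err != nil {
		return "", fmt.Errorf("decrypt TFN: %w", err)
	}
	entry.Action = "tfn.reveal"
	*audit = append(*audit, entry)
	return string(plain), nil
}

func main() {
	k := &fakeKMS{kek: randomBytes(32)}
	acl := map[string]map[string]bool{"alice@firm-a": {"firm-a": true}}
	var audit []auditEntry
	rec := sealTFN(k, "client-42", "123 456 782") // constructed sample client ID and TFN value
	tfn, err := revealTFN(k, rec, "alice@firm-a", "firm-a", "client-detail-page", acl, &audit)
	fmt.Printf("revealed %q (err=%v)\naudit: %+v\n", tfn, err, audit)
}
```

Three properties are worth checking against a real implementation. The client ID is bound into both AEAD layers as additional authenticated data, so a wrapped key or ciphertext moved between rows fails to decrypt instead of revealing another client's TFN. The audit entry carries actor, client ID, context and time but never the TFN, so the log cannot become a second copy of the secret. And because each record has its own data key, rotating the master key means re-wrapping the small data keys, not re-encrypting every TFN.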
Software development practices
- Code review by at least one other engineer is required before merging to the main branch.
- Dependencies are scanned for known vulnerabilities on every build.
- Automated tests cover the critical compliance paths (BAS drafting, lodgement export, TFN reveal, role enforcement).
- Application errors are reported through Sentry with PII scrubbed from event payloads.
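How scrubbing PII out of an error payload before it leaves the process can work, as an added example in Go. It is not Accelete's Sentry configuration and does not use the Sentry SDK's API; a real deployment would run logic of this shape inside the SDK's before-send hook. The `scrubEvent` function, the key denylist, the regular expressions and the sample event are all constructed for this example.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

const redacted = "[redacted]"

// Keys whose values are dropped outright, whatever they contain (denylist assumed for
// the example; a real list is driven by the application's own field names).
var sensitiveKeys = map[string]bool{
	"tfn": true, "tax_file_number": true, "email": true, "password": true,
	"authorization": true, "cookie": true, "access_token": true, "refresh_token": true,
}

// Value shapes that turn up inside free text such as exception messages and
// breadcrumbs: a 9-digit TFN, optionally grouped 3-3-3, and an email address.
var (
	tfnPattern   = regexp.MustCompile(`\b\d{3}[ -]?\d{3}[ -]?\d{3}\b`)
	emailPattern = regexp.MustCompile(`[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}`)
)

// scrubString masks TFN- and email-shaped substrings in free text.
func scrubString(s string) string {
	s = tfnPattern.ReplaceAllString(s, redacted)
	return emailPattern.ReplaceAllString(s, redacted)
}

// scrubEvent walks a JSON-like event (nested maps, slices, strings) and returns a
// scrubbed copy; the input is not modified. Key matching is case-insensitive, and
// non-string scalars (numbers, booleans, nil) pass through unchanged.
func scrubEvent(v any) any {
	switch x := v.(type) {
	case map[string]any:
		out := make(map[string]any, len(x))
		for k, val := range x {
			if sensitiveKeys[strings.ToLower(k)] {
				out[k] = redacted
			} else {
				out[k] = scrubEvent(val)
			}
		}
		return out
	case []any:
		out := make([]any, len(x))
		for i, val := range x {
			out[i] = scrubEvent(val)
		}
		return out
	case string:
		return scrubString(x)
	default:
		return x
	}
}

// sampleEvent is a constructed error payload, shaped loosely like an error-tracker event.
func sampleEvent() map[string]any {
	return map[string]any{
		"message": "lookup failed for TFN 123 456 782 (client jane@example.com)",
		"request": map[string]any{
			"headers": map[string]any{"Authorization": "Bearer abc.def.ghi", "User-Agent": "curl/8.0"},
			"data":    map[string]any{"tfn": "123456782", "firm_id": "firm-a"},
		},
		"breadcrumbs": []any{"POST /clients/42/tfn/reveal", "email=jane@example.com"},
		"status":      500,
	}
}

func main() {
	fmt.Printf("before: %v\nafter:  %v\n", sampleEvent(), scrubEvent(sampleEvent()))
}
```

Two layers do different jobs: keys that are sensitive by name are dropped whatever they hold, so a bearer token still disappears even though it does not look like a TFN or an email, while free text is pattern-scrubbed because identifiers turn up inside exception messages and breadcrumbs, not only in named fields. The 9-digit pattern will also redact other 9-digit numbers; for an error tracker, over-redaction is the right side to err on. The walk builds a new structure rather than editing in place, so the original event is untouched and only the scrubbed copy is what gets sent.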
Compliance & certifications
Accelete is built to align with the Australian Privacy Principles and the Tax File Number Rule 2015. SOC 2 Type II and ISO 27001 certifications are on the roadmap and the engineering controls required for both audits are already in production. We will update this page when each certification completes.
Incident response
Security incidents are triaged on a 24/7 basis. Eligible data breaches are notified to affected firms within 72 hours, and to the OAIC where the Notifiable Data Breaches scheme requires it. Post-incident reviews are shared with affected firms with identifying client information removed.
Data export & deletion
Firms can export their data on demand as standard CSV / JSON bundles. On subscription cancellation, customer data is retained for a 30-day grace period, then deleted with written confirmation. Backups are covered as they age out of their normal rotation cycle, so a deleted firm's data can remain in a backup snapshot until that cycle completes.
Reporting a vulnerability
Security researchers are welcome. Email security@accelete.com.au with reproduction steps. We respond within one business day.