Security & trust

Built like the evidence depends on it.

A firm's license rides on this system, so its safety properties are structural — enforced by the database, the ledger, and the policy engine, not by good intentions.

Isolation

Tenant isolation by construction

Multi-tenancy is enforced structurally, not by convention. Every query path runs behind Postgres row-level security scoped to the tenant, so an application bug cannot become a data leak — the database itself refuses cross-tenant reads and writes.

Within a firm, each client's books, memory, and conventions are separated: one client's coding history never informs another's unless the firm explicitly shares a firm-wide convention. Data lives in self-contained regional cells — tenants are pinned to a cell, and there are no cross-cell data paths.

Privacy

Models never see raw identifiers

Every inference payload passes through an in-cell PII-masking gateway before it reaches a model: names of natural persons, government IDs, addresses, and account numbers are replaced with stable pseudonymous tokens. The re-identification map never leaves the cell, and model responses are re-hydrated back inside it.

Inference runs under zero-data-retention terms, and client financial data is never used to train foundation models. Prompts carry only the fields a task needs — and the same masking applies to logs.

Documents are treated as data, never as instructions: text embedded in a hostile PDF or email cannot steer the agent, and attempted injections are logged as anomalies.

Ledger

An immutable ledger

Finalized entries are never edited in place. The finalized ledger is append-only double-entry, replicated across three nodes; corrections are explicit adjusting or reversing entries linked to the original, so the record of what changed — and why — is itself part of the books.

Closed periods lock. Nothing posts into a locked period except a formal adjusting entry that follows the same sign-off workflow as everything else.

Accountability

The decision log

Every agent action is recorded with its trigger, the retrieved context, the tool calls and their results, each factor of the autonomy decision, the verification-gate result, the outcome, the human who resolved it if any, and the pinned model version and configuration.

The log is immutable and exportable, and any decision can be replayed: a reviewer — or a regulator — can see exactly what the agent saw and why the gate passed or failed.

Control

Segregation of duties & sign-off

The agent is a preparer. Binding a material or irreversible action requires a distinct human authorizer — the system enforces that preparer and approver can never be the same identity. Approval flows follow your firm's matrix: preparer → reviewer → signer, with thresholds deciding how far up an item must go.

Attestations are cryptographically signed, single-use, and bound to the exact ledger snapshot and report version they cover. A material item that fails a verification gate can only proceed by an explicit, attributed, logged human override — never by the agent retrying until it passes.

A kill switch drops any firm or client to fully supervised mode instantly, without losing state or work in progress.

Baseline controls

The table stakes, stated plainly

In transit

TLS 1.3 everywhere

At rest

AES-256 across databases, ledger, and object storage

Credentials

Field-level encryption for connector secrets; keys in KMS with rotation

Access

MFA for firm staff; SSO (OIDC/SAML) for enterprise firms; role-based access control

Access logging

Who viewed what, when — kept separate from the financial audit trail, with anomaly alerting

Controls

Built to the SOC 2 Type II control set: vulnerability management, incident response, backup and DR

Retention

Originals and audit trail retained per policy (7-year default); soft-delete only; legal hold supported

Residency

Client data stored and processed in-region; masked, zero-retention inference is the sole disclosed exception

Want the deeper story on how autonomy itself is governed? Read about the governor, or join the waitlist and ask us directly.

accountsAI

The autonomous accountant with a verifiable spine. Built for accounting firms in the US and Canada.

© 2026 accountsAI. All rights reserved.

accountsAI is a preparer, not a licensed professional. Your firm holds the judgment, the sign-off, and the license — accountsAI makes that signature provable.