Security
Your accounting data is the most sensitive thing your group has. This page lists only what we actually do — no badges we haven't earned, no vague claims.
Connections to QuickBooks and Xero use their official OAuth flows with read-only scopes. The platform enforces the scope on every API call, so we cannot create, post, edit or delete anything in your books: it is a permission level the platform checks, not a promise we make.
You sign in on QuickBooks' or Xero's own pages. Composenz receives a revocable token, never your credentials. We never connect to your bank and never move money.
Disconnect an entity in Composenz, or revoke the app from your QuickBooks or Xero settings; either way, access ends immediately. Revoking at the provider invalidates the token at its source, so it takes effect whether or not you ever sign in to Composenz again.
Each group's data is segregated with database-level row security: the database itself scopes every query to your organisation, so a bug in application code that omits a filter still cannot return another group's rows.
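The row-security model described above, shown as an added PostgreSQL example. This is not Composenz's own schema or code; the table, column, role and setting names (`ledger_entries`, `org_id`, `app_user`, `app.org_id`) and the sample rows are assumptions constructed for illustration:

```sql
-- Added example, not Composenz's schema. Assumed names: table ledger_entries,
-- tenant column org_id, application role app_user, per-transaction setting app.org_id.

CREATE ROLE app_user NOLOGIN;

CREATE TABLE ledger_entries (
    id      bigserial     PRIMARY KEY,
    org_id  uuid          NOT NULL,
    account text          NOT NULL,
    amount  numeric(14,2) NOT NULL
);

-- Constructed sample data for two tenants (inserted before RLS is switched on).
INSERT INTO ledger_entries (org_id, account, amount) VALUES
  ('11111111-1111-1111-1111-111111111111', 'Revenue', 1200.00),
  ('22222222-2222-2222-2222-222222222222', 'Revenue', 9800.00);

-- Turn row security on. FORCE applies the policy to the table owner as well,
-- so only superusers bypass it.
ALTER TABLE ledger_entries ENABLE ROW LEVEL SECURITY;
ALTER TABLE ledger_entries FORCE ROW LEVEL SECURITY;

-- The application sets app.org_id once per transaction from the authenticated
-- session. current_setting(..., true) yields NULL (or '' after a reset) instead
-- of raising when unset; NULLIF turns '' into NULL, and NULL compares false, so
-- an unscoped transaction sees no rows at all rather than every row (fail closed).
CREATE POLICY org_isolation ON ledger_entries
    USING      (org_id = NULLIF(current_setting('app.org_id', true), '')::uuid)
    WITH CHECK (org_id = NULLIF(current_setting('app.org_id', true), '')::uuid);

GRANT SELECT, INSERT, UPDATE, DELETE ON ledger_entries TO app_user;
GRANT USAGE, SELECT ON SEQUENCE ledger_entries_id_seq TO app_user;

-- One application request on behalf of tenant 1.
BEGIN;
SET LOCAL ROLE app_user;
SET LOCAL app.org_id = '11111111-1111-1111-1111-111111111111';

-- No WHERE clause in the query, yet the database returns only tenant 1's rows.
SELECT account, amount FROM ledger_entries;

-- A write that targets another tenant is rejected by the WITH CHECK clause,
-- regardless of what the application code intended. (Commented out so the
-- script runs through; uncomment to see the policy violation error.)
-- INSERT INTO ledger_entries (org_id, account, amount)
--   VALUES ('22222222-2222-2222-2222-222222222222', 'Revenue', 1.00);
COMMIT;

-- A transaction that forgot to set the tenant gets nothing, not everything.
BEGIN;
SET LOCAL ROLE app_user;
SELECT count(*) FROM ledger_entries;
COMMIT;
```

The design points worth copying: the tenant id is bound per transaction with `SET LOCAL` so it cannot leak across pooled connections, the policy is written to fail closed when the setting is absent, and `FORCE ROW LEVEL SECURITY` removes the owner exemption so the application role and the migration role are held to the same rule.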
All traffic runs over TLS. Your data and the OAuth tokens are encrypted at rest; tokens stay server-side and are never sent to the browser.
We read only the accounting objects needed to consolidate and narrate your group. When you close your account, we delete your data on request; your books always remain the source of truth in your own systems.
Accounts require strong passwords checked against known-breach lists, with two-factor authentication available for every user.
Security review is part of every change we ship: threat modeling first, features second. We do not publish our hardening checklist, but we will answer any question about what is on it.
Found a security issue? We want to hear about it. Report it responsibly and we will respond quickly and credit you if you wish.