Trust and Security

    Security at Spring Tide

    You're trusting us with your clients' live financial data. Here's exactly how we protect it.

    How your data is handled

    Spring Tide connects to QuickBooks through Intuit's official OAuth — your clients log in on Intuit's own screen, and we never receive or store their QuickBooks username or password. The only thing we hold is a connection token, and those tokens are encrypted with AES-256-GCM, the same authenticated encryption standard used to protect data in transit across the modern web. In production, the platform won't even start without its encryption key present, so a token can never be stored unprotected.

    Every firm's data is isolated. When anyone requests a client record, an invoice, or a report, the platform checks it against that user's own organization first — and a request for data outside your organization comes back as "not found," so client identifiers can't be probed or enumerated from the outside. One firm's clients are never visible to another.
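The isolation rule described above, as an added Python example that is not Spring Tide's own code: the caller's organization is part of the lookup condition, so a request for another firm's record is indistinguishable from a request for a record that does not exist. The leaky variant, the client records and the organization IDs are constructed for illustration.

```python
from dataclasses import dataclass

class NotFound(Exception):
    """Raised both when a record does not exist and when it belongs to another org."""

class Forbidden(Exception):
    """Raised only by the leaky variant, revealing that the record exists."""

@dataclass(frozen=True)
class Client:
    client_id: int
    org_id: int
    name: str

# Constructed sample data (hypothetical values): two firms, three client records.
CLIENTS = {
    101: Client(101, 1, "Acme Bakery"),
    102: Client(102, 1, "Birch Dental"),
    201: Client(201, 2, "Cedar Law"),
}

def get_client_leaky(user_org_id: int, client_id: int) -> Client:
    """Anti-pattern: fetch first, authorize second. A cross-org request gets
    Forbidden while a missing ID gets NotFound, so responses reveal which
    client IDs exist."""
    client = CLIENTS.get(client_id)
    if client is None:
        raise NotFound(client_id)
    if client.org_id != user_org_id:
        raise Forbidden(client_id)
    return client

def get_client(user_org_id: int, client_id: int) -> Client:
    """Hardened: the caller's org is part of the lookup condition, so
    'wrong org' and 'no such record' produce the same NotFound."""
    client = CLIENTS.get(client_id)
    if client is None or client.org_id != user_org_id:
        raise NotFound(client_id)
    return client

def observed_outcome(lookup, user_org_id: int, client_id: int) -> str:
    """The outcome a caller can observe: 'ok', 'NotFound' or 'Forbidden'."""
    try:
        lookup(user_org_id, client_id)
        return "ok"
    except (NotFound, Forbidden) as exc:
        return type(exc).__name__
```

With the hardened lookup, a user in organization 2 sees the same NotFound for client 101 (organization 1) as for an ID that was never issued, which is what closes the enumeration channel.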

    When the platform generates its CFO commentary, it sends summarized financial metrics — not your underlying transaction ledger — to our AI provider (Anthropic).

    Security practices

    All traffic runs over HTTPS, with HSTS enforced for a full year across the domain and its subdomains. The platform sets a Content-Security-Policy that restricts which origins are allowed to load scripts, styles, fonts, and embedded content, along with a strict referrer policy.

    Public-facing forms are protected by CAPTCHA (Cloudflare Turnstile) and rate limiting. The CAPTCHA is required in production and fails closed — if it can't verify a submission, the request is rejected rather than waved through. API endpoints are rate-limited, with stricter limits on public contact and lead forms.

    We monitor our dependencies for known vulnerabilities and keep them current as part of every release.

    Who else touches your data

    Spring Tide relies on a small set of vetted infrastructure and service providers to operate. Each is listed, along with what it's used for, in our Privacy Policy. We only share what a provider needs to do its job — for example, our AI provider receives the summarized financial metrics behind a CFO commentary, not your underlying transaction ledger.

    Compliance

    Spring Tide runs on SOC 2– and ISO 27001–certified infrastructure, including Google Cloud and certified service providers such as Anthropic, Stripe, and Resend. Spring Tide has not yet completed its own independent SOC 2 audit; it's on our roadmap as the platform grows. We'd rather tell you exactly where we stand than imply a certification we don't hold.

    Reaching our security team

    Found a vulnerability, or have a security question? Email us at security@springtideba.com.