The posture we publish before you ask

Per-entity database isolation

Every accounting entity gets its own Postgres database, named opaquely (tenant_<ulid>), with a dedicated least-privileged role and per-tenant credentials. Tenants live across a multi-cluster fleet of cluster-pods capped at ~500 tenants per cluster. The control plane is the only routing authority; there is no DNS-based tenant routing.

The practical effect: a missing WHERE tenant_id = ? in our code cannot leak cross-tenant data — there is no other tenant in the database. Restores are per-tenant. Hot tenants can be relocated to their own cluster without touching any other customer.

Tamper-evident ledger

Every posted journal entry stores a 32-byte SHA-256 hash chained from the previous entry's hash. At period close, we compute the Merkle root over the period's entry hashes, sign it with an HSM-backed key in AWS KMS (Frankfurt, FIPS 140-3 Level 3), and anchor the signed root in WORM-locked object storage. We ship a stand-alone verifier CLI that an auditor can run independently to re-derive the chain and verify the period anchor — no DBA can rewrite history without the verifier catching it.

Compliance path, not just claims

SOC 2 Type I targeted within 6 months of GA; Type II within 12 months. Evidence collection runs from day one via Vanta. We hold to PCI SAQ A — card data never traverses our infrastructure. MFA-by-default for all users; SAML/OIDC + SCIM 2.0 on the Firm plan.

What we don't claim

• We do not file payroll taxes. Payroll is data + workflow; filing happens through a partner.
• We do not file 1099s for you. We produce the data and the IRS-format files; you (or your partner) file.
• We are not a card processor. All giving and AP card flows tokenize through Stripe.
• We are not HIPAA-covered today. Track this if benevolence/counseling notes become material to you.