Security & Data Protection

AccountKit's approach to protecting our systems and your data.

Our commitment to you and the protection of your data.

Protecting our customers' data (and your clients' data) is of utmost importance to us all here at AccountKit. Below you can see the detail behind why you can feel comfortable that we're applying modern industry standards and best practices for application security.

ISO 27001 security standard compliance

AccountKit is independently certified as compliant with ISO/IEC 27001:2013, the leading global information security management system (ISMS) standard.

If you would like a copy of the certificate as part of your evaluation process, please reach out to 


[Image: AU1558-YC certification mark]

User Authentication & Permissions

Multi-factor Authentication 

AccountKit has 2FA set as mandatory for all customers. A number of options are available, including authenticator apps, Sign in with Xero, security questions and SMS confirmation; by default, security questions and SMS confirmation are disabled.

Which 2FA options are available, and whether Sign in with Xero is enforced, can be set on a per-tenant basis, along with minimum password requirements; by default the minimum is set to 14 characters utilising numbers and symbols.

User Permissions

In-app user permissions allow you to control what data a user can access and what company-wide actions and settings can be controlled.

Other Options

Tenants can also whitelist IP addresses, further restricting where users are able to access their client information from.

Architecture & Hosting

Our Infrastructure

AccountKit is built within the Outsystems environment, which is hosted with AWS. Outsystems is utilised globally to service all business sectors, including government and the armed forces. This means they are put through rigorous security testing to get the stamp of approval. This partnership gives us the confidence that the underlying systems are extremely robust, ensuring high availability, data redundancy, and government-grade security.

See here for more information on Outsystems and here for more information on AWS and their stance on security.

All AccountKit data is stored in Amazon’s AWS data centre in Sydney (which will expand to other regions in time), including their disaster recovery sites. AWS is ISO 27001 compliant and provides inbuilt offsite backups, multi-site synchronisation and disaster recovery.


Logging & Alerts

AccountKit is continually monitored for downtime, errors and access. Logs are maintained for analysis and debugging. Critical alerts are flagged with our engineering team immediately.


Backups & Disaster Recovery

Regular backups are distributed across several physical locations. Both files (not your DMS files) and the database can be restored to a specific point in time over the last 14 days, or a full recovery can be initiated from a snapshot.

Our backup and recovery procedure ensures minimal disruption of service in the event of a total failure.

Data Security

Encryption in Transit and at Rest

By default, communication with our services uses Transport Layer Security (TLS), which is regularly updated to use the latest fully adopted cipher suites and TLS configurations. We currently support TLS 1.2 and later.

Additionally, we encrypt all customer data and associated access tokens at rest using AES-256. User passwords and security questions are hashed using a SHA-512 algorithm.

Comprehensive system controls have been implemented to prevent cross-site scripting and SQL injection attacks. This ensures your information is safe while in use by the FYI client applications or sitting idle on our servers.


Penetration Testing

AccountKit undergoes regular penetration testing by an independent global consultant to identify and eliminate any potential security weaknesses.


Administrative Data Access

Access to production databases and tenant subscriptions is strictly controlled and limited to users with a need to access production data for customer support or problem resolution.


Data Centres

Our infrastructure is provided by Outsystems and Amazon Web Services (AWS), an industry standard in hosting. Like us, they treat security as a top priority. You can read about their security stance here.

Other Important Information

Data Ownership

Your practice retains complete ownership rights of the content you upload to AccountKit. If you wish to cease using AccountKit and end your subscription, you can export your schedules to Excel and PDF.

Note that we don't store any of your actual documents within AccountKit: our Document Management System (DMS) integration is simply a skin over your pre-existing file storage system (e.g. SharePoint, Google Drive, etc.).


Vendor Management

All vendors (including contractors and integrations) go through a rigorous due diligence review prior to engagement, ensuring they share the same priority when it comes to security and our client data. The depth of the review depends on the type of data we are exchanging, which in turn determines the depth of the risk analysis.