How We Protect Your Data

• At rest: All OAuth tokens and sensitive credentials are encrypted with AES-256-GCM via Lockbox. Database columns containing tokens are never stored in plaintext.
• In transit: All connections use TLS 1.3. HTTPS is enforced on every endpoint.
• Backups: Database backups are encrypted and stored on DigitalOcean Managed Databases with automatic failover.

• OAuth 2.0: We connect to Clover, QuickBooks, Square, and other services via OAuth 2.0. We never see or store your POS or accounting passwords.
• Token handling: Access tokens are automatically refreshed before expiry. Refresh tokens are encrypted at rest.
• Session management: Sessions are server-side with secure, httponly cookies. Users can view and terminate active sessions.

• We only sync daily sales totals by category and payment method. We never access or store individual transaction details, customer information, or payment card numbers.
• POS data is read-only. We never modify your POS system.
• Accounting data is append-only. We create journal entries but never delete or modify existing records.

SalesToBooks has passed Intuit's security review process and is approved on the QuickBooks Online App Store. This includes verification of our OAuth implementation, data handling practices, and API usage patterns.

• Hosting: Hetzner Cloud (Germany/Finland) with automatic failover.
• CDN & DDoS: Cloudflare for DNS, DDoS protection, and edge caching.
• Database: DigitalOcean Managed PostgreSQL with automatic backups, standby nodes, and encrypted connections.
• Monitoring: Real-time error tracking with automatic developer assignment for sync failures.

• Sync reports are retained for the lifetime of your account.
• When you disconnect a service, tokens are immediately destroyed.
• When you delete your account, all associated data is permanently removed within 30 days.
• You can request a full data export at any time by contacting support.