Security overview
Last updated: January 1, 2026
How we protect client data
We treat client financial data with the same care a custodian treats client funds. The summary below describes our practices in plain terms; clients with formal vendor-security questionnaires can request our detailed responses.
Data location
Client books live in established cloud accounting platforms (QuickBooks Online, Xero, NetSuite) under client ownership. We are an authorized user, not the owner of the data file.
Authentication
We require multi-factor authentication on every account our staff uses to access client systems. Single sign-on is enforced for our internal tooling. Shared logins are prohibited.
Endpoint controls
Staff devices have full-disk encryption, screen-lock policies, password managers, and managed antivirus. Lost-device protocols include immediate credential rotation.
Access
Access to client data is limited to staff working on that engagement. Off-engagement staff do not have client-data access. Access is reviewed quarterly.
Document handling
Sensitive documents (tax returns, ID copies, bank documents) are exchanged through encrypted client portals, not email. We retain documents for the period required by professional standards and tax recordkeeping rules, then destroy them.
Incidents
If we discover an incident affecting client data, we notify affected clients promptly. We do not bury security events.
What we do not claim
We are not SOC 2 audited as a firm. We do not represent that our processes meet any specific certification. We are happy to walk through our controls in detail with clients who need to satisfy their own diligence.
Contact
Security questions: info@worthitconsulting.com.