Security

Last updated: 25 March 2026

When you use CFO Pal, you are entrusting us with your financial data — one of your most valuable business assets. We treat this responsibility with the utmost seriousness.

1. You Own Your Data

We are custodians of your financial data, not owners. You retain full ownership of all data you upload, sync, or enter into CFO Pal. We access your data solely to provide the services you have subscribed to.

When you disconnect an accounting platform (Xero, QuickBooks, or Sage), we revoke and delete the associated OAuth access tokens, ensuring we can no longer access your data through that provider's API. If you delete your account, all associated financial data is permanently removed within 30 days.

2. Infrastructure and Hosting

CFO Pal is built on industry-leading cloud infrastructure:

  • Database: Supabase, hosted in EU West (London, UK). Your financial data never leaves the EU. This ensures full compliance with UK GDPR data residency requirements.
  • Application hosting: Vercel, with edge deployment for fast, reliable access worldwide.
  • Payments: Stripe, a PCI DSS Level 1 certified payment processor. We never store your card details.

3. Encryption

All data is encrypted both in transit and at rest:

  • In transit: All communications between your browser and CFO Pal are encrypted using TLS 1.2+ (HTTPS). This is the same level of encryption used by banks and financial institutions.
  • At rest: Your financial data is encrypted at rest in our Supabase database using AES-256 encryption. OAuth tokens for connected accounting platforms are stored with additional encryption.

4. Access Controls

CFO Pal implements strict access controls at every level:

  • Row-Level Security (RLS): Every database table is protected by Supabase Row-Level Security policies. This means one user can never access another user's financial data, even if a vulnerability were to exist at the application level.
  • Role-based team access: Account owners can invite team members with Read Only or Admin roles. Each role has strictly defined permissions controlling which data and features they can access.
  • Two-factor authentication (2FA): Users can enable TOTP-based two-factor authentication via authenticator apps (Google Authenticator, Microsoft Authenticator, Authy) for an additional layer of login security.
  • Strong password enforcement: All passwords must meet minimum complexity requirements including length, uppercase, lowercase, numbers, and special characters.
  • Session management: Sessions are managed securely with automatic expiry. Inactive sessions are terminated automatically.

5. AI Data Processing

CFO Pal uses Claude by Anthropic to generate financial insights, weekly summaries, and alert messages. Your financial data is sent to Anthropic's API for real-time processing. Important safeguards:

  • Anthropic does not store your financial data after processing the request.
  • Your data is not used to train AI models.
  • AI-generated insights are advisory only and should not replace professional accounting advice.
  • All API communications with Anthropic are encrypted in transit.

6. Third-Party Integrations

When you connect an accounting platform, CFO Pal uses the industry-standard OAuth 2.0 protocol. This means:

  • We never see or store your Xero, QuickBooks, or Sage password.
  • You authorise specific permissions directly with the provider.
  • You can revoke access at any time from your CFO Pal settings or from within the accounting platform itself.
  • Access tokens are automatically refreshed and stored securely with encryption.

7. Email and Notification Security

All emails sent by CFO Pal are authenticated using SPF, DKIM, and DMARC to prevent spoofing and ensure deliverability. Transactional emails are sent via Resend from our verified domain (cfopal.co.uk). SMS notifications are sent via Twilio using verified sender numbers.

8. Data Backup and Availability

Your data is backed up automatically by Supabase with point-in-time recovery. Backups are stored in geographically separate locations within the EU to ensure data durability. In the event of an infrastructure failure, your data can be recovered to any point in time.

9. Support Access

CFO Pal support staff can only access your financial data if you explicitly grant permission through the Support Access toggle in your Privacy settings. Access is consent-based, logged, and can be revoked at any time with immediate effect.

10. Security Is Ongoing

Security is not a one-time activity. We continuously review and improve our security practices, including regular dependency updates, vulnerability monitoring, and infrastructure hardening. We are committed to maintaining the highest standards of data protection for UK financial data.

11. How You Can Stay Protected

We recommend the following best practices:

  • Use a strong, unique password for your CFO Pal account.
  • Enable two-factor authentication (2FA) in Settings > Security.
  • Do not share your login credentials with anyone. Use the Team Access feature to grant appropriate access to colleagues.
  • Keep your browser up to date.
  • Review connected integrations regularly and disconnect any you no longer need.

12. Reporting Security Issues

If you discover a security vulnerability or have concerns about the security of your data, please contact us immediately at hello@cfopal.co.uk. We take all reports seriously and will respond promptly.