Security & Trust
Last updated: 10 June 2026
Accwisely generates Singapore-format draft financial statements from the trial balances you upload. We know that data is sensitive — it belongs to your clients, and your clients' auditors will ask how it is handled. This page sets out, in plain terms, how we host, protect, and retain your data, and who else is involved in delivering the service. If you need more detail for a vendor risk assessment, our Data Processing Addendum and Privacy Policy go further, and you can reach us at the contact below.
- Primary data stored in a Singapore data-centre region.
- Encrypted in transit (HTTPS/TLS) and at rest.
- Each firm's data is isolated at the database layer — you never see another firm's records.
- Trial balances and drafts are auto-deleted 90 days after a client becomes inactive, unless you ask us to retain them.
- Breach notification within 72 hours of us becoming aware.
Hosting & data residency
Your database, authentication, and uploaded files are hosted on Supabase (managed PostgreSQL) in a Singapore region. The web application is served through Vercel's global edge network, and the application programming interface runs on Railway. Domain, content delivery, and email routing are handled by Cloudflare.
Your primary records (trial balances and draft financial statements) reside in Singapore. Some sub-processors operate globally distributed infrastructure, so limited processing (for example, content delivery or error diagnostics) may occur outside Singapore. Any such cross-border processing is subject to the protections described in our Data Processing Addendum, consistent with section 26 of the Personal Data Protection Act 2012 (PDPA).
Encryption
- In transit: all traffic is served over HTTPS (TLS 1.2 or higher), with HTTP Strict Transport Security enabled.
- At rest: databases and file storage are encrypted at rest by our hosting provider.
- Credentials: account passwords are salted and hashed by our authentication provider — we never store or see them in plaintext.
Access control & authentication
- Tenant isolation: access to your data is enforced at the database layer through row-level security, so members of one firm cannot read or modify another firm's records.
- Authentication: access to the application uses short-lived, signed session tokens issued by our authentication provider.
- Administrative access: internal administrative access is limited to authorised personnel on a need-to-know basis, and two-factor authentication is enabled on our critical infrastructure accounts (source control and domain/DNS).
- Least privilege: application components hold only the permissions they need to operate.
Sub-processors
We engage the following sub-processors to deliver the service. We give customers reasonable advance notice (where practicable, at least 30 days) before adding a new sub-processor that processes customer personal data. Each provider maintains its own security and data-protection documentation.
| Provider | Purpose | Region |
|---|---|---|
| Supabase | Database, authentication, and file storage | Singapore |
| Vercel | Web application hosting & content delivery | Global edge |
| Railway | Application programming interface hosting | Regional |
| Cloudflare | DNS, content delivery, and email routing | Global |
| Stripe | Payments — checkout and subscription billing. Card details are handled entirely by Stripe; we never see or store them. | Global |
| Resend | Transactional email delivery (account, billing, and notification emails) | Global |
| Sentry | Error monitoring (diagnostic metadata only; sensitive values are scrubbed) | Global |
| PostHog | Product analytics — anonymised usage events and page views to understand and improve the Service. Loaded only after you accept analytics cookies; the financial data you upload is never sent. | European Union |
| GitHub | Source-code management (does not process customer financial data) | Global |
| Anthropic | AI invoice drafting in the AR & Invoicing feature — extracts invoice details and classifies intent from your messages and photos (Claude). Monetary figures are computed by our own code, not by the model. | Global |
| OpenAI | Voice-note transcription in the AR & Invoicing feature — spoken invoice messages are transcribed to text (Whisper). Used only when you send a voice note. | Global |
A current copy of this list is always available on this page and on request.
Data retention & deletion
We follow a data-minimisation principle: we do not keep client trial balances longer than needed. Trial balances and draft financial statements are automatically deleted 90 days after a client record becomes inactive, unless you explicitly mark that client to be retained. You can request deletion of your data at any time, and your data is removed on account closure in line with our Data Processing Addendum. De-identified or aggregated data may be retained for service-improvement purposes.
Incident response & breach notification
We monitor the service for errors and anomalies and maintain an internal incident-response procedure. In the event of a data breach affecting your data, we will notify affected customers without undue delay and, in any event, within 72 hours of becoming aware, including the nature of the incident and the steps taken to address it. Where the PDPA requires it, we will support notification to the Personal Data Protection Commission.
Compliance & your rights
Accwisely is built for the Singapore Personal Data Protection Act 2012 (PDPA). When you process your clients' data through Accwisely, you act as the data controller and we act as your data intermediary (processor). Our Data Processing Addendum sets out the controller–processor terms, and our Privacy Policy explains what we collect and why.
Please note: Accwisely produces a draft for review by a qualified professional. It is a software tool and is not a certified, endorsed, or regulated product, and nothing on this page should be read as a representation of endorsement by ACRA, the PDPC, or any standards body.
Data-protection contact
For privacy questions, data-subject requests, or a vendor security questionnaire, email our data-protection contact at info@accwisely.com.
Reporting a vulnerability
If you believe you have found a security vulnerability, please email info@accwisely.com with the details. We appreciate responsible disclosure and will acknowledge your report.