Your financial data.
Every decimal accounted for.
This is Ledger's complete privacy policy — written for the small business owner who just handed over their QuickBooks credentials, not for a compliance team. Explore it by topic, not by page.
We know what we hold.
So should you.
Every data point we hold on your business is documented here — in plain English, not legalese. Click any card to expand the full policy.
What We Collect
We collect only what your engagement requires — no passive harvesting, no behavioral advertising pools.
When you engage Ledger for accounting services, we collect the financial documents, credentials, and business data you provide directly. This includes tax filings, bank statements, payroll records, and accounting software access. We do not purchase data from third parties or build advertising profiles.
Who Else Sees It
Your data is shared only with parties required to deliver your services — never sold, never traded.
We share your information with a narrow set of service providers bound by strict data processing agreements: our cloud infrastructure provider (AWS GovCloud) and our encrypted document management system. Separately, we transmit your information to the IRS or state tax authorities when filing on your behalf.
How Long We Keep It
Retention follows IRS and state requirements — not convenience. Everything past its window is purged on schedule.
Federal tax records are retained for 7 years per IRS guidance. Payroll records are held for 4 years. Engagement correspondence is retained for 3 years post-engagement. All data past its retention window is cryptographically erased (the keys protecting it are destroyed, rendering the data unrecoverable) within 30 days of the expiration date.
Where It Lives
All client data resides in US-based, FedRAMP-authorized infrastructure. Nothing crosses international borders.
We use AWS GovCloud (US), with the GovCloud (US-East) and GovCloud (US-West) regions for redundancy. Your data never leaves US jurisdiction. The underlying AWS GovCloud infrastructure holds a FedRAMP authorization at the Moderate baseline or above, and our own controls are covered by an annual SOC 2 Type 2 report. Physical access to the data centers requires biometric authentication and is controlled by 24/7 security personnel.
Your data map, documented.
Every pathway your financial data travels through Ledger's systems — from your upload to authorized filing. No undocumented routes.
Audited, certified, and documented in full.
These aren't aspirational badges. Each represents a completed audit, an active certification, or an ongoing technical control.
SOC 2 Type 2
Annual audit by an independent PCAOB-registered CPA firm. Report available to clients on request.
GLBA Safeguards
Full compliance with the Gramm-Leach-Bliley Act, including the FTC Safeguards Rule as amended in 2023.
IRS Pub. 4557
All 12 data security safeguards it requires of tax preparers are implemented and documented.
AES-256 Encryption
The NIST-standardized block cipher (FIPS 197), applied to all data at rest and to all connections in transit.
FedRAMP Moderate
AWS GovCloud infrastructure meets FedRAMP Moderate authorization requirements.
Annual Pen Test
Independent third-party penetration testing conducted annually. No critical findings in 4 years.
Compliance reports are available to clients on request. Email compliance@ledger.cpa with your engagement ID. SOC 2 report, pen test executive summary, and GLBA safeguards documentation will be delivered within 2 business days.