DepreciationPro

Security & Data Protection

Specific, verifiable controls protecting your client data. Built for CPA compliance review.

SOC 2 Controls Implemented
TLS 1.2+ Encryption
3,000+ Automated Tests
51 Jurisdiction Coverage

Encryption

All data encrypted in transit using TLS 1.2+ with HSTS enforcement. Encrypted at rest using AES-256 via Azure Database for PostgreSQL.

  • HTTPS enforced on all connections with HSTS preload
  • AES-256 encryption at rest via Azure Database for PostgreSQL
  • Encrypted database backups with point-in-time recovery

Authentication & Access

Multi-layered authentication with breach detection, session management, and automated lockout protects access to your account.

  • Strong password requirements (8+ characters, mixed case, numbers, special characters)
  • HIBP (HaveIBeenPwned) password breach detection on registration and password changes
  • 30-minute inactivity timeout with sliding session expiration
  • Rate limiting on authentication endpoints (login, signup, password reset)
  • Google SSO integration for passwordless access
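The password controls above (length and character-class rules plus a HaveIBeenPwned breach check) can be implemented without ever sending the password off-host: HIBP's range API takes only the first five hex characters of the SHA-1 digest and returns every matching suffix with a breach count. The block below is an added example, not DepreciationPro's code; the real lookup would GET https://api.pwnedpasswords.com/range/<prefix>, and here a constructed stand-in builds that response from a small breached-password dictionary so it runs offline.

```python
import hashlib
import re
from typing import Callable, Dict, List

MIN_LENGTH = 8  # the page's stated minimum


def password_policy_violations(password: str) -> List[str]:
    """Return the policy rules the candidate password fails (empty list = passes)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[a-z]", password):
        problems.append("no lowercase letter")
    if not re.search(r"[A-Z]", password):
        problems.append("no uppercase letter")
    if not re.search(r"\d", password):
        problems.append("no digit")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("no special character")
    return problems


def hibp_breach_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """k-anonymity lookup: only the 5-char SHA-1 prefix leaves the host.

    fetch_range(prefix) must return the API's text body, one 'SUFFIX:COUNT' per line.
    Returns 0 when the password's suffix is not in the response.
    """
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    for line in fetch_range(prefix).splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate.strip().upper() == suffix:
            return int(count.strip() or 0)
    return 0


def fake_range_fetcher(breached: Dict[str, int]) -> Callable[[str], str]:
    """Constructed stand-in for the network call (assumption: not the real service).

    Produces the same shape of response the range API would return for a prefix,
    derived from a dictionary of known-breached passwords and their counts.
    """
    def fetch(prefix: str) -> str:
        lines = []
        for pw, count in breached.items():
            d = hashlib.sha1(pw.encode("utf-8")).hexdigest().upper()
            if d[:5] == prefix:
                lines.append(f"{d[5:]}:{count}")
        return "\r\n".join(lines)
    return fetch


def validate_new_password(password: str, fetch_range: Callable[[str], str]) -> List[str]:
    """Registration / password-change check: policy rules first, breach check second.

    The breach lookup only runs for passwords that already satisfy the policy, so
    obviously weak input never reaches the (rate-limited) external service.
    """
    problems = password_policy_violations(password)
    if not problems:
        count = hibp_breach_count(password, fetch_range)
        if count > 0:
            problems.append(f"appeared in {count} known breaches")
    return problems


if __name__ == "__main__":
    # Constructed breach dictionary for the offline demo.
    fetch = fake_range_fetcher({"Password1!": 12345})
    for pw in ("password", "Password1!", "Correct-Horse-9"):
        print(pw, "->", validate_new_password(pw, fetch) or "ok")
```

Rejecting a breached password only on registration and change (as the page describes) means an account created before a breach is not re-screened; a periodic re-check at login against the same range endpoint closes that gap.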

Security Headers

Industry-standard security headers protect against common web attacks and enforce secure browsing policies.

  • Content Security Policy (CSP) preventing cross-site scripting (XSS)
  • HTTP Strict Transport Security (HSTS) enforcing HTTPS on all requests
  • X-Frame-Options preventing clickjacking attacks
  • X-Content-Type-Options preventing MIME type sniffing

Audit & Logging

SOC 2 controls implemented for access logging. Every authentication event and data change is tracked with full attribution.

  • Login and logout events logged with user ID, IP address, and timestamp
  • Field-level change tracking with before and after values
  • Permission and role changes tracked with user attribution
  • Session management with forced logout capability
  • Immutable audit log -- entries cannot be modified or deleted

Data Isolation

Multi-tenant architecture with firm-level data isolation at the database query level. No firm can access another firm's data.

  • Firm-level data isolation enforced at the database query level (FirmId on every data entity)
  • Role-based access control: Admin and Reviewer roles
  • User-level activity tracking with IP capture
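"Isolation enforced at the database query level" means the tenant column is part of every WHERE clause, not a filter applied afterwards in application code. The block below is an added example, not DepreciationPro's code: it uses an in-memory SQLite table with a constructed `firm_id` column (the page's FirmId, under an assumed schema) and shows a firm-scoped repository beside the primary-key-only lookup that would leak a row to the wrong tenant.

```python
import sqlite3
from typing import List, Optional, Tuple

# Assumed schema and constructed sample rows for two firms (101 and 202).
SCHEMA = """
CREATE TABLE assets (
    id          INTEGER PRIMARY KEY,
    firm_id     INTEGER NOT NULL,
    description TEXT    NOT NULL,
    cost_cents  INTEGER NOT NULL
);
CREATE INDEX idx_assets_firm ON assets (firm_id);
"""
SAMPLE_ROWS = [
    (1, 101, "Server rack", 1_200_000),
    (2, 101, "Office chairs", 300_000),
    (3, 202, "Delivery van", 4_500_000),
]

Row = Tuple[int, str, int]


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO assets VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


class AssetRepository:
    """All data access for one firm. The firm id is fixed at construction (it would
    come from the authenticated session), so no query can be issued without it."""

    def __init__(self, conn: sqlite3.Connection, firm_id: int):
        self._conn = conn
        self._firm_id = firm_id

    def list_assets(self) -> List[Row]:
        cur = self._conn.execute(
            "SELECT id, description, cost_cents FROM assets WHERE firm_id = ? ORDER BY id",
            (self._firm_id,),
        )
        return cur.fetchall()

    def get_asset(self, asset_id: int) -> Optional[Row]:
        # The primary key alone is not enough: firm_id is part of the predicate, so an
        # id belonging to another firm simply returns no row rather than leaking it.
        cur = self._conn.execute(
            "SELECT id, description, cost_cents FROM assets WHERE id = ? AND firm_id = ?",
            (asset_id, self._firm_id),
        )
        return cur.fetchone()

    def update_cost(self, asset_id: int, cost_cents: int) -> int:
        """Return the number of rows changed; 0 means the asset is not this firm's."""
        cur = self._conn.execute(
            "UPDATE assets SET cost_cents = ? WHERE id = ? AND firm_id = ?",
            (cost_cents, asset_id, self._firm_id),
        )
        self._conn.commit()
        return cur.rowcount


def unscoped_get_asset(conn: sqlite3.Connection, asset_id: int) -> Optional[Row]:
    """The anti-pattern: lookup by primary key only. Any caller who can supply an id
    reads any firm's row. Shown for contrast, not for use."""
    return conn.execute(
        "SELECT id, description, cost_cents FROM assets WHERE id = ?", (asset_id,)
    ).fetchone()


if __name__ == "__main__":
    db = make_db()
    firm_101 = AssetRepository(db, 101)
    print("firm 101 sees:", firm_101.list_assets())
    print("firm 101 asking for asset 3 (firm 202):", firm_101.get_asset(3))
    print("unscoped lookup of asset 3:", unscoped_get_asset(db, 3))
```

The same property can be enforced one layer lower with PostgreSQL row-level security (a policy on `firm_id` bound to a session setting), which protects even code paths that bypass the repository; the repository pattern above is the application-side half of that defence.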

Infrastructure

Hosted on Microsoft Azure with managed PostgreSQL, automated backups, and continuous monitoring.

  • Azure Database for PostgreSQL with automated daily backups
  • Point-in-time restore capability (up to 35 days)
  • 24/7 monitoring with automated alerting
  • 1-hour recovery time objective (RTO)

Your Data Rights

Your data belongs to you. Export it anytime, request deletion, and know that it's never shared or sold.

  • Full firm data export as ZIP (all assets, reports, depreciation schedules)
  • Account deletion with PII anonymization and 7-day grace period
  • No data sold to third parties -- ever
  • Read-only data access preserved after subscription ends

Security Questions?

Contact our team at security@depreciationpro.com for security-related inquiries.