Back to Home

Data Protection & Security

Last updated: June 2026

At SyncBooks, security isn't an afterthought — it's foundational to everything we build. Your financial data deserves the highest level of protection, and we deliver enterprise-grade security across every layer of our platform.

AES-256 Encryption
GRA Compliant

1. Data Encryption

1.1 Encryption at Rest

All sensitive data stored in our databases is encrypted using industry-standard algorithms:

  • AES-256-CBC: Used for highly sensitive fields including API keys, bank account numbers, OAuth tokens, and payment credentials
  • bcrypt (cost factor 12): All user passwords are hashed with bcrypt — never stored in plaintext
  • Database-level encryption: MongoDB Atlas provides transparent storage encryption using AES-256
  • Backup encryption: All database backups are encrypted before storage

1.2 Encryption in Transit

  • TLS 1.3: All data transmitted between your browser and our servers is encrypted with TLS 1.3
  • HTTPS enforced: HTTP connections are automatically redirected to HTTPS
  • Certificate pinning: API clients validate our SSL certificate chain
  • Internal encryption: Service-to-service communication within our infrastructure uses mutual TLS

1.3 Key Management

  • Encryption keys are stored separately from the data they protect
  • Keys are rotated on a regular schedule
  • Access to key material is restricted to critical system processes only

2. Access Controls

2.1 Authentication

  • Multi-factor Authentication (2FA): TOTP-based two-factor authentication with app authenticators (Google Authenticator, Authy, etc.)
  • Trusted Devices: Users can mark devices as trusted to skip 2FA for 30 days
  • Passkeys (WebAuthn): Passwordless authentication using biometrics or hardware security keys
  • Magic Links: Secure, time-limited email-based login
  • OAuth 2.0: Google Sign-In with verified email domains
  • Session Management: JWT tokens with short expiry (1 hour access, 7 days refresh) and automatic rotation
  • Brute Force Protection: Account lockout after 5 failed attempts with progressive delays

2.2 Authorization (RBAC)

SyncBooks implements granular role-based access control (RBAC):

  • Owner: Full platform access, billing, user management
  • Admin: Organization-wide settings and all modules
  • Manager: Department-specific oversight with approval authority
  • Accountant: Financial data access without administrative privileges
  • Cashier: POS-only access with transaction limits
  • Staff: Limited access to assigned modules only
  • Viewer: Read-only access to reports and dashboards

Each role includes fine-grained permissions (view, create, edit, delete, approve) per module. Custom permission sets can be configured per organization.

2.3 API Security

  • API keys are encrypted at rest and scoped per organization
  • Rate limiting: 100 requests/minute for standard plans, 500/minute for enterprise
  • IP allowlisting available for enterprise accounts
  • Webhook signatures use HMAC-SHA256 for payload verification
  • OAuth 2.0 with PKCE for third-party application integration

3. Infrastructure Security

3.1 Cloud Hosting

  • Platform: Hosted on AWS and Vercel with auto-scaling and geographic redundancy
  • Database: MongoDB Atlas (managed) with automated failover and point-in-time recovery
  • CDN: Global content delivery network for fast, secure asset delivery
  • DDoS Protection: Automatic DDoS mitigation at the network edge

3.2 Backups & Disaster Recovery

  • Continuous backups: Point-in-time recovery with 7-day retention for all plans
  • Daily snapshots: Full database snapshots retained for 30 days
  • Geographic redundancy: Backups stored in separate availability zones
  • Recovery Time Objective (RTO): <4 hours for full recovery
  • Recovery Point Objective (RPO): <1 hour data loss window
  • Disaster recovery testing: Quarterly failover exercises

3.3 Network Security

  • Web Application Firewall (WAF) protects against OWASP Top 10 vulnerabilities
  • Intrusion detection and prevention systems (IDS/IPS)
  • Network segmentation between application tiers
  • Regular penetration testing by independent security firms

4. Monitoring & Audit Trails

  • Comprehensive audit logging: All user actions (login, data access, modifications, deletions) are logged with timestamps, IP addresses, and user IDs
  • Immutable audit trail: Audit logs cannot be modified or deleted by users
  • Real-time alerts: Suspicious activity triggers immediate notifications (failed logins, permission changes, bulk data exports)
  • Anomaly detection: AI-powered monitoring detects unusual patterns in financial transactions
  • Session tracking: Active sessions are visible to admins and can be revoked instantly
  • Login history: Full login history with device fingerprints, IP geolocation, and authentication method

5. Compliance

5.1 Ghana Data Protection Act (Act 843)

  • Registered with the Data Protection Commission of Ghana
  • Data Processing Agreement (DPA) available for all customers
  • Lawful basis established for all data processing activities
  • Data subject rights fully supported (access, rectification, erasure, portability)
  • Appointed Data Protection Officer (DPO) reachable at dpo@syncbooksapp.com

5.2 Ghana Revenue Authority (GRA) — Act 896

  • Financial records retained for mandatory 7-year period
  • Tax calculation compliant with Ghana VAT/NHIL/GETFund/COVID-19 levy rates
  • Invoice numbering meets GRA sequential requirements
  • Audit-ready reports exportable in GRA-accepted formats

5.3 GDPR (EU General Data Protection Regulation)

While SyncBooks is not yet formally GDPR-certified, our platform is designed with GDPR principles in mind:

  • Standard Contractual Clauses (SCCs) for international data transfers
  • Right to erasure honored within 30 days (except legally required retention)
  • Data minimization principles applied across all features
  • Consent management for optional data processing

We are actively working toward full GDPR compliance certification. See "How We Plan to Achieve GDPR Compliance" below.

5.4 PCI-DSS Awareness

SyncBooks does not directly store credit card numbers. All payment processing is handled by PCI-DSS Level 1 certified payment processors (Paystack). We never have access to full card details.

6. Data Retention & Deletion

Data TypeRetention PeriodBasis
Financial records7 yearsGRA Act 896
User account dataActive + 14 days post-closureContract
AI conversationsUntil deleted / 14 days post-closureConsent
Audit logs2 years (active account)Legitimate interest
Session/access logs90 daysSecurity
Backups containing deleted data14 daysOperational

When you request account deletion, non-financial data is purged within 14 days. Financial records required by law are archived securely for the statutory period, then permanently destroyed. You can export all your data at any time in CSV, JSON, Excel, or PDF formats.

7. Incident Response

SyncBooks maintains a documented incident response plan that is tested regularly:

7.1 Response Timeline

  • Detection: Automated monitoring detects anomalies within minutes
  • Triage: Security team assesses severity within 1 hour
  • Containment: Immediate action to isolate affected systems
  • Notification: Affected users notified within 72 hours of confirmed breach (as required by GDPR and Act 843)
  • Resolution: Root cause analysis and remediation
  • Post-mortem: Published incident report for significant events

7.2 Breach Notification

In the unlikely event of a data breach, we will:

  • Notify the Data Protection Commission of Ghana within 72 hours
  • Notify affected users via email and in-app notification
  • Provide details of what data was affected and remediation steps
  • Offer identity monitoring services if personal data was compromised

8. Third-Party Sub-Processors

We carefully vet all third-party services that process your data:

ProviderPurposeLocation
MongoDB AtlasDatabase hostingUS / EU
AWSCloud infrastructure & storageUS / EU
VercelApplication hosting & CDNGlobal
OpenAIAI processing (no model training)US
PaystackPayment processing (PCI-DSS L1)Nigeria / Ghana
Redis (Upstash)Caching & rate limitingGlobal
Cloudflare TurnstileBot protectionGlobal

All sub-processors are bound by Data Processing Agreements (DPAs). We will notify you 30 days before adding new sub-processors that handle your personal data.

9. Responsible Disclosure

We welcome security researchers who help us keep SyncBooks safe. If you discover a vulnerability:

  • Email security@syncbooksapp.com with details
  • Include steps to reproduce the vulnerability
  • Allow us 90 days to address the issue before public disclosure
  • Do not access or modify other users' data during testing

We acknowledge reports within 48 hours and will not pursue legal action against researchers acting in good faith.

10. Your Security Checklist

Security is a shared responsibility. We recommend:

  • ✅ Enable Two-Factor Authentication (2FA) for all users
  • ✅ Use strong, unique passwords (16+ characters)
  • ✅ Review user permissions regularly and remove inactive users
  • ✅ Monitor the audit log for unexpected activity
  • ✅ Export backups periodically to your own storage
  • ✅ Use the approval workflow for high-value transactions
  • ✅ Keep your API keys confidential and rotate them periodically
  • ✅ Report suspicious activity immediately to your organization admin

11. Contact

For security-related inquiries:

Related: Privacy Policy · Terms of Service · Refund Policy