Reach Reporting Security Policy
Reach Reporting is a cloud application used by small businesses, bookkeepers, and accountants to visualize their financial data. We protect financial data by applying security controls at every layer from physical to application. We only have read-only access to your financial data. We do not write to or modify any of your financial data within QuickBooks Online or Desktop.
Our software and the financial data it uses are hosted on Amazon Web Services. Amazon continually undergoes security assessments and maintains many certifications to ensure the security of its data centers.
Amazon Web Services maintains compliance under the following standards:
- ISO 27001
- SOC 1 and SOC 2/SSAE 16/ISAE 3402
- PCI Level 1
- FISMA Moderate
- Sarbanes-Oxley (SOX)
Reach Reporting utilizes ISO 27001- and FISMA-certified data centers managed by Amazon. Amazon has many years of experience in designing, constructing, and operating large-scale data centers, and this experience has been applied to the AWS platform and infrastructure. AWS data centers are housed in nondescript facilities, and critical facilities have extensive setbacks and military-grade perimeter control berms as well as other natural boundary protection. Physical access is strictly controlled both at the perimeter and at building ingress points by professional security staff utilizing video surveillance, state-of-the-art intrusion detection systems, and other electronic means. Authorized staff must pass two-factor authentication no fewer than three times to access data center floors. All visitors and contractors are required to present identification and are signed in and continually escorted by authorized staff.
To learn more about the security of Amazon Web Services see: https://aws.amazon.com/security
We use the PCI-compliant payment processor Stripe to encrypt credit card numbers and process payments. Stripe is PCI Level 1 compliant and has been audited by an external auditor to ensure compliance. This is the highest level of compliance available in the payment industry.
From their website, “All card numbers are encrypted on disk with AES-256. Decryption keys are stored on separate machines. None of Stripe’s internal servers and daemons are able to obtain plaintext card numbers; instead, they can just request that cards be sent to a service provider on a static whitelist. Stripe’s infrastructure for storing, decrypting, and transmitting card numbers runs in separate hosting infrastructure, and doesn’t share any credentials with Stripe’s primary services (API, website, etc.).”
Our software undergoes an annual security audit directly through Intuit. The audit includes penetration testing and vulnerability assessments by a third-party security firm.
We maintain policies within our company to ensure that your data stays secure. The few employees with access to sensitive data use a two-factor authentication system that requires a hardware token for access.