Security & data handling
ReconcileIQ touches your accounts receivable, so you deserve specifics rather than a badge wall. Here is exactly what we access, where it lives, and who processes it — in plain language.
How ReconcileIQ connects to QuickBooks
ReconcileIQ connects to QuickBooks Online through Intuit’s official OAuth 2.0 flow. We never see or store your QuickBooks password. The connection is scoped to accounting data: we read your open invoices, customers, and credit memos, and we create payment records against them.
- Read: open invoices, customer names, credit memos — what’s needed to match a remittance.
- Write: payment records posted to Undeposited Funds. ReconcileIQ never initiates, moves, or holds funds — it records payments you’ve already received.
- Revocable: you can disconnect ReconcileIQ at any time from your Intuit account settings or from inside the app. Revocation takes effect immediately.
Encryption
All traffic between your browser, our application, QuickBooks, and our subprocessors is encrypted in transit with TLS 1.2+. Data at rest — including remittance documents, extracted payment data, and OAuth tokens — is stored in Supabase (PostgreSQL on AWS) and encrypted with AES-256. QuickBooks OAuth tokens are additionally restricted so only backend service processes can read them; they are never exposed to the browser.
AI processing — no training on your data
Remittance documents are processed by Anthropic’s Claude API (extraction and match scoring) and, for scanned images, Google Cloud Vision (OCR). These calls are made under commercial API terms: your data is not used to train AI models — not by us, and not by our AI vendors under the API terms we operate on. Documents are sent for processing, results come back, and the vendors do not retain your content for model improvement.
Subprocessors
We keep this list short on purpose. Every vendor below is under terms consistent with this page.
| Subprocessor | Purpose | Data touched | Location |
|---|---|---|---|
| Supabase | Database, authentication, file storage | Account data, payment & invoice records, remittance documents | United States (AWS) |
| Anthropic (Claude API) | AI remittance extraction and match scoring | Remittance document contents, invoice numbers and amounts | United States |
| Google Cloud Vision | OCR for scanned checks and image-based PDFs | Document images submitted for text extraction | United States |
| Stripe | Subscription billing | Billing name, email, payment card (held by Stripe, never by us) | United States |
| Vercel | Application hosting and delivery | Request metadata, application content in transit | United States |
| Postmark (planned) | Transactional email (notifications, digests) | Email address, notification content | United States |
Data retention & deletion
Remittance documents and extracted payment data are retained while your account is active — they are your audit trail, and the matching engine uses history to get smarter about your customers’ habits. When you close your account, we delete your customer content within 30 days of a written request to kyle@foxtrove.ai, except records we’re legally required to keep (for example, billing records). Disconnecting QuickBooks revokes our access immediately without deleting your ReconcileIQ history.
Access controls & audit trail
Access inside ReconcileIQ is account-scoped: your team sees only your company’s data, enforced at the database layer. Every consequential action — each auto-post, each exception resolution, each deposit — is written to an append-only audit log that cannot be edited or deleted, by you or by us. If an auditor asks why a payment was applied a certain way, the answer is one query away.
Compliance roadmap (not yet certified)
We are early, and we’d rather say so than imply otherwise. On the roadmap, in order: a SOC 2 Type I examination, followed by Type II; third-party penetration testing; and a formal data processing addendum for customers who need one. None of these are complete today. If your purchasing process requires specific documentation, email us — we’ll tell you honestly where each item stands.
Security questions or disclosures
Found a vulnerability, or need security details for vendor review? Email kyle@foxtrove.ai. A human reads it the same day.