Trust & security

Built for the security questionnaire on day one.

Arveo handles financial data for accounting firms. Security is not a feature — it's the foundation. Below is the full picture of where we are today and where we are heading. We update this page quarterly.

  • SOC 2 Type 1 · Q3 2026 target
    IN PROGRESS
  • GDPR / CCPA aligned
    LIVE
  • Intuit App Store security review
    PASSED

Controls

Six control families. Every item, status-tagged.

Each control is tagged LIVE, IN PROGRESS, or PLANNED with a target. No marketing-speak.

Encryption

  • TLS 1.3 in transit
    LIVE
  • AES-256 at rest (database)
    LIVE
  • Customer-managed keys
    Q1 2027
    PLANNED

Access controls

  • Row-level isolation per firm and per client
    LIVE
  • Role-based access (Owner / Lead / Staff / Client)
    LIVE
  • MFA enforced for all firm users
    LIVE
  • SSO via SAML
    Q4 2026
    PLANNED

Audit & logging

  • Immutable audit log on every sensitive action
    LIVE
  • Audit log export (CSV / JSON)
    LIVE
  • SIEM forwarding
    Q4 2026
    PLANNED

Vulnerability management

  • Dependabot + Snyk scanning
    LIVE
  • Annual third-party penetration test
    Q3 2026
    IN PROGRESS
  • Public bug bounty program
    2027
    PLANNED

Incident response

  • 24-hour breach notification SLA
    LIVE
  • Documented runbook with on-call rotation
    IN PROGRESS
  • Post-mortem published within 7 days
    LIVE

Vendor management

  • Vendor register maintained
    LIVE
  • DPAs with all sub-processors
    LIVE
  • Annual vendor risk review
    IN PROGRESS

Compliance roadmap

Where we are. Where we're heading.

Q2 2026
  • Trust page live
  • CAIQ-Lite published
  • WISP signed
Q3 2026
  • SOC 2 Type 1 audit
  • Intuit App Store security review
  • Third-party penetration test
Q4 2026
  • SOC 2 Type 2 observation period begins
  • SAML SSO ships
Q1 2027
  • SOC 2 Type 2 issued
  • ISO 27001 scoping
2027+
  • ISO 27001 certified
  • Bug bounty program
  • Customer-managed keys

Data handling

How your data flows through Arveo.

Stays in QuickBooks

All client transactions, the chart of accounts, vendors and customers stay in QuickBooks Online (QBO). Arveo is a processor, not a controller: your client owns their data, in their own QBO account.

Stored in Arveo

Confidence scores, learned mappings, knowledge base content, audit log entries, anomaly flags. Encrypted at rest, isolated by row-level security.

Sent to Anthropic (sub-processor)

Transaction descriptions, vendor names, amounts — for AI categorization. No PII beyond what is necessary. Anthropic does not train on inputs per the enterprise agreement.

Never leaves Arveo

Client identifiers, firm identifiers, account credentials, OAuth tokens (encrypted with a separate key).

Isolation guarantee

Cross-tenant isolation, enforced at the database.

Cross-firm

Zero pathway. Firm A's transactions, vendor patterns, learned mappings, and AI behavior are invisible to Firm B at the database row level.

Same firm, cross-client

Client transactions, knowledge base entries, and learned mappings are scoped to one client. The only thing shared at the firm level is the firm's rule library — and rules contain only patterns, not client-specific data.

Global

Only static seed industry rules (e.g. "Home Depot → Job Materials") and static industry guides — Arveo-authored, never derived from customer data.
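
The three scopes above (per-client data, a firm-level rule library, and global seed rules) map directly onto Postgres row-level security, the mechanism available in the database behind Supabase. The following is an added illustrative example, not Arveo's schema or code: the table names, columns, the `app_user` role and the `app.firm_id` / `app.client_id` session settings are all assumptions, and the UUIDs at the end are placeholder values. It shows how "enforced at the database" can be made literal, and how a request that never sets its tenant context sees nothing rather than everything.

```sql
-- Added illustrative example (not Arveo's schema): Postgres row-level security
-- policies for the firm / client / global scoping described above.
-- Table names, columns, the app_user role and the app.* settings are assumptions.

create role app_user nologin;   -- the role the application connects as (assumed)

create table firms (
  id   uuid primary key,
  name text not null
);

create table clients (
  id      uuid primary key,
  firm_id uuid not null references firms(id),
  name    text not null,
  unique (firm_id, id)          -- lets child tables reference the (firm, client) pair
);

-- Client-scoped data: a transaction can only belong to a client of the same firm.
create table transactions (
  id          uuid primary key,
  firm_id     uuid not null,
  client_id   uuid not null,
  description text,
  amount      numeric(12, 2),
  foreign key (firm_id, client_id) references clients(firm_id, id)
);

-- Firm-scoped data: the rule library, shared by every client of one firm.
create table firm_rules (
  id       uuid primary key,
  firm_id  uuid not null references firms(id),
  pattern  text not null,
  category text not null
);

-- Global, read-only seed rules authored by the vendor, never derived from customer data.
create table seed_rules (
  id       uuid primary key,
  pattern  text not null,
  category text not null
);

-- Tenant context is set per request as transaction-local settings.
-- current_setting(..., true) returns NULL when unset, and "col = NULL" is never
-- true, so a request that forgot to set its context sees zero rows (fail closed).
create function current_firm_id() returns uuid
  language sql stable
  as $$ select nullif(current_setting('app.firm_id', true), '')::uuid $$;

create function current_client_id() returns uuid
  language sql stable
  as $$ select nullif(current_setting('app.client_id', true), '')::uuid $$;

alter table transactions enable row level security;
alter table transactions force row level security;   -- applies to the table owner too
alter table firm_rules   enable row level security;
alter table firm_rules   force row level security;

-- Same firm, cross-client: rows are visible and writable only for the active
-- firm AND the active client.
create policy transactions_scope on transactions
  for all to app_user
  using      (firm_id = current_firm_id() and client_id = current_client_id())
  with check (firm_id = current_firm_id() and client_id = current_client_id());

-- Cross-firm: the rule library is visible only to its own firm.
create policy firm_rules_scope on firm_rules
  for all to app_user
  using      (firm_id = current_firm_id())
  with check (firm_id = current_firm_id());

grant select, insert, update, delete on transactions, firm_rules to app_user;
grant select on seed_rules to app_user;   -- global rules: readable, never writable by the app

-- Per-request usage: set the context inside the transaction (is_local = true)
-- so it cannot leak to the next request on a pooled connection.
-- The UUIDs below are placeholders.
begin;
select set_config('app.firm_id',   '00000000-0000-0000-0000-000000000001', true);
select set_config('app.client_id', '00000000-0000-0000-0000-000000000010', true);
select * from transactions;   -- only this firm's, this client's rows
select * from firm_rules;     -- only this firm's rule library
commit;
```

Two details carry the isolation guarantee. The `with check` clauses stop an authenticated user from inserting or updating a row into another firm's or client's scope, not just reading one, and the composite foreign key makes it impossible to attach a transaction to a client that belongs to a different firm even if the application layer has a bug. Note that a superuser still bypasses RLS, so the application must not connect as one.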

Sub-processors

The vendors that touch your data.

Sub-processor   Purpose               Location   DPA
Supabase        Database + auth       US         Yes
Vercel          Hosting               US         Yes
Anthropic       AI inference          US         Yes
Intuit          QBO sync              US         Yes
Plaid           Bank connections      US         Yes
Resend          Transactional email   US         Yes

We notify customers 30 days before adding a new sub-processor.

Document requests

Need something for your security review?

Reach out and we'll send the right documents within one business day.

Available on request: CAIQ-Lite, Privacy Policy, DPA template, Sub-processor list.