Trust
Security & data handling
How Cutovr protects your firm's files, QuickBooks tokens, and clients' data. Last updated: 2026.
Encryption at rest
- Uploaded PCLaw files are encrypted with AES-256 immediately after upload. The unencrypted copy is removed from the server.
- Your QuickBooks connection tokens are encrypted with the same standard before being saved.
- Any intermediate files we generate during a migration are encrypted with the same standard.
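As an added illustration (not Cutovr's code), the Go program below shows the at-rest pattern described in the three points above: an uploaded file is sealed with AES-256-GCM, the ciphertext is written with owner-only permissions and fsynced, and only then is the plaintext copy removed. The same helper serves intermediate files. The 32-byte key is assumed to come from a secret store; here it is generated in main for the demo, and the file name and contents are constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"os"
	"path/filepath"
)

// Added illustration, not Cutovr's code. The key is assumed to come from a
// secret store such as a KMS; main generates a throwaway one for the demo.
const keyLen = 32 // a 32-byte key selects AES-256 in crypto/aes

// sealBytes encrypts plaintext with AES-256-GCM. The output layout is
// nonce || ciphertext || tag, so the nonce is stored with the data.
func sealBytes(key, plaintext []byte) ([]byte, error) {
	if len(key) != keyLen {
		return nil, errors.New("key must be 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize()) // fresh random nonce per file
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// openBytes reverses sealBytes. GCM authenticates the data, so a stored file
// that was modified is rejected instead of being decrypted to garbage.
func openBytes(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], nil)
}

// encryptUploadAndRemove writes plainPath+".enc" (mode 0600), fsyncs it, and
// only then removes the plaintext. If any step fails the plaintext stays in
// place so the upload is not lost.
func encryptUploadAndRemove(key []byte, plainPath string) (string, error) {
	plaintext, err := os.ReadFile(plainPath)
	if err != nil {
		return "", err
	}
	sealed, err := sealBytes(key, plaintext)
	if err != nil {
		return "", err
	}
	encPath := plainPath + ".enc"
	f, err := os.OpenFile(encPath, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0o600)
	if err != nil {
		return "", err
	}
	if _, err = f.Write(sealed); err == nil {
		err = f.Sync() // ciphertext must be durable before the plaintext goes
	}
	if cerr := f.Close(); err == nil {
		err = cerr
	}
	if err != nil {
		return "", err
	}
	if err := os.Remove(plainPath); err != nil {
		return "", err
	}
	return encPath, nil
}

func main() {
	key := make([]byte, keyLen)
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	dir, err := os.MkdirTemp("", "upload-demo")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)
	plainPath := filepath.Join(dir, "ledger.pclaw") // constructed sample upload
	if err := os.WriteFile(plainPath, []byte("constructed PCLaw export"), 0o600); err != nil {
		panic(err)
	}
	encPath, err := encryptUploadAndRemove(key, plainPath)
	if err != nil {
		panic(err)
	}
	_, statErr := os.Stat(plainPath)
	fmt.Printf("wrote %s; plaintext removed: %v\n", filepath.Base(encPath), os.IsNotExist(statErr))
}
```

The ordering matters: the plaintext is deleted only after the ciphertext has been written and synced, so a crash between the two steps leaves a recoverable upload rather than nothing. GCM is used instead of a bare block mode because it also detects tampering with the stored file.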
QuickBooks access via OAuth — we never see your QuickBooks password
- You sign in to QuickBooks directly with Intuit. Cutovr never sees, stores, or transmits your QuickBooks Online password.
- Intuit issues an access token to Cutovr only after you grant consent on Intuit's pages.
- You can disconnect Cutovr from inside QuickBooks (Apps → Connected apps) at any time, which immediately invalidates the token.
Least-necessary data access
- We request the single QuickBooks scope needed for the import: com.intuit.quickbooks.accounting.
- The app reads your chart of accounts to match against PCLaw, looks up customers and vendors to attach to A/R and A/P lines, and creates JournalEntry records you initiate.
- We do not read payroll data, banking transactions, or any other QuickBooks data that isn't required to fulfill the import.
Audit logging
- Every sign-in, upload, QuickBooks connect/disconnect, import, and reversal is recorded in a per-firm audit log with timestamp and actor.
- Failed login attempts, rate-limit hits, and password reset events are logged so you can review unusual activity.
- OAuth token rotations are logged. Intuit transaction ids (intuit_tid) on any failing API call are captured so Intuit support can trace the request without the customer sharing sensitive content.
We do not currently publish SOC 2 or other formal compliance reports. If your firm needs a written security questionnaire response, contact security@cutovr.com.
Reversible imports
- Every import can be reversed in one click. Reversals post offsetting journal entries to QuickBooks, which QuickBooks treats as fully auditable activity rather than silently voiding records.
- Duplicate imports of the same file are blocked by file hash before anything is posted.
- Pre-flight checks validate balance, account mapping, and required columns before posting.
Account security
- Passwords are hashed with industry-standard algorithms; we never store plaintext passwords.
- Login, password reset, and signup are rate-limited to slow down credential-stuffing and account-creation abuse.
- Session cookies are set with the HttpOnly and Secure flags in production, so they are not readable by page scripts and are sent over HTTPS only. CSRF protection is enforced on every state-changing request.
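As an added example (not Cutovr's code), here is how the rate limit, cookie flags and CSRF check described above look when written against Go's standard library. The cookie name, the X-CSRF-Token header, the HMAC-derived per-session token and the fixed-window limiter are assumptions about how such an app might be wired; the secret and client addresses are constructed values.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"net/http"
	"sync"
	"time"
)

// Added illustration, not Cutovr's code. Cookie name, header name and the
// token scheme are assumptions.

// newSessionID returns 32 random bytes as hex. Unguessable session ids are
// the precondition for the cookie flags below to be worth anything.
func newSessionID() (string, error) {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return hex.EncodeToString(b), nil
}

// sessionCookie applies the hardening flags. secure is a parameter only so
// that local HTTP development works; production passes true.
func sessionCookie(sessionID string, secure bool) *http.Cookie {
	return &http.Cookie{
		Name:     "session",
		Value:    sessionID,
		Path:     "/",
		HttpOnly: true,   // page scripts cannot read it
		Secure:   secure, // browser sends it over HTTPS only
		SameSite: http.SameSiteLaxMode,
	}
}

// csrfToken derives a per-session token from a server-side secret, so a
// token captured from one session does not work for another.
func csrfToken(secret []byte, sessionID string) string {
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(sessionID))
	return hex.EncodeToString(mac.Sum(nil))
}

// checkCSRF lets safe methods through and requires a matching token on every
// state-changing request. hmac.Equal compares in constant time.
func checkCSRF(secret []byte, r *http.Request) bool {
	switch r.Method {
	case http.MethodGet, http.MethodHead, http.MethodOptions:
		return true
	}
	c, err := r.Cookie("session")
	if err != nil {
		return false
	}
	got := r.Header.Get("X-CSRF-Token")
	return hmac.Equal([]byte(got), []byte(csrfToken(secret, c.Value)))
}

// RateLimiter is a fixed-window counter keyed by client address or account;
// enough to turn a credential-stuffing run into a slow one.
type RateLimiter struct {
	mu     sync.Mutex
	limit  int
	window time.Duration
	hits   map[string]windowCount
	now    func() time.Time // injectable clock for tests
}

type windowCount struct {
	start time.Time
	n     int
}

func NewRateLimiter(limit int, window time.Duration) *RateLimiter {
	return &RateLimiter{limit: limit, window: window, hits: map[string]windowCount{}, now: time.Now}
}

// Allow reports whether key may make another attempt in the current window.
func (rl *RateLimiter) Allow(key string) bool {
	rl.mu.Lock()
	defer rl.mu.Unlock()
	now := rl.now()
	wc := rl.hits[key]
	if now.Sub(wc.start) >= rl.window {
		wc = windowCount{start: now} // new window (also handles the zero value)
	}
	if wc.n >= rl.limit {
		rl.hits[key] = wc
		return false
	}
	wc.n++
	rl.hits[key] = wc
	return true
}

func main() {
	secret := []byte("constructed-demo-secret") // a real secret comes from config, not source
	id, err := newSessionID()
	if err != nil {
		panic(err)
	}
	c := sessionCookie(id, true)
	fmt.Println("Set-Cookie:", c.String())
	r, _ := http.NewRequest(http.MethodPost, "https://app.example/import", nil)
	r.AddCookie(c)
	r.Header.Set("X-CSRF-Token", csrfToken(secret, id))
	fmt.Println("CSRF check passes:", checkCSRF(secret, r))
	rl := NewRateLimiter(5, time.Minute)
	for i := 1; i <= 6; i++ {
		fmt.Printf("login attempt %d allowed: %v\n", i, rl.Allow("203.0.113.9"))
	}
}
```

The CSRF token is bound to the session rather than stored separately, so there is nothing extra to persist, and the safe-method exemption only holds if GET handlers never change state.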
Hosting & sub-processors
Cutovr runs on Render (US region). The only required sub-processor for migrations is Intuit's QuickBooks Online API. We may use a transactional email provider for password-reset and support correspondence. No other sub-processor receives uploaded ledger files or QuickBooks tokens. See the Privacy Policy for more.
Reporting a security issue
Please report suspected security issues to security@cutovr.com. Include a short reproduction, the approximate time, and any URLs involved. We acknowledge within two business days and will not pursue legal action against good-faith research that follows responsible disclosure norms (no data exfiltration, no service degradation, no targeting of other customers).
We deliberately avoid overclaiming. The statements above describe what Cutovr does today — they are not a substitute for a formal audit, certification, or contractual security commitment. If you need additional assurances for a procurement review, contact security@cutovr.com.