Home › Security
Security overviewYour customer data and your books. We treat both accordingly.
Tormano connects to your accounting system, which means security isn't a feature — it's the precondition for the whole product. This page lists the concrete controls in place today, not aspirations.
Application security
Modern password hashing
Passwords are hashed with argon2id, the current OWASP-recommended algorithm — never stored, never recoverable, not even by us.
Two-factor authentication
TOTP-based two-factor authentication works with any standard authenticator app. Business and Professional plans add SSO via SAML.
Role & field permissions
Role-based access control on every plan, with field-level permissions on top tiers — sensitive fields can be hidden from entire roles.
Tenant isolation
Every query is scoped to your organization. Cross-tenant access is blocked at the application layer, not by convention.
Rate limiting
Authentication endpoints and APIs are rate-limited to blunt credential-stuffing and brute-force attempts.
Hardened headers
HTTPS everywhere with HSTS preload, a Content-Security-Policy, and clickjacking protection via X-Frame-Options.
Data protection
Encryption in transit
All traffic is TLS-encrypted, including between Tormano and QuickBooks, Stripe, and every connected integration.
Encrypted credentials
Third-party integration tokens — QuickBooks, Xero, and the rest — are encrypted at rest with AES-256 before they ever touch the database.
Card data never lands here
Payments run on Stripe. Card numbers are entered into Stripe-hosted fields and never pass through or persist on Tormano's servers.
Tamper-proof audit trail
The audit log is immutable at the database level — entries cannot be edited or deleted by anyone, including organization owners.
U.S. hosting
Production runs in a data center in Ashburn, Virginia, in the United States.
Privacy tooling
Data export and deletion tooling supports GDPR and CCPA requests. Our DPA, subprocessor list, and privacy policy are public.
Backups & continuity
Database write-ahead logs are archived every five minutes for point-in-time recovery. Full backups run nightly, are GPG-encrypted client-side, and are copied to independent offsite storage. And because a backup you've never restored is a hope rather than a plan, an automated job restores and verifies a backup every week.
Responsible disclosure
Found a vulnerability? We want to hear about it — quietly and quickly. Email security@tormano.com and we'll respond promptly. Our disclosure details are published at /.well-known/security.txt. We ask that you give us reasonable time to fix an issue before public disclosure, and we won't pursue good-faith research.
Questions about any control on this page? Ask us directly — specific answers, not marketing.
See Tormano with your own data.
14-day free trial, every feature unlocked. Connect QuickBooks, import your records, and judge it on your real workflows.
Card required. Cancel anytime in settings before day 14.