Home › Security

Security overview

Your customer data and your books. We treat both accordingly.

Tormano connects to your accounting system, which means security isn't a feature — it's the precondition for the whole product. This page lists the concrete controls in place today, not aspirations.

Application security

Modern password hashing

Passwords are hashed with argon2id, the current OWASP-recommended algorithm — never stored, never recoverable, not even by us.

Two-factor authentication

TOTP-based two-factor authentication works with any standard authenticator app. Business and Professional plans add SSO via SAML.

Role & field permissions

Role-based access control on every plan, with field-level permissions on top tiers — sensitive fields can be hidden from entire roles.

Tenant isolation

Every query is scoped to your organization. Cross-tenant access is blocked at the application layer, not by convention.

Rate limiting

Authentication endpoints and APIs are rate-limited to blunt credential-stuffing and brute-force attempts.

Hardened headers

HTTPS everywhere with HSTS preload, a Content-Security-Policy, and clickjacking protection via X-Frame-Options.

Data protection

Encryption in transit

All traffic is TLS-encrypted, including between Tormano and QuickBooks, Stripe, and every connected integration.

Encrypted credentials

Third-party integration tokens — QuickBooks, Xero, and the rest — are encrypted at rest with AES-256 before they ever touch the database.

Card data never lands here

Payments run on Stripe. Card numbers are entered into Stripe-hosted fields and never pass through or persist on Tormano's servers.

Tamper-proof audit trail

The audit log is immutable at the database level — entries cannot be edited or deleted by anyone, including organization owners.

U.S. hosting

Production runs in a data center in Ashburn, Virginia, in the United States.

Privacy tooling

Data export and deletion tooling supports GDPR and CCPA requests. Our DPA, subprocessor list, and privacy policy are public.

Backups & continuity

Database write-ahead logs are archived every five minutes for point-in-time recovery. Full backups run nightly, are GPG-encrypted client-side, and are copied to independent offsite storage. And because a backup you've never restored is a hope rather than a plan, an automated job restores and verifies a backup every week.

Responsible disclosure

Found a vulnerability? We want to hear about it — quietly and quickly. Email security@tormano.com and we'll respond promptly. Our disclosure details are published at /.well-known/security.txt. We ask that you give us reasonable time to fix an issue before public disclosure, and we won't pursue good-faith research.

Questions about any control on this page? Ask us directly — specific answers, not marketing.

See Tormano with your own data.

14-day free trial, every feature unlocked. Connect QuickBooks, import your records, and judge it on your real workflows.

Card required. Cancel anytime in settings before day 14.