Outbooks US: Protecting Your Financial Data

At Outbooks, we deliver outsourced bookkeeping, accounting, payroll, tax preparation, and audit support services to U.S. accounting firms and businesses. Financial data is at the core of every engagement, and protecting it is at the core of everything we do.

Security is not an add-on. It is embedded into every process, system, and infrastructure layer we operate. This document outlines how Outbooks safeguards client financial information against unauthorized access, breaches, misuse, and operational disruption.

Our Information Security Framework

Outbooks operates an Information Security Management System (ISMS) aligned with the ISO/IEC 27001:2022 standard, one of the most rigorous and internationally recognized frameworks for information security management.

Our ISMS ensures:

  • Structured, documented risk assessment and mitigation
  • Continuous monitoring, testing, and improvement of security controls
  • Clearly defined access controls based on role and data sensitivity
  • Protection of the confidentiality, integrity, and availability of all client data

Security controls are proportionate to the sensitivity of the data and the level of operational risk involved.

Regulatory Compliance

As an outsourced accounting and bookkeeping provider serving U.S. firms, Outbooks aligns its data security practices with the applicable laws, regulations, standards, and contractual obligations, including:

  • Federal and state-level data protection laws
  • U.S. data breach notification requirements
  • IRS Publication 4557 (Safeguarding Taxpayer Data), including maintenance of a written information security plan and regular risk assessments
  • SOC 2-aligned security practices
  • Client contractual confidentiality and data handling obligations

Outbooks maintains a Written Information Security Plan (WISP) and conducts formal risk assessments on a regular basis to ensure ongoing compliance.

Secure Cloud Infrastructure

All client data is stored and transmitted using enterprise-grade, secure platforms, including:

  • AWS (Amazon Web Services) infrastructure with industry-standard security configurations
  • Encrypted cloud-based document management systems
  • Secure file transfer protocols for all data exchange

Online Security Controls

Outbooks maintains layered cybersecurity protections across its network, endpoints, and authentication systems.

Network Protection

  • Enterprise-grade firewalls
  • Encrypted VPN tunnels for all remote access
  • Network segmentation to isolate sensitive environments
  • Intrusion detection and prevention systems (IDS/IPS)

Endpoint Protection

  • Centrally managed antivirus and endpoint security software
  • Routine patch management and system updates
  • Real-time threat monitoring and alerting

Data Loss Prevention (DLP)

  • Controlled and audited data movement policies
  • Restricted and monitored external data transfer
  • Detection and alerting for abnormal file access behavior

Secure Authentication

  • Unique user credentials (no shared accounts)
  • Role-based access control (RBAC), with access limited to what is needed
  • Multi-factor authentication (MFA) required for all system access
  • Automatic account lockout after repeated failed login attempts

Access is provisioned strictly on a project-need basis and reviewed periodically to ensure it remains appropriate.

Physical Infrastructure Security

Client data is processed within secure, controlled office environments supported by physical safeguards.

Office Security

  • 24/7 CCTV monitoring across all operational areas
  • Controlled entry access with credential verification
  • Visitor logging and escort procedures
  • Restricted access to operational floors handling client data

Workstation Controls

  • Removable storage devices (USB drives, external media) are disabled
  • Unauthorized external email platforms are blocked
  • Unapproved cloud storage services are restricted
  • Printing of sensitive documents is controlled and logged

These measures significantly reduce the risk of unauthorized data duplication, removal, or physical breach.

Data Access Governance

Access to client information is governed by strict internal controls, ensuring that only authorized personnel can access data relevant to their assigned engagement.

Our access governance framework includes:

  • Role-based permissions aligned to job function and project scope
  • Need-to-know principles with no blanket access to client data
  • Periodic access reviews to ensure permissions remain appropriate
  • Immediate access revocation upon role change, project completion, or employment termination

Access to highly sensitive financial data is monitored and audited on an ongoing basis.

Employee Security & Training

Our people are a critical part of our security posture. Outbooks ensures that all employees who handle client data are trained, vetted, and accountable.

  • Pre-employment background checks and confidentiality agreements for all staff
  • Mandatory information security awareness training for all employees
  • Ongoing training on phishing, social engineering, and data handling best practices
  • Clear internal policies on acceptable use of systems and data

Security responsibilities are reinforced at every level of the organization, from frontline staff to senior management.

Third-Party & Vendor Risk Management

Where Outbooks engages third-party vendors or software providers who may have access to or process client data, we apply rigorous due diligence:

  • Security assessments conducted before onboarding any vendor
  • Contractual data protection and confidentiality obligations
  • Ongoing monitoring of vendor compliance with our security standards
  • Restricted vendor access limited to only what is necessary for the engagement

Clients are never onboarded onto platforms or services that have not undergone appropriate security review.

Secure Communication Protocols

All transmission of financial records, tax documentation, and accounting files follows strict security protocols:

  • Encrypted file-sharing platforms are used for all document exchange
  • Sensitive information is never sent as unencrypted email content or attachments
  • Large file transfers are handled through secure, access-controlled portals
  • Email communications are monitored to enforce compliance with secure transfer standards

Data Retention & Secure Disposal

Outbooks maintains a formal data retention policy that governs how long client data is held and how it is securely disposed of at the end of an engagement.

  • Client data is retained only for as long as is necessary to fulfill the engagement or meet legal/regulatory requirements
  • Upon engagement conclusion, data is securely deleted or returned to the client as agreed
  • Electronic data is disposed of using secure erasure methods that prevent recovery
  • Physical records (where applicable) are destroyed using certified secure destruction processes

Incident Response

Outbooks maintains a documented incident response plan that is tested and updated regularly. In the event of a suspected or confirmed security incident, our structured response process is activated immediately.

Our incident response protocol follows these stages:

  • Identification and validation of the security event
  • Immediate containment to prevent further exposure
  • Root cause analysis to understand the nature and scope of the incident
  • Remediation and full system restoration
  • Post-incident review and improvement of controls to prevent recurrence

Where required by law, affected clients and relevant regulators are notified promptly in accordance with applicable U.S. federal and state breach notification requirements.

Continuous Monitoring & Improvement

Cyber threats evolve constantly. Outbooks treats information security as an ongoing operational commitment, not a one-time exercise.

Our continuous improvement program includes:

  • Periodic vulnerability assessments and penetration testing
  • Internal audits of security controls and procedures
  • Regular risk reviews informed by emerging threat intelligence
  • Ongoing policy updates to address new regulatory developments and risks

Information security governance is supported by executive oversight, with clear accountability at senior leadership level.

Client Responsibilities

Effective data security is a shared responsibility. While Outbooks applies rigorous controls on its end, clients play an important role in maintaining the integrity of shared data environments. We ask that clients:

  • Maintain strong, unique passwords and enable MFA on their own systems
  • Promptly notify Outbooks of any suspected breach or compromise on their end
  • Use only the secure file-sharing platforms designated by Outbooks for document exchange
  • Refrain from transmitting sensitive financial data via unsecured email or consumer platforms

Our team is available to advise clients on best practices for secure data handling where needed.

Contact

For questions about our data security practices, please contact us at +1 386 251 5318 or email us at info@outbooks.com.