What we do to keep your books safe.
Ziroo holds two things of value on your behalf: the OAuth credentials that let us read your Xero data and write to your chosen cloud storage, and the accounting metadata we fetch on your schedule. This page is a plain, factual account of how each of those is handled — and, just as importantly, the industry terms we deliberately do not claim to meet.
Encrypted in transit
All traffic between your browser, Ziroo, Xero, your cloud provider, and our email infrastructure uses TLS 1.2 or higher. The cipher suite is negotiated per connection; modern clients typically land on an AEAD suite such as AES-256-GCM. Plain HTTP is redirected to HTTPS, and HSTS is enabled for our domain.
Secrets are encrypted in the database
OAuth access and refresh tokens — for Xero, Dropbox, Google Drive, and Microsoft OneDrive — are encrypted at rest using Laravel's encrypter (AES-256-CBC with an HMAC-SHA256 authentication tag, so a modified ciphertext fails to decrypt rather than yielding garbage) under a per-environment master key. The same applies to two-factor authentication secrets and recovery codes. Passwords are not encrypted but hashed with bcrypt (work factor 12).
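As an added illustration of what field-level encryption with Laravel's encrypter looks like (this is example code, not Ziroo's own; it assumes the `illuminate/encryption` package is installed and generates a throwaway key in place of the application's real master key), the following encrypts a constructed refresh token, shows the authenticated payload that would land in the database column, and demonstrates that a tampered payload is rejected:

```php
<?php
// Added example (not Ziroo's code). Requires: composer require illuminate/encryption
require __DIR__ . '/vendor/autoload.php';

use Illuminate\Contracts\Encryption\DecryptException;
use Illuminate\Encryption\Encrypter;

// In a deployed app this is the per-environment master key (APP_KEY),
// loaded from the environment and never stored alongside the data.
// Here we generate a throwaway key so the script runs stand-alone.
$key   = Encrypter::generateKey('aes-256-cbc');
$crypt = new Encrypter($key, 'aes-256-cbc');

// Constructed sample secret; a real refresh token would come from the OAuth flow.
$refreshToken = 'constructed-sample-refresh-token-not-real';

// This string is what is written to the database column.
$stored = $crypt->encryptString($refreshToken);

// The payload is base64(JSON{iv, value, mac, tag}). The mac is an HMAC-SHA256
// over the base64 iv and ciphertext, so the column is authenticated as well as
// confidential: a database-level edit of the ciphertext is detected.
$parts = json_decode(base64_decode($stored), true);
printf("iv=%s\nvalue=%s\nmac=%s\n", $parts['iv'], $parts['value'], $parts['mac']);

// Round trip with the right key works.
if ($crypt->decryptString($stored) !== $refreshToken) {
    throw new RuntimeException('round trip failed');
}

// Flip one character of the ciphertext and re-encode the payload.
$parts['value'][0] = $parts['value'][0] === 'A' ? 'B' : 'A';
$tampered = base64_encode(json_encode($parts));

try {
    $crypt->decryptString($tampered);
    echo "unexpected: tampered payload decrypted\n";
} catch (DecryptException $e) {
    // Laravel checks the MAC before touching the ciphertext.
    echo "tampered payload rejected: {$e->getMessage()}\n";
}

// Passwords are a verification problem, not a recovery problem, so they are
// hashed rather than encrypted. bcrypt cost 12 matches the work factor above.
$hash = password_hash('correct horse battery staple', PASSWORD_BCRYPT, ['cost' => 12]);
echo password_verify('correct horse battery staple', $hash) ? "password ok\n" : "password mismatch\n";
```

The point of the tamper step is the difference between "encrypted" and "authenticated encryption": with a bare CBC column, an attacker with write access to the database could alter a stored token without the application noticing, whereas the MAC makes that alteration a decryption failure that shows up in logs.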
We only read
We request the accounting.transactions, offline_access, and basic profile scopes from Xero. Our code only issues read (GET) requests against the Invoices, Quotes and Purchase Orders endpoints; we never create, update, or delete records in your Xero organisation. Note that this read-only behaviour is enforced by our code rather than by the scope itself: accounting.transactions also permits writes, which is why the tokens carrying it are treated as secrets and encrypted at rest.
Your PDFs go to your cloud
PDFs downloaded from Xero are streamed directly to the cloud provider you chose (Dropbox, Google Drive, or OneDrive). Temporary files used during delivery are removed by a cleanup job; the archive copies live in your account, not ours.
Two-factor and session hygiene
Time-based one-time password (TOTP) two-factor authentication is available on every account and strongly recommended for bookkeepers and multi-organisation users. Session cookies are HttpOnly and SameSite=Lax, with a 120-minute idle lifetime, and a CSRF token is required on every state-changing request.
Hosted on AWS (United States)
The application runs on Amazon Web Services infrastructure in a United States region. Outbound mail is delivered via Amazon SES. We rely on AWS’s physical-security and network-isolation controls for the underlying hosts; patching of the managed runtime and database is handled by AWS.
Audit log for every run
We record who did what inside a team (connections added, backups triggered, storage changed) and the outcome of every scheduled backup run — when it started, what it fetched, which organisation, and whether delivery succeeded. This gives both you and us a clear trail if anything looks wrong.
Framework updates tracked
Ziroo is built on Laravel 11 and maintained PHP dependencies. We monitor security advisories from GitHub's Dependabot and upstream Packagist sources, and apply security patches within a short window.
We never see your card
Billing is handled by Stripe. Card numbers and full payment details are entered into Stripe’s PCI‑DSS Level 1 certified environment and never transit our servers. We only store a Stripe customer reference and the last four digits of the card for display.
Straight about our limits.
We think the fastest way to lose trust is to imply compliance or controls we can’t substantiate. So, explicitly:
- We are not SOC 2 certified. We have not undergone a SOC 2 Type I or Type II audit, and we don’t describe ourselves as “SOC 2 aligned” — that phrase is fuzzy by design, and we’d rather describe what we actually do.
- We are not ISO 27001 certified.
- We do not claim full-database or full-disk encryption at rest. The specific fields that hold secrets — OAuth tokens, 2FA material — are encrypted at the application layer. Other columns are stored as-is from the application's point of view and rely only on whatever storage-level protection the managed database provider applies.
- We have not commissioned an independent penetration test at our current stage. We intend to as the business grows.
- We do not offer EU‑region data residency. Data is stored in the United States via AWS. If residency is a requirement for your organisation, Ziroo is not a fit today.
If any of the above changes, we’ll update this page before we update marketing copy elsewhere.
Found something? Tell us.
If you believe you’ve found a security vulnerability in Ziroo, please report it to [email protected] with “Security” in the subject line. Please include:
- A description of the issue and the URL or endpoint affected
- Steps to reproduce, and any proof-of-concept output
- Your assessment of the impact
We will acknowledge receipt within five business days, keep you updated while we investigate, and credit you (if you’d like) when the issue is resolved. Please do not perform testing that could affect other customers’ data or availability, and please give us a reasonable window to fix the issue before public disclosure.
We do not currently operate a paid bug-bounty programme.