The Rule of Three

Effective Date: 1 February 2026

Last Updated: 3 May 2026

TidyBooks handles your clients' financial data. They trust you with it, and you trust us. This page lays out the three hard rules we wrote into the software, so you can answer your clients' security questions before they ask.

For the legal-strength version of how we collect, hold, use, and disclose personal information, see our Privacy Policy and our Australian Privacy Principles compliance.


Rule 1: We only see what you connect.

TidyBooks is a connection-driven system. We don't go fishing for data. Every source you connect, you connect deliberately.

  • Granular OAuth scopes. We request the minimum scopes needed for each integration. For Gmail we use gmail.readonly (we cannot send, delete, or modify your emails). For Google Drive and OneDrive we start with read-only access scoped to folders you explicitly select. Outlook uses Mail.Read.
  • Write access is requested only when you need it. Write permissions on cloud drives (such as drive.file write or Files.ReadWrite) are not requested when you set up a connected account. We ask for write access at the moment you opt into a feature that needs it, for example, when you choose to export documents from TidyBooks back to your Google Drive or OneDrive. If you never use those features, we never request the write scope.
  • User-controlled filters. You decide which senders, folders, dates, or document types are eligible. Filters are applied at the email or file metadata layer first, so anything outside your filter is skipped before its content is opened or stored.
  • Historical extractions are opt-in and scoped by you. When you choose to extract receipts from a past period using the Historical Extractions wizard, we scan the date range and source you select. If you apply filters, we honour them. If you choose to scan a full inbox without filters, that scope is set explicitly by you and disclosed (with cost) in the wizard before any work begins.
  • Disconnect, anytime. Disconnecting a source through your TidyBooks settings revokes our access tokens immediately. You can also revoke us directly from the third-party provider's settings (for example, Google Account permissions).

Things we don't do

  • We never read outside your filters. When filters are configured, items that don't match are skipped before content is opened.
  • No automatic indexing of folders you didn't select.
  • No background "everything" sweeps. Continuous monitoring is filter-driven. Broader scans only happen when you explicitly start a Historical Extraction with a scope you've chosen.
  • No retention of credentials. OAuth tokens are encrypted at rest using user-specific encryption keys, and revoked the moment you disconnect.
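As an added illustration of the "filters first, content second" behaviour described above (example code, not TidyBooks' own; field names, the filter shape and the sample mailbox listing are constructed), the filter below is evaluated on message metadata only, and the body fetcher is never invoked for an item that does not match:

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass(frozen=True)
class MessageMeta:
    """Header-level facts about a message; nothing here needs the body opened."""
    msg_id: str
    sender: str
    sent: date
    attachment_types: tuple   # e.g. ("pdf",), taken from MIME headers only

@dataclass(frozen=True)
class Filters:
    senders: Optional[frozenset] = None    # None means any sender
    not_before: Optional[date] = None      # None means no lower date bound
    doc_types: Optional[frozenset] = None  # None means any attachment type

def matches(meta: MessageMeta, f: Filters) -> bool:
    """Evaluate the user's filter against metadata alone."""
    if f.senders is not None and meta.sender.lower() not in f.senders:
        return False
    if f.not_before is not None and meta.sent < f.not_before:
        return False
    if f.doc_types is not None and not set(meta.attachment_types) & f.doc_types:
        return False
    return True

def extract(metas, f: Filters, fetch_body):
    """Yield (msg_id, body) for eligible items only. Non-matches are dropped
    before fetch_body is called, so their content is never opened."""
    for meta in metas:
        if matches(meta, f):
            yield meta.msg_id, fetch_body(meta.msg_id)

SAMPLE = [  # constructed sample mailbox listing (metadata only)
    MessageMeta("m1", "billing@vendor.example", date(2026, 3, 2), ("pdf",)),
    MessageMeta("m2", "newsletter@vendor.example", date(2026, 3, 3), ("png",)),
    MessageMeta("m3", "billing@vendor.example", date(2025, 12, 20), ("pdf",)),
]

def run_sample() -> tuple:
    """Return (eligible ids, how many bodies were fetched) for SAMPLE."""
    opened = []
    def fetch_body(msg_id: str) -> bytes:
        opened.append(msg_id)                     # records every content open
        return b"<body of " + msg_id.encode() + b">"
    f = Filters(senders=frozenset({"billing@vendor.example"}),
                not_before=date(2026, 1, 1), doc_types=frozenset({"pdf"}))
    ids = [mid for mid, _ in extract(SAMPLE, f, fetch_body)]
    return ids, len(opened)
```

The count returned by `run_sample` is the property worth checking in a real implementation: the number of content opens must equal the number of filter matches, never the size of the mailbox.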

Rule 2: We only write entries we created.

When TidyBooks syncs to your client's accounting software (Xero or QuickBooks), it touches only the records it created itself.

  • Source-tagged writes. Every bill, expense, or document TidyBooks pushes to your client's accounting software is tagged with our source ID. That tag is how we tell our records apart from yours.
  • Update only what we created. If a categorisation changes inside TidyBooks and we own the corresponding record in Xero, we update it. If your team has edited the same record in Xero directly, our auto-sync respects your changes and parks the conflict in the review queue.
  • Never edits records we didn't create. Anything posted directly by your team or your clients in their accounting software is invisible to TidyBooks' write paths. We don't touch it.

Things we don't do

  • Never edits or deletes existing entries that we didn't create.
  • Never reconciles bank transactions on your behalf.
  • Never modifies your chart of accounts, vendors, or tax rates in your client's accounting software (we only sync them in for use within TidyBooks).
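An added example of the write guard Rule 2 describes (illustrative code, not TidyBooks' implementation). It assumes two things the page does not specify: records read back from the accounting system carry a source tag, and the system bumps a version stamp on every edit, which is how a direct edit since our last write is detected and parked rather than overwritten:

```python
from dataclasses import dataclass, field
from typing import Optional

SOURCE_ID = "tidybooks"   # assumed value of the source tag on records we create

@dataclass
class RemoteRecord:
    """A bill/expense as read back from the accounting system (constructed shape)."""
    record_id: str
    source_tag: Optional[str]   # None when the team posted it directly
    version: int                # assumed: bumped by the accounting system on any edit
    category: str

@dataclass
class SyncState:
    """What TidyBooks last wrote, per record, plus the conflict review queue."""
    last_written_version: dict = field(default_factory=dict)
    review_queue: list = field(default_factory=list)

def plan_write(remote: RemoteRecord, new_category: str, state: SyncState) -> str:
    """Decide what the write path may do with one record.
    Returns "skip-foreign", "noop", "conflict" or "update"."""
    # Rule 2: records without our source tag are invisible to the write path.
    if remote.source_tag != SOURCE_ID:
        return "skip-foreign"
    if remote.category == new_category:
        return "noop"
    # Our record, but its version moved since we last wrote it: someone edited
    # it directly, so park it for review instead of overwriting their change.
    if remote.version != state.last_written_version.get(remote.record_id):
        state.review_queue.append(remote.record_id)
        return "conflict"
    # Safe to update; remember the version the system will assign to our write.
    state.last_written_version[remote.record_id] = remote.version + 1
    return "update"

def run_sample() -> tuple:
    """Walk three constructed records through plan_write; returns the outcomes
    and the review queue."""
    state = SyncState(last_written_version={"b1": 3, "b2": 3})
    records = [
        RemoteRecord("x1", None, 1, "Travel"),            # posted by the team
        RemoteRecord("b1", SOURCE_ID, 3, "Office"),       # ours, untouched
        RemoteRecord("b2", SOURCE_ID, 5, "Office"),       # ours, edited directly
    ]
    outcomes = [plan_write(r, "Travel", state) for r in records]
    return outcomes, list(state.review_queue)
```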

Rule 3: We can't move your clients' money.

The OAuth scopes we request, by design, do not include any financial action permissions.

  • No payment scopes. We can't initiate payments, transfers, or invoice payments.
  • No bank-feed authority. We don't connect to bank feeds and can't pull or modify bank transactions in your client's accounting software.
  • No payroll access. We don't connect to or push payroll data.
  • No subscription writes. We can't trigger billing actions inside your client's Xero or QuickBooks subscription.

If our system were ever compromised, the worst it could do is stop syncing. It cannot move money, change bank feeds, or run payroll on anyone's behalf.

Things we don't do

  • Read-only on the things that matter. Bank balances, payroll, and payment authorisation are out of scope by design.

Encryption and Hosting

  • AES-256 encryption at rest and in transit.
  • Australian-hosted primary infrastructure on AWS, with documented cross-border disclosures to overseas service providers as listed in our APP compliance page.
  • Australian Privacy Principles (APP) compliant as a voluntary commitment, including the Notifiable Data Breaches scheme.
  • GDPR-aligned practices for EU data subjects.
  • PCI DSS payment processing handled exclusively by our PCI Level 1 payment processor (LemonSqueezy). TidyBooks does not see, store, or transmit cardholder data.

Audit Logs

For every organisation, TidyBooks maintains a 90-day audit log capturing authentication events, connected-account changes, member changes, and bulk data actions. Owners and administrators can view this log at any time from organisation settings. See "Security Audit Logs" in our Privacy Policy for what is captured and how it is retained.


Reporting a Vulnerability

If you've found a security issue, please email us at security@tidybooks.tax. We aim to acknowledge reports within 24 hours and triage within 5 business days. Coordinated disclosure is appreciated.

