Security you can verify, not just trust

Your ledger is some of the most sensitive data you have. Here is exactly how we protect it — every claim on this page describes something real in the product today.

Role-based access

Owner, admin, and member roles per organization. Team members see and do only what their role allows — permission changes are logged.

Organization-scoped authorization

Every API request is checked against your organization. Your entities, transactions, and documents are never queryable from another customer's account.

Encrypted secrets storage

Connected-account credentials — like QuickBooks, Xero, and Google Drive OAuth tokens — are encrypted at rest with field-level encryption and support key rotation.

Audit trail on AI actions

Every AI categorization is recorded: what was coded, when, and with what confidence. Authentication and security events are logged immutably alongside it.

Stripe-hosted payments

Subscriptions run entirely through Stripe's hosted checkout and billing portal. Your card details go to Stripe — they never touch our servers or our database.

Daily AI spend caps

AI usage is metered per organization per day with hard caps, so a runaway job — or a compromised account — can't burn through unbounded processing.

Approval-gated AI

The AI can't silently rewrite your books. Uncertain categorizations wait in a review queue, adjusting entries land as drafts, and closed periods lock.

Encrypted in transit

All traffic between your browser and xBav — and between xBav and connected services — runs over TLS. Your data is yours: export it at any time.

Straight talk

Where we are on certifications

We don’t yet hold formal certifications like SOC 2 or ISO 27001, and we won’t put a badge on this page until an independent auditor has signed off on one. Plenty of startups do; we think that erodes the trust the badge is supposed to signal.

What we do instead is build the underlying controls first — immutable audit logging, role-based and organization-scoped access, encrypted credential storage, and approval gates on every AI action — so that a future audit certifies practices we already live by. If your firm has specific security requirements, ask us directly and we’ll give you specific answers.

Found a vulnerability?

We value the security community and respond to every good-faith report. If you believe you’ve found a vulnerability in xBav, please tell us.

security@xbav.ai →