Company Security

Reach Reporting’s security & compliance principles guide how we deliver our products and services, enabling people to simply and securely access their digital world of financial reporting.

Reach Reporting is a cloud-based application used by large and small companies, bookkeepers, and accountants to visualize and report on their financial data. We protect this data by applying security controls at every layer, from physical to application. We only retain read access. We do not write to, or modify, any of your financial data within QuickBooks Online, Xero, Google Sheets, or QuickBooks Desktop.

Data Centers

Reach provides maximum security with complete customer isolation in a modern, multi-tenant cloud architecture.

The Reach cloud leverages the native physical and network security features of the AWS cloud service and relies on the providers to maintain the infrastructure, services, and physical access policies and procedures.

Our software and your financial data are stored using Amazon Web Services (AWS). Amazon continually undergoes security assessments and maintains many certifications to ensure the security of its data centers.

Amazon Web Services maintains compliance under the following standards:

  • ISO 27001
  • SOC 1 and SOC 2/SSAE 16/ISAE 3402
  • PCI Level 1
  • FISMA Moderate
  • Sarbanes-Oxley (SOX)

Reach Reporting utilizes ISO 27001 and FISMA-certified data centers managed by Amazon. Amazon has many years of experience in designing, constructing, and operating large-scale data centers. This experience has been applied to the AWS platform and infrastructure. AWS data centers are housed in nondescript facilities, and critical facilities have extensive setback and military-grade perimeter control berms as well as other natural boundary protection. Physical access is strictly controlled both at the perimeter and at building ingress points by professional security staff utilizing video surveillance, state-of-the-art intrusion detection systems, and other electronic means. Authorized staff must pass two-factor authentication no fewer than three times to access data center floors. All visitors and contractors are required to present identification and are signed in and continually escorted by authorized staff.

To learn more about the security of Amazon Web Services, see:

Credit Cards

We use the PCI-compliant payment processor Stripe to encrypt credit card numbers and process payments. Stripe is PCI Level 1 compliant, and has been audited by an external auditor to ensure compliance. This is the highest level of compliance available in the payment industry.

From their website: “All card numbers are encrypted on disk with AES-256. Decryption keys are stored on separate machines. None of Stripe’s internal servers and daemons are able to obtain plaintext card numbers; instead, they can just request that cards be sent to a service provider on a static whitelist. Stripe’s infrastructure for storing, decrypting, and transmitting card numbers runs in separate hosting infrastructure, and doesn’t share any credentials with Stripe’s primary services (API, website, etc.).”

Security Assessments

Reach Reporting has successfully completed the AICPA Service Organization Control (SOC) 2 Type 1, and Type 2 audits. These audits have confirmed that Reach Reporting’s information security practices, policies, procedures, and operations meet the SOC 2 standards for security.

Reach Reporting deploys third-party penetration testing and vulnerability scanning on all production and internet-facing systems on a recurring basis by a registered third-party security firm.

Employee Policies

Reach Reporting takes the security of its data and that of its clients and customers seriously and ensures that only vetted, role-based personnel are given controlled access—adhering to the principle of least privilege. We embed the culture of security into our business by conducting employee security training & testing using current and emerging techniques and attack vectors.

We maintain policies within our company to ensure that your data stays secure. The few employees with access to sensitive data are vetted with rigorous background checks and use a multi-factor secured system that requires a hardware token to access.


Reach Reporting is committed to providing secure products and services to safely and easily manage sophisticated financial data across the globe. Our external certifications provide independent assurance of Reach Reporting’s dedication to protecting our customers by regularly assessing and validating the protections and effective security practices Reach Reporting has in place.

An unqualified opinion on a SOC 2 Type 2 audit report demonstrates to Reach Reporting’s current and future customers that data is managed with the highest standard of security and compliance.

Customers and prospects can request access to the audit reports by contacting  [email protected]