Security at Hubricon

Your financial data is sensitive. We treat it that way. Here is exactly how we protect it.

Read-Only Access

Hubricon connects to your QuickBooks Online account using Intuit’s official OAuth 2.0 protocol. We request only the com.intuit.quickbooks.accounting scope, which grants read-only access to accounting reports.

We cannot create, modify, or delete any records in your QuickBooks account. We never access your Intuit username or password. You can revoke access at any time from your Hubricon settings or directly from your Intuit account at apps.intuit.com.

Encryption

In Transit

All data transmitted between your browser and our servers, and between our servers and third-party APIs (QuickBooks, Stripe, Anthropic), is encrypted using TLS 1.2 or higher. We enforce HTTPS on all endpoints with no exceptions.

At Rest

All database records are encrypted at rest using AES-256 encryption provided by our infrastructure provider (Supabase / AWS). OAuth access tokens and refresh tokens receive an additional layer of AES-256-CBC encryption with a dedicated application-level encryption key before being written to the database. Tokens are decrypted only at the moment they are needed for an API call and are never cached in plaintext.
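The application-level token encryption described above, sketched in Node.js as an added example; it is not Hubricon's code. Assumptions: the function names and the 64-byte master key layout are hypothetical, and the HMAC-SHA256 integrity tag is an addition the page does not mention, included because AES-CBC alone does not detect a modified ciphertext.

```javascript
const crypto = require('node:crypto');

// Assumption: one 64-byte application secret, split into an AES key and a MAC key.
function splitKey(master) {
  if (!Buffer.isBuffer(master) || master.length !== 64) {
    throw new Error('master key must be a 64-byte Buffer');
  }
  return { encKey: master.subarray(0, 32), macKey: master.subarray(32) };
}

function mac(macKey, iv, ct) {
  return crypto.createHmac('sha256', macKey).update(iv).update(ct).digest();
}

// Encrypt a token for storage: base64(iv || ciphertext || tag).
function sealToken(token, master) {
  const { encKey, macKey } = splitKey(master);
  const iv = crypto.randomBytes(16); // fresh IV per write, never reused
  const cipher = crypto.createCipheriv('aes-256-cbc', encKey, iv);
  const ct = Buffer.concat([cipher.update(token, 'utf8'), cipher.final()]);
  return Buffer.concat([iv, ct, mac(macKey, iv, ct)]).toString('base64');
}

// Decrypt a stored token just before the API call that needs it.
function openToken(sealed, master) {
  const { encKey, macKey } = splitKey(master);
  const raw = Buffer.from(sealed, 'base64');
  if (raw.length < 16 + 16 + 32) throw new Error('sealed token too short');
  const iv = raw.subarray(0, 16);
  const ct = raw.subarray(16, raw.length - 32);
  const tag = raw.subarray(raw.length - 32);
  // Check the tag first so a tampered row never reaches the CBC padding check.
  if (!crypto.timingSafeEqual(tag, mac(macKey, iv, ct))) {
    throw new Error('token record failed integrity check');
  }
  const decipher = crypto.createDecipheriv('aes-256-cbc', encKey, iv);
  return Buffer.concat([decipher.update(ct), decipher.final()]).toString('utf8');
}
```

Sealing the same token twice yields different stored values because of the random IV, so equal tokens cannot be spotted by comparing database rows.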

No Plaintext Secrets

OAuth tokens are never logged, returned in API responses, stored in browser cookies or local storage, or exposed in client-side code. Environment secrets are managed through Vercel’s encrypted environment variable system and are not committed to source control.

Data Isolation

Every database query is scoped by organization. We enforce Row-Level Security (RLS) policies at the PostgreSQL database level, meaning data isolation is enforced by the database engine itself — not just application code. Even if an application bug occurred, one organization’s data could never be returned in another organization’s query.

Each user belongs to exactly one organization. There is no shared data between organizations. Administrative access to production data is strictly limited and requires multi-factor authentication.

Infrastructure

  • Application hosting: Vercel’s edge network with automatic SSL certificates, DDoS protection, and global CDN distribution
  • Database: Supabase (PostgreSQL) with SOC 2 Type II compliant infrastructure, automated daily backups, and point-in-time recovery
  • Authentication: Supabase Auth with secure httpOnly session cookies, PKCE flow for OAuth, and brute-force rate limiting
  • Payment processing: Stripe (PCI DSS Level 1 certified). We never receive or store credit card numbers
  • AI analysis: Anthropic’s commercial API with zero-retention data policy. Financial data sent for AI analysis is processed in real-time and not stored by the AI provider

Authentication and Access Control

  • OAuth 2.0 for all third-party integrations (QuickBooks, Google, GitHub) — we never see or store third-party passwords
  • CSRF protection on all OAuth flows via cryptographic state parameters
  • Webhook signature verification for all incoming webhooks (Stripe)
  • Secure, httpOnly, sameSite session cookies that are not accessible via JavaScript
  • Bearer token authentication with automatic secret rotation for cron and server-to-server endpoints

Token Lifecycle Management

QuickBooks OAuth access tokens expire after 1 hour. We proactively refresh tokens before expiration to maintain uninterrupted service. Refresh tokens are valid for 100 days. If a refresh fails, we retry once, then mark the connection as disconnected and notify you to reconnect.

All token operations (exchange, refresh, revocation) use encrypted HTTPS connections to Intuit’s token endpoint. Old tokens are overwritten in the database immediately upon successful refresh — we never store multiple token versions.

Data Deletion

Disconnection

When you disconnect your QuickBooks account, we immediately revoke the OAuth tokens and delete all synced financial data (P&L, balance sheet, cash flow, and transaction records) from our active database.

Account Deletion

When you delete your account, we delete all data associated with your organization including financial records, AI insights, connection records, and membership data. All active data is removed within 30 days. Encrypted backups are purged within 90 days.

No Data Sale

We do not sell, rent, license, or share your financial data with third parties for marketing, advertising, analytics, or any purpose beyond providing the Service to you.

Questions about security?

If you have questions about our security practices or want to report a vulnerability, contact us at contact@hubricon.com.