For the current SOC 2 Type II report, subprocessor list, security policies, and answers to common due-diligence questions, visit the DualEntry Trust Center.
Attestations and certifications
DualEntry maintains independent attestations and testing that you can verify through the Trust Center.- SOC 2 Type II. DualEntry undergoes an annual SOC 2 Type II examination covering the Security, Availability, and Confidentiality trust service criteria. The most recent report is available on the Trust Center under an NDA.
- Annual penetration testing. Independent third-party penetration tests are performed at least annually. Summary letters are published in the Trust Center.
- Ongoing monitoring. Controls are continuously monitored, and evidence is refreshed in the Trust Center as it is collected.
How DualEntry protects your data
DualEntry protects customer data with layered technical and operational controls across the platform.- Encryption in transit. All traffic to and from DualEntry runs over TLS 1.2 or higher.
- Encryption at rest. Customer data, backups, and sensitive fields (such as aggregator access tokens) are encrypted at rest.
- Tenant isolation. Every request is scoped to the authenticated organization; cross-tenant access is rejected at the API layer.
- Least-privilege access. Employee access to production systems is role-based, logged, and reviewed on a recurring cadence.
- Change management. All production changes flow through peer-reviewed pull requests, automated testing, and staged rollouts.
- Incident response. DualEntry maintains a documented incident response plan with defined severity levels, on-call rotations, and customer notification commitments.
Product controls that support your own compliance
DualEntry gives you the controls auditors expect to see under SOC 2 and SOX:- Audit trail - immutable, append-only record of every data change, retained for seven years by default.
- Approval workflows - enforce segregation of duties across bills, journal entries, and other transactions.
- User roles and permissions - granular, entity-scoped access control.
- Period locking - prevent changes to closed accounting periods.
- Banking connections - credentials collected in the aggregator’s hosted UI, never in DualEntry, with encrypted token storage and per-organization scoping.
Requesting reports and completing security reviews
The Trust Center is the fastest path to almost everything a security or vendor-management team asks for:- Visit trust.dualentry.com.
- Request access to gated documents (SOC 2 report, penetration test summary, policies). Access is granted after clickthrough NDA.
- Download the artifact you need, or share the link with your security reviewer.
