> ## Documentation Index
> Fetch the complete documentation index at: https://docs.dualentry.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Security and Compliance

> Overview of DualEntry's security program, SOC 2 Type II attestation, and how to access reports, subprocessors, and policies through the DualEntry Trust Center.

DualEntry is built and operated to meet the security expectations of finance and accounting teams. This page summarizes the program at a high level and points you to the DualEntry Trust Center for the underlying evidence.

<Info>
  For the current SOC 2 Type II report, subprocessor list, security policies, and answers to common due-diligence questions, visit the [DualEntry Trust Center](https://trust.dualentry.com).
</Info>

## Attestations and certifications

DualEntry maintains independent attestations and testing that you can verify through the Trust Center.

* **SOC 2 Type II.** DualEntry undergoes an annual SOC 2 Type II examination covering the Security, Availability, and Confidentiality trust service criteria. The most recent report is available on the [Trust Center](https://trust.dualentry.com) under an NDA.
* **Annual penetration testing.** Independent third-party penetration tests are performed at least annually. Summary letters are published in the Trust Center.
* **Ongoing monitoring.** Controls are continuously monitored, and evidence is refreshed in the Trust Center as it is collected.

## How DualEntry protects your data

DualEntry protects customer data with layered technical and operational controls across the platform.

* **Encryption in transit.** All traffic to and from DualEntry runs over TLS 1.2 or higher.
* **Encryption at rest.** Customer data, backups, and sensitive fields (such as aggregator access tokens) are encrypted at rest.
* **Tenant isolation.** Every request is scoped to the authenticated organization; cross-tenant access is rejected at the API layer.
* **Least-privilege access.** Employee access to production systems is role-based, logged, and reviewed on a recurring cadence.
* **Change management.** All production changes flow through peer-reviewed pull requests, automated testing, and staged rollouts.
* **Incident response.** DualEntry maintains a documented incident response plan with defined severity levels, on-call rotations, and customer notification commitments.

## Product controls that support your own compliance

DualEntry gives you the controls auditors expect to see under SOC 2 and SOX:

* [Audit trail](./audit-trail-and-compliance) - immutable, append-only record of every data change, retained for seven years by default.
* [Approval workflows](./approval-workflows) - enforce segregation of duties across bills, journal entries, and other transactions.
* [User roles and permissions](./user-roles-and-permissions) - granular, entity-scoped access control.
* [Period locking](../core-financials/general-ledger/period-locking) - prevent changes to closed accounting periods.
* [Banking connections](../integrations/banking-connections) - credentials collected in the aggregator's hosted UI, never in DualEntry, with encrypted token storage and per-organization scoping.

## Requesting reports and completing security reviews

The Trust Center is the fastest path to almost everything a security or vendor-management team asks for:

1. Visit [trust.dualentry.com](https://trust.dualentry.com).
2. Request access to gated documents (SOC 2 report, penetration test summary, policies). Access is granted after clickthrough NDA.
3. Download the artifact you need, or share the link with your security reviewer.

If your reviewer has a question that isn't covered by the Trust Center or this documentation, contact your DualEntry account team.
