Security
Secured like a bank. Controlled by you.
Incremenza connects to your most important business data. We take that responsibility seriously. This is what we do — and what we do not do — with your information.
Five layers of protection
Read-only by default
Most integrations (Stripe, Square, PayPal, Plaid, bank connections) are read-only. Incremenza cannot move money or modify your records on those platforms — only see them. QuickBooks has an opt-in write-back feature for transaction reconciliation, which you can disable.
Bank-level encryption
All data in transit uses TLS 1.2 or above. All data at rest is encrypted with AES-256. Database access is restricted, audit-logged, and limited to operational requirements.
OAuth 2.0 for all integrations
Incremenza never sees your passwords. Every integration uses OAuth 2.0 — you authenticate directly with the provider (Stripe, QuickBooks, your bank, etc.) and grant Incremenza specific permissions. You can revoke access at any time from your provider's settings.
You control your data
You can export everything (transactions, customers, OKRs, reports) as CSV at any time. You can disconnect integrations without losing historical data. You can delete your account, after which all personal and financial data is permanently deleted within 90 days.
We never sell your data
Your business data is yours. We do not sell it, share it with advertisers, or use it for any purpose other than running your Incremenza account. This commitment is in our terms of service.
AI Data Policy
What we do — and do not do — with your data when AI is involved
Several Incremenza features use large language models — the My Advisor chat, the weekly briefing narrative, and parts of the transaction classification pipeline. Your business data is sent to AI providers (primarily Google Gemini, with Anthropic Claude as a fallback) to produce these outputs.
We use paid-tier API access on both providers. Both providers contractually agree not to use your data to train their models. Your data is processed for the specific request and not retained by the providers beyond the API call.
We do not send personally identifiable information about your customers or team members to AI providers. Customer names appear in the My Advisor responses you see, but the prompts sent to AI providers use anonymized identifiers where possible.
You can disable AI-driven features per company in settings. Most automation (transaction classification fallback rules, recurring invoicing, dunning, anomaly detection) runs without AI.
For complete technical detail, read the legal security documentation →
Compliance
Compliance and certifications
We are direct about what we have today and what we are working toward.
GDPR
Compliant. Data subject rights honored, including export and deletion. Data Processing Agreement available on request.
CCPA
Compliant. California consumer rights honored.
PCI DSS
Card data handled exclusively by Stripe (PCI Level 1 service provider). Incremenza does not store card numbers.
SOC 2 Type II
Planned. Audit preparation in progress. Status updated here as the audit completes.
ISO 27001
Planned for future. Not currently in scope.
HIPAA
Not currently certified. Incremenza is not a HIPAA-covered entity. Healthcare businesses with PHI requirements should consult with us before connecting protected data.
Data Retention
What happens to your data when you leave
While your account is active, your data is retained continuously.
When you cancel, your data remains accessible for 90 days. You can reactivate within that window with all your data intact.
After 90 days, your personal and financial data is permanently deleted from our active systems. Backup data may persist up to 90 additional days before being purged from backup storage.
Some information may be retained longer if required by law (such as tax records, kept for 7 years).
Aggregated, anonymized usage data may be retained indefinitely for product improvement, but cannot be linked back to your specific account.
Common Questions
Security questions, answered
Incremenza is hosted on DigitalOcean (San Francisco data center) via Laravel Forge. The database is MySQL with encryption at rest. All connections use TLS 1.2 or above. We do not store your data outside the United States.
A small number of operations and engineering staff have privileged access for support and infrastructure work. All access is audit-logged. Staff access is role-based — most employees cannot see customer data at all. We follow least-privilege principles: access is granted only when necessary for a specific task.
We have a documented incident response procedure that includes detection, containment, investigation, communication, and post-incident review. Affected customers are notified within 72 hours of confirmed incidents involving their data, in line with GDPR requirements.
The legal security page contains the complete technical specifications — encryption algorithms, infrastructure details, monitoring procedures, and our full compliance posture. For specific questions not covered there, contact the security team.
🔒 Bank-level encryption · Read-only access · OAuth — we never see your passwords · We never sell your data
Security
Questions about how we protect your data?
Take the free assessment to see what Incremenza will surface, or contact our security team for detailed answers about your specific compliance requirements.