Encryption in transit

All connections use TLS 1.2 or higher, covering the web app, mobile apps, APIs, QuickBooks integration, and bank connectivity through Plaid. Insecure HTTP is rejected at the network edge.
‍

Encryption at rest (AES-256)

Customer data is encrypted at rest using AES-256 across primary databases, document and receipt storage, and automated backups. Encryption keys are managed and rotated on a defined schedule.
‍

Hosting on Amazon Web Services

Production infrastructure runs on AWS in Canada and the United States. Single-tenant architecture ensures each customer's data is logically isolated from all others.
‍

Multi-availability zone redundancy

Redundancy is maintained across multiple availability zones to ensure service continuity in the event of a hardware or zone failure.
‍

Daily backups and recovery

Encrypted backups run daily and are restorable to a point in time. Backup archives persist for up to 30 days after deletion from primary systems. Recovery procedures are tested as part of regular operational readiness.
‍

Continuous monitoring and alerting

Continuous monitoring, logging, and alerting for security events is maintained across infrastructure and application layers.
‍

Periodic security reviews

Periodic security assessments and reviews of systems, codebase, and operational practices are conducted on a regular basis.

Authentication via Auth0

User identity is managed by Auth0. Passwords are never stored, logged, or visible to LayerNext at any point.
‍

OAuth 2.0 for third-party integrations

QuickBooks access is authorized via OAuth 2.0. LayerNext does not store QuickBooks usernames or passwords. You may revoke access at any time through QuickBooks settings.
‍

Multi-factor authentication

MFA is available to every customer regardless of plan. MFA is required for all LayerNext internal systems and personnel.
‍

Role-based access controls

Role-based access controls are enforced for all internal system access across all personnel and service accounts.
‍

Least-privilege access

Engineering access to production systems follows the principle of least privilege. Routine access to customer data is not granted.
‍

Tenant isolation

Single-tenant AWS architecture ensures each customer's data is logically isolated. Cross-tenant requests are rejected at the data layer and recorded as exceptions.
‍

Access log management

All production access for incident response or support is recorded and reviewed. Detailed logs of activities on company resources are maintained and reviewed to identify irregularities.

Data minimization

LayerNext collects only what is needed to provide the subscribed service: bookkeeping automation, bank reconciliation, and financial reporting. Data is not requested or retained beyond that scope.
‍

Retention policy

Account and profile data is retained up to 12 months after account termination. Financial and transaction data is deleted or anonymized within 90 days of termination. Backup archives may persist for up to 30 additional days.
‍

Data erasure

Upon account closure, customer data is removed according to a documented deletion process. Longer retention may apply where required by tax, accounting, or legal obligations.
‍

Data portability and export

Customer data can be exported at any time through the Service export features or by contacting support@layernext.ai. Following termination, data is available for export for 30 days before deletion.
‍

No sale of personal data

LayerNext does not sell personal information or financial data to third parties.
‍

Separate production environment

Production and development environments are maintained separately to ensure stability and prevent unauthorized access to live customer data.

No sale of personal data

LayerNext does not sell personal information or financial data to third parties under any circumstances.
‍

No advertising tracking

LayerNext does not use third-party advertising cookies and does not allow advertisers to serve targeted ads based on browsing behavior on our platform.
‍

Cookie policy

LayerNext uses only strictly necessary, analytics, and preference cookies. No third-party advertising cookies are used or permitted.
‍

Privacy rights and requests

Customers may request access to, correction of, deletion of, or export of their personal information. Requests are responded to within 30 days (45 days for California residents under CCPA/CPRA).
‍

CCPA / CPRA (California)

California residents have the right to know, correct, delete, and opt out of the sale or sharing of personal information. LayerNext does not discriminate against customers exercising their CCPA/CPRA rights.
‍

PIPEDA (Canada)

Canadian residents have the right to access, correct, and challenge the accuracy of personal information held by LayerNext under PIPEDA.
‍

Data breach notifications

Affected customers are notified directly and promptly in the event of a confirmed security incident affecting personal data, with known scope, data categories involved, and immediate guidance.

‍

Documented incident response plan

A documented incident response plan covers detection, containment, customer notification, and post-incident review for all potential security incidents.
‍

Continuous monitoring and alerting

Continuous monitoring, logging, and alerting for security events is maintained across all infrastructure and application layers.
‍

Customer notification

Affected customers are notified directly and promptly following a confirmed security incident. Notification includes the known scope, data categories involved, and immediate guidance.
‍

Post-incident review

After remediation, a written summary covering root cause, timeline, customer impact, and corrective actions taken is provided to affected customers.
‍

Vulnerability disclosure process

Security findings reported to security@layernext.ai are acknowledged within 2 business days with a status update within 10. LayerNext does not pursue legal action against good-faith reporters.
‍

Periodic security reviews

Periodic security assessments and reviews of systems, codebase, and operational practices are conducted to proactively identify and address risks.

No AI model training on customer data

LayerNext does not train AI models. Third-party AI services used by LayerNext are configured to not retain or train on customer data. Customer financial data is never used to train any AI model, ours or any third party's.
‍

Scoped AI processing

AI services operate on customer data only to process specific requests such as transaction categorization, reconciliation, and financial insights. Data transmitted to third-party AI services is not stored beyond the duration needed to generate a response.
‍

Third-party AI diligence

All third-party AI providers used by LayerNext are contractually configured to not retain or train on customer data. Customer outputs are returned only to the authorized customer.
‍

Anonymized usage for product improvement only

LayerNext may use anonymized, aggregated, and de-identified usage patterns to improve product features and reliability. This data cannot identify any customer or their business.

‍