Security & Compliance
We do not store your QuickBooks credentials. We use OAuth tokens and industry-standard encryption to protect access. You can disconnect instantly from the Integrations page.
OAuth 2.0 Authentication
QuickFind AI connects to QuickBooks exclusively through Intuit's official OAuth 2.0 authorization framework. This means we never see, handle, receive, or store your QuickBooks username or password at any point during the connection process. Authentication is handled entirely by Intuit's secure authorization servers — users are redirected to Intuit's domain to sign in, and we receive only a time-limited authorization code that is exchanged for access tokens.
The OAuth 2.0 protocol is the industry standard for delegated authorization. It is the same mechanism used by major platforms including Google, Microsoft, and Salesforce. By relying on Intuit's identity infrastructure, we ensure that your credentials remain under Intuit's control and protection at all times.
No Credential Storage
QuickFind AI does not store any user credentials — not passwords, not security questions, not multi-factor tokens. The only authentication artifacts we maintain are OAuth access tokens and refresh tokens, which are issued by Intuit and grant limited, scoped access to QuickBooks data. These tokens are encrypted at the application layer before being written to our database, using a server-side encryption key that is never exposed in application code, logs, or client-side environments.
If a token is compromised, it can be revoked immediately by the user or by our system, rendering it useless. Tokens have a limited lifespan and must be refreshed periodically, providing an additional layer of protection.
Encryption
We implement multiple layers of encryption to protect data at every stage:
- In transit: All communications between your browser, our servers, and the Intuit API use TLS 1.2 or higher. This ensures that data cannot be intercepted or tampered with during transmission.
- At rest (application layer): OAuth tokens are encrypted using AES-256-GCM (Advanced Encryption Standard with Galois/Counter Mode) before being stored in the database. This authenticated encryption mode provides both confidentiality and integrity verification.
- At rest (infrastructure): Our database infrastructure provider enables encryption at rest by default, providing an additional layer of protection for all stored data.
- Key management: Encryption keys are stored as environment-level secrets, separate from application code and database storage. Keys are never committed to version control or exposed in logs.
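The application-layer token encryption described above can be sketched as follows. This is an added example, not QuickFind AI's code; the `TOKEN_ENC_KEY` variable name, the `recordId` binding and the `v1` storage format are assumptions made for illustration.

```javascript
const crypto = require('node:crypto');

// Assumption: the 32-byte key arrives base64-encoded in an environment
// secret named TOKEN_ENC_KEY. A random key is generated here only so the
// example runs offline.
const KEY = process.env.TOKEN_ENC_KEY
  ? Buffer.from(process.env.TOKEN_ENC_KEY, 'base64')
  : crypto.randomBytes(32);
if (KEY.length !== 32) throw new Error('AES-256 needs a 32-byte key');

const VERSION = 'v1'; // lets a stored row name the format/key it was sealed with
const aad = (recordId) => Buffer.from(`${VERSION}:${recordId}`, 'utf8');

// recordId (hypothetical: the id of the connection row) is bound as
// associated data, so a ciphertext copied into another row fails to open.
function sealToken(token, recordId) {
  const iv = crypto.randomBytes(12); // 96-bit nonce, fresh for every encryption
  const cipher = crypto.createCipheriv('aes-256-gcm', KEY, iv);
  cipher.setAAD(aad(recordId));
  const ct = Buffer.concat([cipher.update(token, 'utf8'), cipher.final()]);
  const tag = cipher.getAuthTag(); // 16-byte authentication tag
  const enc = [iv, ct, tag].map((b) => b.toString('base64url'));
  return [VERSION, ...enc].join('.');
}

function openToken(sealed, recordId) {
  const parts = sealed.split('.');
  if (parts.length !== 4 || parts[0] !== VERSION) throw new Error('bad format');
  const [iv, ct, tag] = parts.slice(1).map((p) => Buffer.from(p, 'base64url'));
  if (iv.length !== 12 || tag.length !== 16) throw new Error('bad format');
  const decipher = crypto.createDecipheriv('aes-256-gcm', KEY, iv);
  decipher.setAAD(aad(recordId));
  decipher.setAuthTag(tag);
  // final() throws if the ciphertext, tag or associated data was altered
  return Buffer.concat([decipher.update(ct), decipher.final()]).toString('utf8');
}

// Constructed sample value, not a real token.
const SAMPLE_TOKEN = 'example-refresh-token-0001';
const sealedSample = sealToken(SAMPLE_TOKEN, 'conn-42');
console.log(sealedSample);
console.log(openToken(sealedSample, 'conn-42') === SAMPLE_TOKEN);
```

Because the nonce is random per call, sealing the same token twice yields different stored values, and a failed `openToken` should be treated as tampering or a key mismatch rather than retried.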
Principle of Least Privilege
We request only the minimum OAuth scopes necessary to perform data analysis. Our application requests a single scope:
This scope provides read access to accounting data necessary for analysis. We do not request write access to your QuickBooks data. Our integration is strictly read-only for analysis purposes. We do not request access to payroll, payments, or banking scopes. This minimizes the potential impact in any security scenario and ensures that QuickFind AI cannot modify your financial records.
Data Retention & Deletion
Our data retention practices are designed to minimize risk and give you full control:
- Analysis data (reports, insights, generated documentation) is retained for a default period of 30 days from generation, after which it is automatically and permanently deleted.
- OAuth tokens are retained only while your account is connected. Upon disconnection, tokens are immediately revoked with Intuit and permanently deleted from our database.
- You may request earlier deletion of any or all of your data at any time by emailing admin@quickfindai.com.
- Enterprise customers may configure custom retention periods to meet their specific compliance requirements.
- We do not retain backup copies of deleted data beyond standard database backup retention windows (typically 7 days), after which all copies are purged.
Customer-Controlled Access
You are always in control of your data and your connection to QuickFind AI:
- You can disconnect and revoke access at any time from the Integrations page.
- Disconnection immediately revokes the OAuth token with Intuit's servers, meaning QuickFind AI can no longer access your data — even if our systems attempted to (they won't).
- After disconnection, all stored tokens are permanently deleted from our database.
- No further data access, analysis, or processing is possible after disconnection.
- You may also revoke access directly from your Intuit account settings, independent of our application.
Data We Access
When connected, QuickFind AI accesses the following QuickBooks data categories for analysis purposes only:
- Chart of Accounts (account names, types, hierarchy, numbering)
- Customer records (names, contact information, categorization)
- Vendor records (names, contact information, categorization)
- Products and Services (items, descriptions, pricing structure)
- Classes and Locations (organizational dimensions)
- Tax Codes (tax configuration and rate metadata)
- Transaction metadata (transaction types, dates, amounts, reference numbers — not payment credentials)
We explicitly do NOT access:
- Bank account credentials or routing numbers
- Credit card or payment processing information
- Payroll data, Social Security numbers, or employee tax information
- Bank feeds or direct bank connections
- User login credentials for QuickBooks
No Sale of Data
QuickFind AI does not sell, rent, trade, share, or otherwise monetize your QuickBooks data. Your financial data is used solely to provide analysis, insights, and reports for your direct benefit. We do not use your data for advertising, marketing profiling, training machine learning models on identifiable business data, or any purpose unrelated to the Service.
The only third parties that may process your data are essential infrastructure providers (cloud hosting, database services) operating under strict data processing agreements with appropriate security controls and contractual obligations.
Access Controls & Session Management
- Authentication: Access is limited to authorized, authenticated users only.
- Session management: Sessions use secure, httpOnly cookies that cannot be accessed by client-side JavaScript, reducing XSS risk.
- CSRF protection: All state-changing operations (disconnect, data deletion) are protected against cross-site request forgery attacks.
- Rate limiting: Authentication and API endpoints are rate-limited to prevent brute-force and abuse attempts.
- SameSite cookies: Session cookies use the SameSite attribute to prevent cross-origin request attacks.
Logging, Monitoring & Incident Response
Application logs are scrubbed to ensure they never contain OAuth tokens, financial data, personally identifiable information, or encryption keys. We implement automated log scrubbing using pattern-based redaction to prevent accidental exposure of sensitive data.
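Pattern-based log redaction of the kind described above can look like this. It is an added example, not QuickFind AI's code; the patterns, the field names and the `makeLogger` helper are illustrative assumptions, and the sample lines are constructed.

```javascript
// Each rule is [pattern, replacement]. Rules prefer over-matching to leaking.
const RULES = [
  // Authorization headers: keep the scheme, drop the credential
  [/\b(Bearer)\s+[A-Za-z0-9._~+\/=-]{16,}/gi, '$1 [REDACTED]'],
  // key=value and "key":"value" pairs in query strings, form bodies and JSON
  [/("?\b(?:access_token|refresh_token|id_token|client_secret|code|encryption_key)"?\s*[=:]\s*"?)[^"&\s,}]+/gi,
    '$1[REDACTED]'],
  // Anything shaped like a JWT (three base64url segments starting "eyJ")
  [/\beyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+/g, '[REDACTED_JWT]'],
  // Email addresses, as one kind of PII
  [/\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b/g, '[REDACTED_EMAIL]'],
];

function scrub(line) {
  return RULES.reduce((out, [re, repl]) => out.replace(re, repl), String(line));
}

// Scrub at the sink so that no call site can bypass redaction. `write` is
// any function that persists one line (hypothetical; defaults to stdout).
function makeLogger(write = (l) => process.stdout.write(l + '\n')) {
  return (msg, fields = {}) => {
    const line = scrub(`${msg} ${JSON.stringify(fields)}`);
    write(line);
    return line;
  };
}

// Constructed sample lines; none of the values are real.
const SAMPLES = [
  'POST /token 200 Authorization: Bearer eyJhbGciOiJub25lIn0.eyJzdWIiOiIxIn0.c2ln',
  'GET /callback?code=AB11xyz&state=s1',
  'deletion request from owner@example.com',
  'GET /reports/17 200 status_code=200 12ms',
];
SAMPLES.forEach((l) => console.log(scrub(l)));
```

Redaction rules like these are a backstop; a unit test that feeds known-secret shapes through `scrub` catches a rule that stops matching after a log format change.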
In the event of a security incident, we will notify affected users within 72 hours, provide a clear description of the incident and its potential impact, and take immediate remediation steps including token revocation and credential rotation where applicable.
Infrastructure & Hosting
QuickFind AI is hosted on enterprise-grade cloud infrastructure with SOC 2 Type II certification. Our hosting provider maintains physical security, network isolation, and automated patching. All production environments are isolated from development and staging environments.
Questions about security?
If you have questions about our security practices, need additional information for your compliance review, or want to report a vulnerability, please contact us.