We take security seriously and are loud and proud about practices. It is important to us that our customers, accountants and their clients, know they can trust that the Common Ledger system is safe and secure.
Rest assured, we build all aspects with security front of mind.
Some simple steps you can take to stay protected
We work hard to keep Common Ledger secure. Here are some simple steps you can take to stay protected:
create a password that doesn’t include dictionary words, or anything related to your birthday or personal information (guide to better password practices)
we require your password to incorporate an uppercase, lowercase and number.
don’t share your password or write it down
make sure you only login at login.commonledger.com/sign-in
keep your browser software up to date.
What security milestones does Common Ledger currently hold?
We have worked hard for the following security achievements:
‘low to no risk’ global security assessment response with the New Zealand offices of a Big Four global accounting firm assessment.
Where does Common Ledger run?
Common Ledger runs as a web application using third-party cloud platforms. Our systems are built using Amazon Web Services hosted on servers in Australia.
All of the data exchanged in Common Ledger is sent over secure (TLS) connections. Our public web application runs only on HTTPS with HTTP redirected to HTTPS, and our internal network links (between service tiers, databases, and caches) are each encrypted.
Common Ledger connects to other web and desktop applications to manage data to and from those these while also maintaining authenticated logins initiated by Common Ledger users to access this data. Those connections are also always performed over HTTPS, and the remote server certificates are always verified.
What sensitive data does Common Ledger store?
In order to provide automatic login, Common Ledger must store some of your sensitive information on our servers. For user management, we store your password after it has been salted, then hashed, or an OAuth credential. We will always use an OAuth credential or API key if possible. We only store passwords if absolutely necessary for a service integration.
How is my data stored?
All of your sensitive data is stored in a Common Ledger initiated encrypted format using our own generated keys and not those of our infrastructure provider. We use open-source cryptographic libraries and standard algorithms (AES-256 for symmetric operations and RSA 2048 bit for asymmetric operations). We never write our own cryptographic code or modify existing libraries.
The data we store is also regularly backed up via our infrastructure providers. The backups are kept in the same format as the original data and requires access to our master keys to decrypt.
Can I get my data out of Common Ledger?
Common Ledger journal and account data can be pulled out of the system through the available tools. Use the connectivity page to download client data as a comma-separated values (CSV) file, a common text format supported by many tools or another accounting product file format you require.
Common Ledger account mapping data is available via a download link on the mapping page as a comma-separated values (CSV) file.
At any time you can contact to request that your account be deleted. Once we have confirmed your identity, we will immediately remove all of your data from our system. Encrypted backups of your financial data are retained for 10 years as is required by taxation legislation. These backups are used only for disaster recovery purposes, if required by legislation or by you.
Is my data available to Common Ledger employees?
Common Ledger works off of a privileged user policy which ensures, by default, our developers and employees staff are not permitted to access user accounts or client data without an invitation from the client. We operate from a “least privilege” model.
A limited set of Common Ledger employees have access to the master encryption keys. Third-parties or contractors will never gain access to Common Ledger’s secure hosts or master keys, or your data. All internal access to all of Common Ledger’s systems is logged and audited.
What data does Common Ledger log?
Like other web applications, Common Ledger creates and collects application logs that track what our servers are doing on each request. These logs are used to find and fix bugs in Common Ledger and to help us monitor the performance and uptime of the application. Depending on the type of error and to maintain the ability to diagnose a problem, the logs may contain sensitive information. We store this data in an encrypted format and logs are retained for two weeks before they are automatically deleted.
In addition to these application logs, Common Ledger also creates structured logs that keep track of the user and the accounting software they connect to. We also track new user creation and user disable / delete operations. We collect this data in order to provide our customers with an audit trail. We use this log data in aggregate form to better understand our customers and make decisions about the future development of Common Ledger.
How does Common Ledger protect my data?
Common Ledger uses modern web frameworks and follows those frameworks’ best practices for securing access. We monitor for bugs and security patches in all the systems we use and apply updates religiously.
What should I do if I find a security problem with Common Ledger?
We want to hear from you! We are grateful for security researchers who practice responsible disclosure. Please visit our HackerOne page for guidelines on submitting information, and either submit through there or contact us at with the details of the problem you’ve found. We will get back to you as a first priority. We promise not to seek legal action against those who fully disclose security issues to Common Ledger and do not maliciously exploit those vulnerabilities.