Security & Privacy
Security & Privacy
Section titled “Security & Privacy”Authentication
Section titled “Authentication”Passwordless login
Section titled “Passwordless login”CryptaCount uses a passwordless authentication model:
Primary method — Provider sign-in with 5 providers:
- Google, Microsoft, Xero, Intuit (QuickBooks), Zoho
Secondary method — Email one-time passcode:
- Request a 6-digit code sent to your email
- Enter the code to authenticate
- Works for both login and registration
There are no passwords to remember, reset, or have stolen.
Optional two-factor authentication
Section titled “Optional two-factor authentication”Two-factor authentication is available as an optional add-on for users who want extra security:
- Enable at Settings → Security
- Compatible with any authenticator app (Google Authenticator, Authy, 1Password, etc.)
- Backup codes provided during setup for account recovery
- Can be enabled, disabled, or reset from the security settings
Session management
Section titled “Session management”- Your session stays active so you don’t need to sign in repeatedly. Checking “Remember me” extends the session duration.
- View all active sessions at Settings → Security
- Revoke individual sessions, revoke all other sessions, or revoke everything
Bot protection
Section titled “Bot protection”- Login and registration are protected by invisible bot detection to prevent automated attacks
- Verification runs silently in the background — no puzzle-solving required
- If you’re unexpectedly blocked, try clearing browser cookies, disabling interfering extensions, or using a different browser
Rate limiting
Section titled “Rate limiting”Authentication and data requests are rate-limited per IP and per email to prevent brute-force attacks and abuse. Authentication-related actions have stricter limits than data actions.
Data integrity — journal hash chain
Section titled “Data integrity — journal hash chain”Each journal entry is cryptographically hashed in a chain. The hash includes the entry’s content and the previous entry’s hash, forming a sequential chain. If any entry is modified, all subsequent hashes become invalid, making tampering immediately detectable.
This provides audit evidence that the accounting ledger has not been retroactively altered — a fundamental requirement for financial audits. The hash chain can be verified through the Ledger Integrity reconciliation check.
CEX API key encryption
Section titled “CEX API key encryption”Centralized exchange API keys are stored encrypted at rest:
- Keys are encrypted before storage
- CryptaCount never needs write access to exchange accounts — only read permissions
- You can verify key status from your CEX connection settings
Audit trail
Section titled “Audit trail”CryptaCount maintains a comprehensive audit trail:
- All user actions are logged with timestamps, user identity, and workspace context
- View your personal activity at Settings → Activity Log
- Security-specific events (failed logins, permission changes) are tracked separately
Access control
Section titled “Access control”CryptaCount enforces a role-based access control system:
| Level | Roles | Scope |
|---|---|---|
| Company | Owner, Manager, Member, Viewer | Company-level access |
| Workspace | Owner, Manager, Member, Viewer | Workspace-level access |
| Permissions | 42 granular permissions | Per-resource actions (view, create, edit, delete, sync, post, etc.) |
Role checks are enforced on every action, not just in the interface.
Does CryptaCount access my wallets or exchange accounts?
Section titled “Does CryptaCount access my wallets or exchange accounts?”Blockchain wallets: CryptaCount reads publicly available on-chain data for wallet addresses you provide. It never has access to private keys, seed phrases, or the ability to send transactions.
Exchange connections: API keys require only read permissions. CryptaCount never needs write access. Keys are stored encrypted (see above).
Is CryptaCount GDPR compliant?
Section titled “Is CryptaCount GDPR compliant?”Yes. The platform implements:
- Two-layer cookie consent with Google Consent Mode v2
- Data processing basis: Contractual necessity for accounting; consent for analytics
- Data subject rights: Access, rectification, erasure, and portability via account settings
- Privacy Policy and Terms of Service: Geo-split for EU and Rest of World
Can I delete my data?
Section titled “Can I delete my data?”Yes:
- Delete a workspace — removes all data within it (transactions, journals, reports, configuration). Requires Owner role. Irreversible.
- Remove a wallet — removes the wallet and all associated transaction data. Irreversible.
- Delete your account — removes your user account and all associated data.
- GDPR erasure — formal data erasure request via account settings or support.
What happens to my data if I cancel?
Section titled “What happens to my data if I cancel?”After cancellation, your workspace enters read-only mode for 90 days. You can still view and export everything. After 90 days, data is scheduled for deletion. Reactivate during the retention period to restore full access.