Security and Data Integrity
For a platform handling financial data, security is not a feature — it is a prerequisite. CryptaCount implements security across three domains: data integrity (ensuring accounting records are trustworthy), access control (ensuring only authorized users see and modify data), and operational security (ensuring the platform itself is resilient and compliant).
Data Integrity
Tamper-Evident Ledger
Every journal entry created by the accounting engine is cryptographically hashed. Each hash incorporates the entry’s content and the hash of the preceding entry, forming a chain. This provides tamper evidence: if any historical journal entry is modified, the chain breaks from that point forward, making unauthorized changes immediately detectable.
This mechanism does not prevent modification — it makes modification visible. This is the appropriate guarantee for accounting records, where corrections are sometimes necessary but must always be transparent and traceable.
Double-Entry Enforcement
The platform enforces double-entry accounting as an invariant. Every journal entry must balance — total debits must equal total credits. Entries that fail this validation are rejected before they are persisted. This eliminates the category of errors where one-sided adjustments create unexplained balance discrepancies.
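The hash chain and the balance check described in the two sections above can be sketched together as follows. This is an added example, not CryptaCount's code: SHA-256, the canonical JSON encoding, the all-zero genesis value, and every field and function name are assumptions.

```python
import hashlib
import json
from decimal import Decimal

GENESIS = "0" * 64  # assumed "previous hash" for the first entry

def entry_hash(content: dict, prev_hash: str) -> str:
    """SHA-256 over the previous hash plus a canonical JSON form of the entry."""
    canonical = json.dumps(content, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(f"{prev_hash}\n{canonical}".encode()).hexdigest()

def is_balanced(content: dict) -> bool:
    """Double-entry invariant: total debits equal total credits."""
    totals = {"debit": Decimal(0), "credit": Decimal(0)}
    for line in content["lines"]:
        totals[line["side"]] += Decimal(line["amount"])
    return totals["debit"] == totals["credit"]

def head_hash(ledger: list) -> str:
    """Hash of the newest entry; store a copy outside the ledger database."""
    return ledger[-1]["hash"] if ledger else GENESIS

def append_entry(ledger: list, content: dict) -> dict:
    """Reject an unbalanced entry before it is stored; otherwise chain it."""
    if not is_balanced(content):
        raise ValueError("unbalanced journal entry rejected")
    prev_hash = head_hash(ledger)
    ledger.append({"content": content, "prev_hash": prev_hash,
                   "hash": entry_hash(content, prev_hash)})
    return ledger[-1]

def first_broken_index(ledger: list):
    """Index of the first entry whose hash or back-link fails, else None."""
    prev_hash = GENESIS
    for i, rec in enumerate(ledger):
        expected = entry_hash(rec["content"], prev_hash)
        if rec["prev_hash"] != prev_hash or rec["hash"] != expected:
            return i
        prev_hash = rec["hash"]
    return None

def sample_ledger() -> list:
    """Constructed sample data: three balanced journal entries."""
    ledger = []
    for n, amount in enumerate(["100.00", "250.50", "75.25"], start=1):
        append_entry(ledger, {"id": n, "lines": [
            {"account": "Crypto Assets", "side": "debit", "amount": amount},
            {"account": "Cash", "side": "credit", "amount": amount}]})
    return ledger
```

`first_broken_index` proves only that the chain is internally consistent, so an auditor should also compare `head_hash` against a copy kept where writers to the ledger store cannot change it.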
On-Chain Reconciliation
Computed balances (derived from processing all ingested transactions) are reconciled against actual on-chain balances. For each wallet and asset, the platform compares what the transaction history says the balance should be against what the blockchain reports it actually is.
Discrepancies indicate missing transactions, synchronization gaps, or classification errors. This independent reconciliation has been validated against block explorers for multiple chains with exact matching, establishing that the data pipeline produces complete and accurate records.
Access Control
Role-Based Permissions
The platform’s four-tier role system (Platform Role, Account Type, Workspace Role, Company Role) ensures that every action is authorized across all applicable permission dimensions before it is executed.
This prevents both horizontal privilege escalation (accessing another user’s data) and vertical privilege escalation (performing administrative actions without appropriate authorization). Permission checks are enforced consistently across all platform interactions, regardless of access method.
Administrative Segregation
Administrative functions (user management, system monitoring, data management) are fully segregated from standard accounting operations. Users without administrative privileges cannot access administrative functions through any means. This separation reduces the surface area for accidental or unauthorized administrative actions.
Authentication and Session Security
Bot and Abuse Prevention
All authentication flows are protected by invisible risk-scoring that evaluates each request’s likelihood of being automated. Requests that score below the confidence threshold are blocked, protecting against credential stuffing, brute force attacks, and automated account creation.
Session Management
User sessions employ industry-standard protections:
- Encrypted, tamper-resistant session tokens — Session credentials cannot be intercepted or modified in transit
- CSRF protection — Cross-site request forgery attacks are mitigated
- Automatic session expiry — Inactive sessions are terminated after a defined period
- Concurrent session controls — Limits on simultaneous active sessions per account
Privacy and GDPR Compliance
Cookie Consent
The platform implements a two-layer GDPR-compliant cookie consent mechanism. The first layer presents a clear consent banner; the second layer provides granular control over cookie categories. No tracking technologies are activated before explicit consent is granted.
Data Handling Principles
- Lawful basis — Core accounting functions operate under contractual necessity (GDPR Article 6(1)(b)). Analytics operate only under explicit consent (Article 6(1)(a)).
- Data subject rights — Users can exercise access, rectification, erasure, and portability rights through their account settings and through a dedicated opt-out page for non-authenticated requests.
- Blockchain data — Publicly available blockchain data is processed under the legitimate interest of providing the accounting service.
Operational Security
Data Encryption
All data is encrypted in transit and at rest. Customer data at rest is protected using industry-standard encryption. Network communications between all platform components use TLS encryption.
Data Residency
All customer data is hosted within EU data centers, ensuring compliance with GDPR data transfer requirements and providing data sovereignty assurance for EU customers.
Automated Backups
Database backups are performed automatically on a continuous schedule. Backups are encrypted and stored in geographically separate locations from primary data to ensure recoverability in disaster scenarios.
Secrets Management
All platform credentials and sensitive configuration are stored in dedicated, access-controlled secrets infrastructure — never in source code, configuration files, or application logs.
Deployment Integrity
All platform updates are deployed through an automated, auditable pipeline. Every deployment is traceable to a specific, reviewed change. No manual server access is required or permitted for production deployments.
SOC 2 Readiness
The platform’s security controls — access management, encryption, audit logging, change management, and data handling — are designed to align with SOC 2 Type II trust service criteria (Security, Availability, Confidentiality, Processing Integrity, Privacy). Formal certification is on the compliance roadmap.
Audit Trail
Every significant action on the platform is logged in an immutable audit trail:
- Transaction classification changes
- Cost basis method modifications
- Journal entry creation and any corrections
- User access grants and revocations
- Data export events
- Workspace and company configuration changes
This audit trail provides the evidentiary foundation that auditors require to assess the integrity and consistency of accounting records produced by the platform.