A concrete breakdown of the controls we run across every engagement, plus the specific compliance regimes (§7216, HIPAA, SOC 2, DPDP Act) we support. If your security review team has a questionnaire, most of the answers are on this page.
Core controls
Every offshore accountant signs an individual NDA covering confidentiality, IP assignment, and post-engagement data return, layered on top of the corporate agreement between our company and your firm.
All client work happens on controlled virtual desktops with no local storage. The session blocks file download, USB, screenshot and outbound email, so accountants can view data on screen but cannot take it out. The one residual risk a virtual desktop cannot remove, photographing the screen, is covered by the people controls on this page: background checks and individually signed NDAs.
Accountants log into your accounting software under named, individually provisioned users, never shared logins, so the software's own audit trail shows exactly who did what and when.
When an engagement ends or a specific person rolls off, their access is revoked within 24 hours; no permissions linger. Because accounts are named rather than shared, offboarding one person never requires rotating a credential that other people are still using.
Multi-factor authentication is required on every software login, corporate account, and virtual desktop session. No exceptions.
All file transfer happens through encrypted channels (SFTP, your software's native file handling, Suralink, ShareFile). No email attachments, no public links.
Compliance regimes
Under Internal Revenue Code §7216 and Treasury Regulation §301.7216-3, a US tax return preparer cannot disclose tax return information to a preparer located outside the United States without the taxpayer's specific, prior written consent. The consent format is prescribed by Rev. Proc. 2013-14: 12-point type, mandatory paragraph language (including a statement that the recipient is located outside the United States), and the taxpayer's signature and date. Consent must be in hand before the first disclosure. Separately, §301.7216-3(b)(4) restricts sending a taxpayer's Social Security number to a preparer outside the United States, so SSN masking in the offshore workflow needs to be checked as well, not just the consent form.
For every firm we support on tax preparation, we provide: (1) compliant consent template language to add to engagement letters, (2) guidance on obtaining consent before any tax data is shared with offshore preparers, (3) documentation support for firms that want to log consent collection as part of their engagement process. Violations carry criminal exposure under §7216 (a misdemeanor: a fine of up to $1,000 and up to one year in prison per violation, plus costs of prosecution) and civil penalties under §6713 ($250 per unauthorized disclosure or use, capped at $10,000 per calendar year). This is not a compliance area to skip.
The AICPA Code of Professional Conduct (interpretation 1.150.040, Use of a Third-Party Service Provider) requires a member to inform the client, preferably in writing, before confidential client information is shared with a third-party service provider. This is an ethical rule, not a statute, but state boards of accountancy can discipline firms that skip it. Most firms we work with put the disclosure in their engagement letters; we provide sample language.
For healthcare clients with PHI exposure (and for accounting firms serving healthcare clients), we sign Business Associate Agreements, implement required technical safeguards, and maintain audit logs meeting the HIPAA Security Rule. Enhanced controls for HIPAA engagements add about 10–20% to base rates.
For SaaS and enterprise clients whose own SOC 2 audit flows down to service providers, we support the Security (Common Criteria) and Availability categories of the Trust Services Criteria. We can provide evidence packages on request covering access control, change management, incident response, and vendor management. We do not currently hold a SOC 2 Type II report ourselves (see the FAQ), so if your auditor requires a report rather than evidence, raise that early.
India's Digital Personal Data Protection Act, 2023 sets out obligations for entities processing personal data in India that broadly parallel GDPR: lawful processing, consent, breach notification, and data principal rights. Our India operations comply with those requirements.
The Philippines' Data Privacy Act of 2012 (Republic Act 10173) governs data privacy there and has a similar structure: notification, consent, lawful basis for processing, breach reporting, and data subject rights. Our Philippines operations comply with it.
Common vendor security review questions and where we stand:
| Question | Status |
|---|---|
| Background checks on accountants | Yes, at hire and annually |
| NDAs on each accountant | Yes, individually signed |
| MFA on all access | Yes, mandatory |
| Local data storage on accountant devices | Disabled via virtual desktops |
| Geographic data residency | India + Philippines; US routing available |
| Incident response plan | Yes, documented |
| Breach notification commitment | Within 72 hours |
| Data return at engagement end | Within 5 business days |
| Access logs available on request | Yes, monthly export |
| Cyber insurance in place | Yes, $3M policy |
For the broader offshore accounting context or to see how security fits into a specific service, see our tax preparation page (where §7216 comes up most) or audit support page.
FAQ
Where is client data stored?
Client data stays in your accounting software and your cloud storage. We don't store client data on our systems. Offshore accountants access your systems through controlled virtual desktops; the data they see stays in your system.
Can accountants download or copy client data?
No. Virtual desktops prevent local download. Accountants can see data on screen but cannot save files locally, copy to USB, or email attachments out. Screen recording is disabled except with client consent.
What happens if there is a breach?
72-hour breach notification commitment. Our incident response plan covers client notification, forensic investigation, regulatory notification where required, and remediation. $3M cyber insurance is in place.
Will you complete our vendor security questionnaire?
Yes, we complete dozens of vendor security reviews per quarter. SIG Lite, CAIQ, and custom questionnaires are all standard. Typical turnaround: 3–5 business days.
Do you handle protected health information (PHI)?
Yes, for engagements structured to handle PHI. Additional controls apply, including enhanced logging, role-limited access, and annual HIPAA compliance training for involved staff.
Are you SOC 2 certified?
We support SOC 2 clients' own audits with evidence packages, but we do not currently hold a SOC 2 Type II report ourselves (SOC 2 is an attestation report issued by a CPA auditor, not a certification); we are in the process of formalizing this. If a SOC 2 report is a hard requirement, we'll let you know on the call.
Questions we haven't answered? Book the call and we'll send our security documentation package before your review meeting.