Services
Bookkeeping & reconciliationTax return preparationPayroll processingFinancial reportingAudit supportVirtual CFO support
For CPA Firms
Why outsource to usDedicated offshore accountantTax season capacityData securityHow onboarding works
Industries
Real estate & propertyE-commerce & retailHealthcareConstruction & contractorsNonprofits
Company
About usCareers — we’re hiringBlog & resources
Book a call →
Home/For CPA Firms/Data Security

Data Security for Offshore Accounting — How We Protect Your Clients' Data

We don't offer security as a reassurance. we offer it as a documented, verifiable system. every control on this page is active on every engagement from day one — not something we activate when you ask for it.

Start a secure engagementOnboarding process →
✓ ISO 27001:2013
✓ ISO 9001:2015
✓ NDA every engagement
SOC 2 Type II in progress
Security controls

Six controls that protect your clients’ data at every point in the workflow.

Every control listed here is structural — built into how we operate, not layered on top as a policy document. a policy without an operational control is not security. See how this fits into our CPA firm engagement model.

Control 01
Mutual NDA executed before any access is granted
A bilateral confidentiality agreement is executed before your accountant receives any software credentials, client information, or file access. the NDA covers all client data, engagement details, and business information — and continues to apply after the engagement ends. this is non-negotiable and applies to every engagement without exception.
Control 02
Role-based software access — you control what we see
Your accountant is granted only the software permissions required for their specific work. in QBO, this is typically the Accountant role — which gives bookkeeping and reporting access without the ability to change billing details, invite users, or access admin settings. you grant access. you can revoke it instantly at any time. we never have more access than the task requires.
Control 03
All work performed within your cloud environment
Your accountant works entirely within your existing cloud infrastructure — QBO, Xero, your document portal, your shared drive. no client data is downloaded to local machines, stored on our internal systems, or transferred to any third-party environment outside your agreed workflow. the data stays in your environment throughout.
Control 04
ISO 27001:2013 certified information security management
Our parent organisation Nimblechapps Pvt. Ltd. holds ISO 27001:2013 certification — the international standard for information security management systems. this covers risk assessment processes, access control policies, incident management protocols, business continuity planning, and regular security audits. it’s a verified standard, not a self-assessment.
Control 05
Device and endpoint security on all work devices
All devices used by our accounting team are company-managed with enforced security policies — encrypted storage, screen lock requirements, remote wipe capability, and restricted USB access. personal devices are not used for client work under any circumstances. this is enforced at the device management level, not just policy.
Control 06
Communication only through agreed secure channels
Client data is never transmitted via personal email, messaging apps, or unsecured channels. all file sharing occurs within your established document portal — ShareFile, Google Drive with appropriate sharing restrictions, or your preferred secure method. communication defaults to your firm’s professional email environment.
The NDA

What our confidentiality agreement actually covers — not what you’d expect from a standard template.

Most service agreements have a generic confidentiality clause. ours is a standalone bilateral NDA specifically drafted for offshore accounting engagements where CPA firm client data is involved.

Bilateral. both parties are bound. we don’t ask for disclosure protection that we’re not willing to provide in return.
Covers all client data explicitly. not just "confidential information" — the NDA specifically names client financial data, tax returns, business records, and personally identifiable information.
Prohibits disclosure of the engagement itself. we are not permitted to disclose that we work with your firm — to anyone, for any reason, without your written consent.
Survives termination. confidentiality obligations continue after the engagement ends. there is no expiry on our duty of discretion regarding your clients’ information.
You can use your own template. if your firm has a standard NDA you use with vendors, we’re happy to sign yours. the protection of your clients matters more than whose document we use.
Key NDA provisions — summary
Definition of Confidential Information
Includes all client financial data, tax records, business information, personally identifiable information, and the existence and terms of the engagement itself.
Permitted use
Confidential information may only be used for the specific purpose of providing the agreed accounting services. no other use is permitted under any circumstances.
Non-disclosure obligation
Neither party may disclose confidential information to any third party without prior written consent. this includes disclosure that the engagement exists.
Data return / destruction
On termination, all confidential information in our possession is returned or destroyed as directed. confirmation of destruction provided in writing.
Survival period
Confidentiality obligations survive termination of the engagement indefinitely with respect to client financial data and personally identifiable information.
Request our NDA template →
Access control

You control what your offshore accountant can and cannot do in your software.

Role-based access means your accountant can do their job — and nothing else. the table below shows what the standard Accountant role in QBO allows and prohibits. you can restrict further if you choose.

Access is granted client-by-client. if you have 20 QBO clients and want your offshore accountant working on 5, you add them only to those 5. the other 15 remain invisible to them.

ActionYour accountantYou (admin)
View transactions & reports
Enter and categorise transactions
Bank reconciliation
Run and export reports
Change billing / subscription
Add or remove users
Access bank account credentials
Make payments or transfers
Delete transactions or audit trail

Table reflects standard QBO Accountant role. Xero and other platforms have equivalent role structures.

Certifications & compliance

Independently verified security and quality standards.

Certifications aren’t a checklist item for us. they’re the output of genuinely building the right systems — and the mechanism that allows us to prove it to you without asking you to take our word for it. Our jurisdiction and operating base — offshore accounting from India — sits behind an ISO-certified parent organisation with 11+ years of operational history. Review our full certification roadmap for the team credentials that sit behind every engagement.

✓ Certified
ISO 27001:2013 Information Security
The international standard for information security management systems. covers risk assessment, access controls, incident response, business continuity, and independent audit. held by Nimblechapps Pvt. Ltd. since certification.
✓ Certified
ISO 9001:2015 Quality Management
The international standard for quality management systems. ensures consistent delivery processes, documented procedures, error tracking, and continuous improvement protocols across all engagements.
In progress
SOC 2 Type II
Working toward SOC 2 Type II audit readiness. this will independently validate our security, availability, and confidentiality controls to the AICPA standard most commonly required by US enterprise clients.
✓ Standard practice
Mutual NDA — every engagement
Bilateral non-disclosure agreement covering all client data, business information, and engagement details. executed before any access is granted. survives engagement termination indefinitely for personal and financial data.
Incident response

What happens if something goes wrong — and how fast we respond.

A security policy without an incident response protocol is incomplete. this is our response procedure for any potential security concern — regardless of how minor it appears at the time of detection.

Ready to begin? Our onboarding process walks your firm through NDA execution, access setup, and a soft start within two weeks.

01
Detection & immediate access suspension
Any potential security concern triggers immediate suspension of the relevant access. this happens before assessment — the principle is contain first, investigate after.
02
Notification within 24 hours
You are notified within 24 hours of any suspected security incident that may affect your clients’ data — including incidents where we’re uncertain of the impact. we don’t wait for confirmation before informing you.
03
Assessment & scope determination
We determine what data may have been affected, how, and by whom. a written assessment is provided to you within 48 hours with specific details rather than general reassurances.
04
Remediation & documentation
The vulnerability or failure is remediated. a post-incident report is prepared documenting what occurred, how it was addressed, and what process changes prevent recurrence. provided to you in writing.
05
Regulatory notification support
If the incident requires notification to any regulatory body, we provide full documentation support. we do not manage the notification on your behalf — that remains your decision — but we provide everything you need to make it.

Security questions before you decide. good. ask them now.

Book a call and ask us anything about how we protect your clients' data. We'll answer every question specifically — not generally — and provide whatever documentation you need to satisfy your firm's due diligence requirements.

Book a discovery call

Or email us directly at accounting@nimblechapps.finance — no forms, no bots.