data security is the second most common reason CPA firms don’t pursue offshore accounting — quality is first — and it is the concern most often answered with vague reassurance rather than specific information. “we take data security very seriously” is not useful. it doesn’t tell you anything about what is actually being protected and how.

this guide gives CPA firms a specific, practical understanding of the data security landscape for offshore accounting. what the real risks are. what structural controls actually reduce them. what an NDA needs to cover. what ISO 27001 actually means. and what questions to ask any offshore accounting provider before you hand over access to your clients’ financial data.

The real risks — what they are and what they aren’t

the first step is being precise about what you’re actually protecting against. the data security conversation in offshore accounting is often too general to be useful. here’s a more specific breakdown.

Risks that are real
Inappropriate access. an offshore accountant has access to your clients’ financial data: bank balances, revenue figures, payroll records, tax information. if that access isn’t limited by role and by client organisation, the data is reachable well beyond what the work requires.
Data exfiltration. if an offshore accountant can download or export files to a local device, data can leave the engagement without your knowledge. this is the risk that structural controls address most directly.
Insufficient confidentiality obligations. without a specific, enforceable NDA, confidentiality rests on expectation rather than contract. if something goes wrong, you have no contractual basis for a claim.
Human error. data shared with the wrong recipient, files uploaded to the wrong folder, or client data discussed in an insecure channel. this is a process risk, not a technology risk, and it is the one most likely to actually occur.
Risks that are often overstated
Geography. “India is less secure than the US” is not a security assessment; it is a geographic assumption. ISO/IEC 27001 is a geography-neutral process standard. a US-based provider without ISO 27001 certification is not inherently more secure than an ISO-certified provider in India. where geography does matter is jurisdiction: which courts enforce the NDA, and whether any of your clients have data-residency obligations. those are contract and compliance questions, not a measure of the provider’s controls.
Being offshore in general. if an offshore accountant works inside your cloud software (QBO, Xero) and the engagement prohibits downloading data to a local device, the ledger stays in your cloud environment regardless of where the accountant is physically located. the accountant still sees whatever the role permits on screen, so the download prohibition has to be enforced by policy, device controls and audit review rather than assumed from the platform.

Access controls — how to structure software access for offshore teams

the most effective security control for offshore accounting engagements is role-based access within your existing software. the role itself is structural: it is enforced by the platform, not dependent on the provider’s word. the limits on what is done with that access (no exports, no local copies) are not platform-enforced and need the NDA and the provider’s own controls behind them.

QuickBooks Online Accountant role. grants full bookkeeping and reporting access. explicitly restricts billing management, user administration, and bank credential access. the accountant can post transactions, reconcile accounts, run reports, and create journal entries. they cannot change your subscription, add or remove users, or access the bank credentials that fund connected bank feeds. invite the provider as an accountant user, not as a company admin, and check the user list afterwards rather than relying on the invitation.

Xero Adviser role. equivalent to QBO’s Accountant role: full bookkeeping access without admin capability. in Xero, “Manage users” is a separate permission that can be added to any role, so leave it unticked when you add the adviser and confirm it stays that way.

Per-client access. in both QBO and Xero, access is granted at the organisation level — you add the accountant to specific client organisations. an offshore accountant working on 10 of your 30 clients has access to those 10 organisations and nothing else.


No local download capability. cloud-based accounting software does not require files to be downloaded to complete bookkeeping work; all work is performed within the platform. note that both QBO and Xero let any user with reporting access export reports to a spreadsheet, so “no download” is a policy and device control on the provider’s side, not something the role enforces. QBO’s audit log and Xero’s history and notes record who changed what, and are worth reviewing periodically. if an offshore provider asks for exported files to be sent by email rather than working within your software directly, that is a data control gap, not a minor preference.
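The three access rules above (accountant-level role only, access limited to the client organisations in scope, access removed when the engagement ends) are the kind of thing that drifts quietly over months. The script below is an added example, not code from this page or from QBO or Xero, that turns those rules into a repeatable review over a user-access export. The record layout, role names and permission flags are assumptions for illustration (a real QBO or Xero export looks different and would need a small adapter), and the sample data is constructed.

```python
"""Access review for an offshore accounting engagement (added example).

Models the controls described above as an audit over an access export:
  - only accountant-level roles (QBO "accountant", Xero "adviser") are allowed
  - access must be limited to the client organisations the engagement covers
  - admin add-on permissions (billing, user management) must be off
  - access must be removed once the engagement ends
Role names, flags and record layout are assumptions, not platform APIs.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Roles that carry bookkeeping access only (assumed names per platform).
ALLOWED_ROLES = {"qbo": {"accountant"}, "xero": {"adviser"}}

# Add-on permissions that turn a bookkeeping role into an admin one.
ADMIN_FLAGS = {"qbo": {"billing", "user_admin"}, "xero": {"manage_users"}}


@dataclass(frozen=True)
class Access:
    user: str                        # offshore accountant's login
    platform: str                    # "qbo" or "xero"
    org: str                         # client company / organisation
    role: str
    flags: frozenset = frozenset()   # extra permissions enabled on the user


@dataclass(frozen=True)
class Engagement:
    user: str
    platform: str
    orgs: frozenset                  # client organisations in scope
    ends: Optional[date] = None      # None = ongoing


def review(accesses, engagements, today):
    """Return (user, org, finding) tuples; an empty list means the access is clean."""
    by_user = {(e.user, e.platform): e for e in engagements}
    findings = []
    for a in accesses:
        eng = by_user.get((a.user, a.platform))
        if eng is None:
            findings.append((a.user, a.org, "no engagement on record: access should not exist"))
            continue
        if eng.ends is not None and today > eng.ends:
            findings.append((a.user, a.org, f"engagement ended {eng.ends}: access not revoked"))
        if a.org not in eng.orgs:
            findings.append((a.user, a.org, "organisation outside engagement scope"))
        if a.role not in ALLOWED_ROLES[a.platform]:
            findings.append((a.user, a.org, f"role '{a.role}' exceeds accountant-level access"))
        admin = a.flags & ADMIN_FLAGS[a.platform]
        if admin:
            findings.append((a.user, a.org, f"admin permission(s) enabled: {sorted(admin)}"))
    return findings


# Constructed sample export: one clean grant and four that should be flagged.
SAMPLE_ACCESSES = [
    Access("priya@provider.example", "qbo", "Acme Dental", "accountant"),
    Access("priya@provider.example", "qbo", "Bluff Plumbing", "company_admin"),
    Access("priya@provider.example", "xero", "Cedar Cafe", "adviser", frozenset({"manage_users"})),
    Access("priya@provider.example", "qbo", "Delta Logistics", "accountant"),
    Access("raj@provider.example", "xero", "Elm Vets", "adviser"),
]
SAMPLE_ENGAGEMENTS = [
    Engagement("priya@provider.example", "qbo", frozenset({"Acme Dental", "Bluff Plumbing"})),
    Engagement("priya@provider.example", "xero", frozenset({"Cedar Cafe"})),
    Engagement("raj@provider.example", "xero", frozenset({"Elm Vets"}), ends=date(2024, 3, 31)),
]


def demo(today=date(2024, 6, 1)):
    """Run the review over the constructed sample as of a fixed date."""
    return review(SAMPLE_ACCESSES, SAMPLE_ENGAGEMENTS, today)


if __name__ == "__main__":
    for user, org, finding in demo():
        print(f"{user:26} {org:16} {finding}")
```

Run this against the real user list from each client file at onboarding and again on a schedule; the engagement end date is what makes the termination check (question 6 below) mechanical rather than something you remember to do.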

NDA standards — what to require and why

a generic NDA is not sufficient for an offshore accounting engagement. here is what a purpose-built NDA for this context needs to cover.

Scope of confidential information. specifically cover client financial data, client identity, client business information, and any data accessed through your firm’s software. a generic “confidential information” definition may not be specific enough for accounting data.

Purpose limitation. the offshore accountant is permitted to use client data only for the specific work of the engagement — not for any other purpose, not shared with any third party.

Data handling obligations. specific obligations on how data is stored, transmitted, and disposed of. prohibition on local storage of client data.

Duration. confidentiality obligations should survive the end of the engagement — typically in perpetuity for client financial data, or for a defined period of not less than 5 years.

Mutual structure. a mutual NDA is standard in professional service engagements. it protects both parties and signals that the provider takes the obligation seriously. a provider who offers only a one-way NDA is signaling something about how they view the relationship.

Before you grant access

the NDA should be signed before any access is granted — not after onboarding, not once the first client file is underway. access granted before an NDA is executed is access granted on expectation alone. no reputable offshore accounting provider should object to this sequence.

ISO 27001 — what the certification covers and why it matters

ISO/IEC 27001 is the international standard for information security management systems (the current edition is 2022; certificates issued against the 2013 edition are being transitioned, so ask which edition a certificate cites). it is not a product certification or a technology certification. it is a process certification that requires an organisation to demonstrate that it has a systematic approach to managing information security risks.

what ISO 27001 certification means in practice:

Information assets identified and risks formally assessed
Information security controls documented, implemented, and monitored
Access controls and incident response procedures in place and tested
Business continuity plans documented and operational
Independent accredited certification body has audited and confirmed controls are operating effectively
Ongoing surveillance audits and three-year re-certification required to maintain status

for CPA firms, ISO 27001 certification in an offshore provider is the most reliable external validation that information security is managed systematically rather than informally. the certification body is independent; the provider cannot issue it to themselves. it is worth asking for the certification body’s name and verifying the certificate directly with that body. when you do, read the scope statement on the certificate: certification covers a defined set of locations, services and legal entities, and a certificate held by a parent company or a different office does not automatically cover the team that will be working in your client files. check the expiry date too, since surveillance audits can lapse.

Encryption and secure file transfer — practical protocols

In-platform work (the preferred approach). if your offshore accountant works entirely within QBO, Xero, or your tax software, data transmission is handled by the platform’s own security infrastructure. no additional file transfer protocol is required; the security is already built into the tools your clients are paying for.

When file transfer is necessary. for documents that need to be shared outside the accounting platform (source documents, bank statements, payroll reports) the transfer should use an encrypted channel you already control: your existing client portal (ShareFile, Google Drive with appropriate permissions, Dropbox Business). share to named accounts rather than open links, and keep the sharing inside your firm’s tenant so access can be revoked and audited from your side. email attachments for sensitive client data are not appropriate, regardless of how common they are in practice.

No USB or local storage. offshore accountants working in cloud-based software have no reason to use USB drives or local storage for client data. if local storage is part of the workflow, it is a gap — not a minor operational detail. ask specifically about this before the engagement starts.

Questions to ask any offshore accounting provider

ask these before you grant access to anything. the specificity of the answers will tell you as much as the answers themselves.

Due diligence checklist — data security
1. ISO 27001 certification. do you have ISO 27001 certification? can you provide the certificate and the certification body’s name for verification? does the certificate’s scope cover the entity and the team that will be doing our work?
2. Software access role. walk me through the access controls for my accounting software. specifically, what role will your accountant be added as, and which add-on permissions will be left off?
3. Local storage policy. will any client data be stored locally on your accountants’ devices? if so, what controls govern that storage, and what prevents report exports from leaving the platform?
4. NDA terms. what does your NDA cover? can I see the standard NDA before we proceed?
5. Incident history. has your firm ever had a data security incident involving client data? how was it handled, and how would we be notified of one affecting our clients?
6. Access termination. how do you handle termination of access when an engagement ends, or when one of your accountants leaves? who confirms to us that it has been removed?

a provider that cannot answer these questions specifically — or that answers with reassurances rather than specifics — has answered the most important question: they haven’t thought about this carefully. the question isn’t whether a security incident has ever happened. the question is whether the provider has a structured approach to preventing one. vague answers indicate the answer is no.

How Nimblechapps Finance addresses each of these

our full data security documentation is at our data security page. the short version: ISO 27001 certified parent organisation, Accountant/Adviser role access only in your software, no local data storage, NDA executed before any access is granted, and the questions above answered specifically in writing on request.

the documentation exists because CPA firms should expect specifics, not promises. if you want to verify the ISO 27001 certification before the engagement begins, we’ll provide the certification body’s name and certificate number. if you want to see the NDA before the first call, we’ll send it. if you want to know exactly which role your accountant will be added as in QBO or Xero, we’ll walk through the access configuration before any access is granted.

this is not a particularly high bar for a professional service engagement. it is, however, a bar that a meaningful number of offshore accounting providers cannot clear with specifics.