Security & Trust

Last updated: May 2026

At Paidnice, security is one of our highest priorities. Finance teams, business owners, accountants, and bookkeepers trust us with the data behind their accounts receivable, and protecting that data shapes how we build and operate.

Paidnice integrates natively with Xero and QuickBooks Online, processes over AU$15 billion in receivables on behalf of customers, and was named the Xero Global Small Business App of the Year 2025. The standards we meet to earn that trust are the standards we apply across our infrastructure, our application, and our team.

Our approach is grounded in the security requirements set by Xero and Intuit, aligned with globally recognized frameworks including ISO 27001 and the NIST Cybersecurity Framework, and continuously improving.

At a glance

A quick summary of the controls we operate and how we keep your data safe.

Control                 What we do
----------------------  -------------------------------------------------------------------
Encryption in transit   TLS 1.2+ on every connection
Encryption at rest      AES-256 (NIST-aligned)
Authentication          MFA required for internal access; OAuth 2.0 with Xero and QuickBooks
Access controls         Role-based, least-privilege, instant revocation, periodic reviews
Hosting                 All infrastructure hosted on Amazon Web Services (AWS)
Data isolation          Logical tenant separation
Secure development      OWASP Top 10, code review, automated scanning, regular patching
Penetration testing     Independent testing conducted regularly
Audit logging           Comprehensive, securely retained for investigation
Vendor standards        Evaluated against ISO 27001, SOC 2, and similar credentials
Data deletion           Promptly deleted on request, per policy and obligations
Incident response       Documented policies and playbooks; transparent communication
Employee training       Security awareness and secure-coding training
Compliance alignment    Xero SSAM, Intuit security standards, ISO 27001, NIST CSF, GDPR
AI and customer data    Customer data is never used to train external AI models

Our approach

We align our practices with the security standards required by the platforms we connect to: the Xero Security Standard for App Partners (SSAM) and the Intuit Developer security and compliance standards that govern apps on the QuickBooks App Store.

Beyond those baselines, we benchmark our controls against ISO 27001 and the NIST Cybersecurity Framework. You can read more about how we handle personal information in our Privacy Policy.

Key practices

Encryption in transit and at rest

  • All data is encrypted in transit using TLS 1.2 or higher.
  • Customer data is encrypted at rest using AES-256, a NIST-approved standard.
  • OAuth tokens and API credentials for Xero and QuickBooks are securely stored and managed in line with both platforms' security requirements.

Authentication and access control

  • Multi-factor authentication (MFA) is required for all internal access to production systems.
  • We use OAuth 2.0 to connect to Xero and QuickBooks. Paidnice never sees or stores your accounting platform password.
  • Role-based access controls enforce the principle of least privilege across our team.
  • Periodic access reviews ensure only those who need access retain it.
  • Access can be revoked instantly when staff leave or customers offboard.

Hosting and infrastructure

  • Production infrastructure runs on Amazon Web Services (AWS), benefiting from AWS's enterprise-grade physical and network security.
  • AWS data centers meet independent compliance standards including ISO 27001, SOC 1/2/3, and PCI DSS.
  • Customer data is logically isolated to maintain tenant separation and integrity.
  • Production data is backed up regularly and stored redundantly across multiple availability zones. Backups inherit the same encryption and access controls as production.

Data handling and minimization

  • We follow strict data minimization. Paidnice only accesses the subset of accounting data needed to operate reminders, statements, fees, payment plans, escalations, and reporting.
  • We do not store full payment card information. Card processing is handled by Stripe, which is PCI DSS Level 1 certified.
  • We do not collect health, biometric, or other special category data.
  • Customer data is promptly deleted on request, in line with our retention and compliance obligations.

Secure development and vulnerability management

  • Developers follow secure coding standards based on the OWASP Top 10, covering SQL injection, XSS, authentication flaws, and other common vulnerabilities.
  • Code is peer-reviewed before it ships to production.
  • Automated security scanning runs on every build, and dependencies are continuously monitored for known vulnerabilities.
  • We engage independent firms to conduct penetration testing on a regular cadence.

Monitoring and audit logging

  • Production systems are continuously monitored for anomalies at the network, application, and transaction levels.
  • Audit logs are maintained securely and retained for traceability and investigation.

Third-party vendors

  • We integrate with selected providers for support, analytics, payments, and infrastructure, including AWS, Stripe, Intercom, and Mixpanel.
  • We evaluate every vendor against high security standards, including data handling, encryption, and recognized credentials such as ISO 27001 and SOC 2.
  • Integrations are limited to partners that meet strong security and privacy standards.

Employee training and culture

  • Every employee completes regular security training covering phishing awareness, secure data handling, and incident reporting.
  • Engineers receive additional secure-coding training. Security is part of our onboarding and ongoing development cycles.

Compliance alignment

  • Our controls are designed in alignment with ISO 27001 and the NIST Cybersecurity Framework.
  • We routinely assess our practices against the privacy expectations of GDPR and similar regimes.

Responsible AI

We use AI inside Paidnice to improve workflow efficiency, and we follow best-practice recommendations for responsible AI use.

  • No external training. Customer data is never used to train or fine-tune external AI models.
  • Controlled use. AI is applied to specific automation tasks, with strict boundaries to protect privacy.
  • Transparency. We're open about where AI is used inside the product.
  • Human in the loop. Finance teams and business owners retain control over what gets sent and when.

Independent accreditations

We're accredited by the platforms we integrate with, each requiring independent review of our security practices.

Vulnerability disclosure

We welcome security reports from the community. If you believe you've found a vulnerability in any Paidnice system, please email hello@paidnice.com. We'll investigate promptly and take appropriate action.

Breach notification

In the event of a security incident affecting customer data or integrated third-party services (such as Xero, QuickBooks Online, or other APIs), Paidnice will notify affected customers and partners as soon as reasonably possible, in line with applicable laws.

Company directors are accountable for ensuring a timely, transparent response. Paidnice will take all reasonable steps to preserve evidence relevant to the incident, including access logs and system records, to support a thorough investigation. Notifications may be provided by email, in-app message, or public notice depending on the severity and scope.

Ongoing commitment

Security is never finished. We continuously review and improve our policies, controls, and practices as threats and customer expectations evolve.

For more information, including copies of our policies and procedures, contact us at hello@paidnice.com.