All data in transit is encrypted via TLS 1.2 or higher. Data at rest is encrypted using AES-256. QuickBooks OAuth tokens are stored in an isolated, access-controlled secrets manager.
Production system access requires multi-factor authentication. All access events are logged and retained for 90 days. Logs are reviewed for anomalies weekly.
We use OAuth 2.0 with a minimal scope (read/write transactions only). Tokens are never transmitted in URLs, never logged, and are revocable at any time from your Intuit connected apps dashboard.
Migo is hosted on Render with a PostgreSQL database on Neon. Both providers maintain SOC 2 Type II compliance. Data is stored in the US-East region.
Client data is retained while the account is active. Upon account closure with a deletion request, data is permanently removed within 30 days.
Security vulnerabilities or concerns: hello@migo.polsia.app