Written by Naman Mathur
Published on September 1, 2025
For us, security isn’t just a box to check. It’s part of how we build the product.
Stacks handles sensitive workflows, reconciliations, journal entries, and financial commentary, which are deeply integrated into our customers’ finance operations. This means that security and privacy cannot exist as a separate compliance layer; they must be embedded in the product from day one.
It Starts With the Team
We’ve built financial systems before, at scale.
Our team has helped build core infrastructure at companies like:
Uber (Payments and Fintech)
Plaid (Financial Data Infrastructure)
Mollie (Payment processing at volume)
Bunq (European mobile banking)
That experience shaped how we think about secure architecture, data isolation, and auditability. It also means we’ve seen how security failures happen when they’re bolted on late. So, at Stacks, we design for it upfront.
Security Is Baked Into the Product
We treat security as a first-class product requirement, not an afterthought. Here’s how that shows up:
Fine-grained access controls: Role-based access by workspace, entity, and module.
Audit trails everywhere: Every task, comment, and change is timestamped and immutable.
Data never leaves our cloud unless it's encrypted and controlled.
Proactive anomaly detection: Not just for your books, but also for behaviors that might signal risk.
SSO and Identity Management: SAML 2.0 support and full control over account access.
Data residency and segregation: Your financial data is encrypted in transit and at rest.
More on our technical approach, here.
AI-Native, Privacy-First
Stacks is an AI-Native company. But we take an equally strong stance on data control, transparency, and privacy.
Let’s make it clear:
We’ll never share or sell your data.
Your data is never used to train public AI models.
Your data stays your data - always.
Our AI features are designed with strict boundaries. We train models using anonymized patterns, not customer-identifiable content. And we operate under a principle of zero trust by default, with strict access controls, encryption at every layer, and full auditability.
Enterprise Compliance Standards
We meet leading industry standards for financial data and enterprise security:
SOC 2 Type I certified; SOC 2 Type II is under observation
GDPR-compliant
Data encrypted at rest and in transit (AES-256, TLS 1.2/1.3)
Penetration testing and regular security audits
Vendor risk and supply chain reviews
These certifications aren’t static; they’re continuously tested and improved as part of our internal controls and operations playbook. In addition, we’re in the process of ISO certifications to meet EU standards.
Want to Go Deeper?
Visit our Security & Trust Center to:
Access our latest compliance reports
Download our security whitepaper
Request a detailed security overview for your IT or procurement team
Security isn’t a feature. It’s part of how we build.
And we’ll keep treating it that way because the integrity of your close depends on it.
Strengthening Our Security Foundation
Added: September 1, 2025
When we launched "Security Is the Product" in May, we shared how security isn't a feature but the foundation. Since then, we've taken this commitment even further.
What We’ve Achieved
ISO/IEC 27001:2022 Certification — validated our global information security management practices under the latest standard for resilience and risk management.
GDPR Compliance — reaffirming that privacy isn’t an afterthought; it's embedded in our design and operations.
SOC 2 Type II Certification — proving not just that our controls are well-designed, but that they work reliably over time.
Read how we continue building on our security promise.
Why This Matters
These certifications go beyond badges. They’re:
Verified trust - audited by recognized authorities in security.
Ongoing assurance - demonstrating consistent execution, not one-off checks.
Privacy by design - a promise built into how we operate.
Explore the full details in Stacks' Trust Center — your source for compliance reports and security documentation.