Security & Privacy
SyncFast handles financial data, and we take that responsibility seriously. This page explains how we protect your information.
Data Handling Principles
- Minimal data access: We only request the permissions necessary to sync payouts
- No credential storage: We never see or store your Stripe or QuickBooks passwords
- OAuth 2.0 only: All integrations use industry-standard OAuth, meaning you authorize access through Stripe and Intuit directly
- Encrypted in transit: All communication uses TLS encryption
Stripe Permissions
SyncFast connects to Stripe via Stripe's official OAuth flow. When you authorize, we receive a scoped access token with read-only permissions:
| Permission | What It Allows |
|---|---|
| Read balance | View your Stripe balance and payout history |
| Read payouts | Access payout details (amounts, dates, breakdowns) |
| Read charges | View charge details included in payouts |
What we cannot do:
- Move money or initiate transfers
- Modify your Stripe account settings
- Access customer payment methods or card details
- View personal information about your customers
You can revoke SyncFast's access at any time from your Stripe Dashboard under Settings → Connected Accounts.
QuickBooks Permissions
SyncFast connects to QuickBooks via Intuit's official OAuth 2.0 flow. We request the minimum scope needed:
| Permission | What It Allows |
|---|---|
| Read chart of accounts | Fetch your account list for mapping configuration |
| Create journal entries | Post payout entries to your books |
What we cannot do:
- Delete or modify existing transactions
- Access payroll, employee, or tax data
- Make payments or transfers
- View bank account numbers or sensitive financial details
You can revoke access at any time from your QuickBooks account under Settings → Manage Connected Apps.
What We Store
SyncFast stores the minimum data required to operate:
| Data | Purpose | Stored Where |
|---|---|---|
| OAuth tokens | Authenticate API calls to Stripe / QB | Encrypted database |
| Stripe payout IDs | Prevent duplicate syncs | Database |
| Sync history & status | Dashboard display and troubleshooting | Database |
| Account mapping config | Route transactions to correct accounts | Database |
| Email address | Login and notifications | Database |
What we do not store:
- Stripe or QuickBooks passwords
- Customer payment information
- Full transaction details (only payout-level summaries)
- Bank account numbers
Token Management
OAuth tokens are:
- Encrypted at rest in our database
- Automatically refreshed before expiration
- Immediately revoked on our end if you disconnect an account in SyncFast
- Scoped to only the permissions listed above
If a token cannot be refreshed (e.g., you revoked access externally), SyncFast stops syncing and notifies you to reconnect. See Troubleshooting for details.
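The refresh-and-stop behaviour described above can be sketched as follows. This is an added example, not SyncFast's own code: `Connection`, `ensure_fresh`, `REFRESH_MARGIN`, and the `token_endpoint` and `notify` callables are hypothetical names, and the only provider behaviour assumed is the standard OAuth 2.0 `invalid_grant` error (RFC 6749, section 5.2) returned for a revoked refresh token.

```python
import time
from dataclasses import dataclass

REFRESH_MARGIN = 300  # assumed: refresh when under 5 minutes of lifetime remain

@dataclass
class Connection:
    provider: str
    access_token: str
    refresh_token: str
    expires_at: float          # Unix time at which access_token expires
    status: str = "active"     # "active" or "needs_reconnect"

def ensure_fresh(conn, token_endpoint, notify, now=None):
    """Return True if conn may be used for a sync, False if syncing must stop.

    token_endpoint(request_dict) -> response_dict stands in for the HTTPS POST
    to the provider's token URL; notify(provider) stands in for the user alert.
    """
    now = time.time() if now is None else now
    if conn.status != "active":
        return False                      # already disconnected: never retry silently
    if conn.expires_at - now > REFRESH_MARGIN:
        return True                       # token still comfortably valid
    resp = token_endpoint({"grant_type": "refresh_token",
                           "refresh_token": conn.refresh_token})
    if resp.get("error") == "invalid_grant":
        # Refresh token was revoked or expired at the provider: stop syncing,
        # drop the dead credentials, and ask the user to reconnect.
        conn.status = "needs_reconnect"
        conn.access_token = conn.refresh_token = ""
        notify(conn.provider)
        return False
    if "error" in resp or "access_token" not in resp:
        # Transient or unexpected failure: keep the stored tokens and only
        # proceed if the current access token has not actually expired yet.
        return conn.expires_at > now
    conn.access_token = resp["access_token"]
    # Some providers rotate the refresh token on every use; persist the new one.
    conn.refresh_token = resp.get("refresh_token", conn.refresh_token)
    conn.expires_at = now + resp["expires_in"]
    return True
```

Separating `invalid_grant` from other errors matters: wiping tokens on a transient outage would force needless reconnects, while retrying a revoked token indefinitely would hide the disconnect from the user.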
Infrastructure
- Hosting: Application servers run in isolated containers on AWS
- Database: PostgreSQL with encryption at rest
- Secrets: API keys and tokens are stored in encrypted form, separate from application data
- Monitoring: Automated alerting for unauthorized access attempts
Your Rights
- Disconnect at any time: Revoke access from Stripe, QuickBooks, or SyncFast. Syncing stops immediately.
- Delete your account: Removing your SyncFast account deletes all stored data, including OAuth tokens and sync history