We do not disclose non-public personal information to anyone, except as instructed to do so by clients in the normal course of our work or as required by law. Our engagement agreement lists examples of the type of public information we may share in the normal course of our work.
We restrict access to stored non-public personal information to those professionals necessary to complete the work agreed upon and we maintain specific physical, electronic, and procedural safeguards to guard your non-public personal information.
General communication security standards – You control the level of communication security standards based on the choices you make as explained in the first paragraph on “Communications” in our engagement agreement. We assume the highest level of security unless you indicate a preference otherwise. For example, we would normally use a secure document portal to share information unless you ask us to send it through email.
Custody of funds – We do not take physical possession of client funds nor do we have custody of client financial accounts. That means that we do not have the sole authority to sign checks or make withdrawals. In some cases, we can authorize electronic payments under pre-negotiated written accounting services arrangements. If we act in joint roles, for example as Treasurer, Board member or Officer in addition to a role as an accountant/adviser, then the specific additional authority of that role would be disclosed in a separate written agreement.
Paper documents – We prefer to not take physical possession of original documents or physical documents that contain personal information. A PDF file or clear cell phone photo is almost always a better option. If we do take possession of a paper document, we will issue a receipt, usually through email, and arrangements for its handling and return are made in writing on an individual case-by-case basis. Private client data, passwords and account access details for client files are not stored on any of my local physical devices so that loss of a cell phone or computer, for example, does not pose a security threat.
Transfer of Private Data through secure portal – Online document transfer and storage is handled by a US-domiciled Internet security service called SecureFilePro. Clients’ files are protected by tough industry-standard security measures based on secure 256-bit SSL encryption during transmission and files are encrypted at rest on the private US-based server. At all times, clients can view and access only their own documents. We also endorse the use of secure messaging and encrypted email as needed and on request.
Other cloud-hosted electronic data (handled by Adobe, Apple, CFS, Drake, Google and Microsoft) – PDF document scanning and security is provided by Adobe Document Cloud. Security for most of my work and client information is provided by Microsoft’s cloud-based storage platform incorporated into Microsoft Office 365. In other words, I am as secure (no more and no less) as any of the many similar professional businesses that operate on a Microsoft Office 365 platform. Microsoft publishes much more information about security on its web site. Email is handled through Microsoft or Google services. Tax processing data used by CFS Software and Drake Software is held on a single secure PC device.
Backups of Cloud-hosted data – We maintain “reverse backups” of cloud-hosted Private Data on physical hard drives that are maintained in multiple secure areas. This means that we periodically copy OneDrive and Google Drive to a hard drive kept in a safe.
Private Data on Physical Devices – Except for CFS and Drake tax software, and as described in the Backups section above, no Private Data is contained on our physical devices.
Passwords and account access details – I use an industry-leading third-party password security company for separate offsite management of passwords and online account login details. Unique randomly generated passwords with 8 or more characters are used for each web site and client account. These passwords are not stored on any of my devices. The master account password is not recorded anywhere.
Please call if you have any questions, because your privacy and security, our professional ethics, and the ability to provide you with quality financial services are very important to us.
A link to my privacy and security agreement is included in our engagement agreement. I am available to discuss any questions or concerns.