Freemi Books holds the most sensitive thing a business has — its books. We treat that responsibility with the seriousness it deserves.
Every connection uses TLS 1.3. Data stored in Firestore is encrypted at rest with AES-256 using Google-managed keys. Sensitive secrets (TrueLayer tokens, Stripe keys, the OpenRouter key) live in Firebase Secret Manager with per-secret IAM bindings.
Bank connections go through TrueLayer (regulated by the FCA and the Central Bank of Ireland). You enter your banking credentials on your bank's own site, never on ours. We receive a read-only token, stored encrypted, that we can revoke at any time.
All bookkeeping data lives in Google Cloud's European multi-region (Firestore). Bank tokens stay on TrueLayer EU/UK infrastructure. We don't transfer your accounting data outside the EU/UK except via sub-processors that have signed Standard Contractual Clauses.
Every touch on your books (bank sync, AI categorisation, approval, period lock) lands in an immutable, cryptographically chained audit log. Practitioners and Revenue auditors can replay everything that happened.
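A hash chain of the kind described above, as an added illustration that is not Freemi's code: the event fields, the SHA-256 construction and the genesis value are all assumptions. It also shows why the latest hash has to be stored outside the log, since a chain on its own cannot reveal a truncated tail.

```python
import copy
import hashlib
import json

GENESIS = "0" * 64  # assumed anchor value for the first entry


def entry_hash(prev_hash, event):
    # Canonical JSON so the same event always hashes to the same bytes.
    body = json.dumps(event, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode("utf-8")).hexdigest()


def append(log, event):
    prev = log[-1]["hash"] if log else GENESIS
    log.append({"event": event, "prev": prev, "hash": entry_hash(prev, event)})


def verify(log, expected_head=None):
    """Return the index of the first bad entry, len(log) if the head hash does
    not match an externally stored value, or None if the chain is intact."""
    prev = GENESIS
    for i, rec in enumerate(log):
        if rec["prev"] != prev or rec["hash"] != entry_hash(prev, rec["event"]):
            return i
        prev = rec["hash"]
    if expected_head is not None and prev != expected_head:
        return len(log)
    return None


def sample_log():
    # Constructed events; field names are illustrative assumptions.
    log = []
    for event in (
        {"action": "bank_sync", "actor": "system", "txn": "t-1001"},
        {"action": "ai_categorisation", "actor": "ai", "txn": "t-1001", "category": "software"},
        {"action": "approval", "actor": "user:alice", "txn": "t-1001"},
        {"action": "period_lock", "actor": "user:alice", "period": "2026-05"},
    ):
        append(log, event)
    return log


if __name__ == "__main__":
    log = sample_log()
    head = log[-1]["hash"]  # in practice kept somewhere the log writer cannot alter
    edited = copy.deepcopy(log)
    edited[1]["event"]["category"] = "travel"  # in-place edit of one entry
    print(verify(log, head), verify(edited, head), verify(log[:-1]), verify(log[:-1], head))
```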
Workspaces are isolated at the Firestore rules layer: a member of workspace A literally cannot read workspace B's documents, even with the same Freemi account. Service accounts are scoped per backend.
We commit to disclosing material incidents to affected workspaces within 72 hours of detection — the GDPR threshold. The status page (freemi.ai/status, coming soon) records every minute of outage we've ever had.
Found something? We'd rather hear about it than learn the hard way. Email security@freemi.ai with reproduction steps. We commit to a substantive reply within 48 hours and a fix or mitigation within 14 days for medium-and-above severity issues. We don't pursue researchers acting in good faith.
Last updated 3 June 2026. The detailed sub-processor list lives on the Privacy page.