API Security

Shared Responsibility

At AccountingSuite™ we take data security seriously, and we expect our Integration Partners to use their best efforts in securing our user data. Our responsibility is to ensure that AccountingSuite™ products and services are secure. Your responsibility is to ensure that you follow secure practices when integrating with AccountingSuite™ software and services.


Privacy Policy and Terms of Use

All AccountingSuite™ Integration Partners should maintain the latest Privacy Policy and Terms of Use on their website, and the latest URLs on the AccountingSuite™ App in the Developer Portal, at all times.

Integration Security

Integration Partners are required to use industry best practices to implement access and security controls in order to safeguard sensitive information, including Application Keys. Integration Partners are required to implement security best practices in their application for all endpoints when writing to, or reading from, an AccountingSuite™ endpoint.

Integration Partners are required to have TLS and HTTPS enabled for all pages served to AccountingSuite™ end-users.

A non-exhaustive list of these best practices includes:
  1. Implementing Cross-Site Request Forgery (CSRF) protection on redirect URLs;
  2. Serving all redirect URLs using the Transport Layer Security (TLS) protocol; and
  3. Securely storing and transmitting Application Keys, Access Tokens, Authorization Codes, Refresh Tokens, Client Secrets and other credentials.

Notification for Security Breaches

Integration Partners are required to notify AccountingSuite™ by email to support@accountingsuite.com if/when any potential or actual breach incident is identified that may have compromised end-user data (including personally identifiable information) or security tokens (such as integration keys).

Compliance

Integration Partners should follow applicable laws and compliance policies, such as CCPA, GDPR and other local compliance policies, when working with AccountingSuite™ client data.
Some of these practices include:
1. Requesting and retaining only the minimum data required for the integration;
2. Deleting data securely when it no longer needs to be retained;
3. Maintaining the provisions of our Privacy Policy; and
4. Disclosing the retention scope and policy to your end-users.

Account Security

Integration Partners must have a strong password for their AccountingSuite™ account. If you are using Google to sign in, ensure you have adequate protection in place for Google account access. Ensure that any AccountingSuite™ keys are stored and transmitted safely and securely, and that they are protected from accidental exposure.


Personally Identifiable Information

Ensure that data containing Personally Identifiable Information (“PII”) belonging to AccountingSuite™ end-user accounts is redacted (whether stored as text or as an image) before it is saved to your systems. If your application plans to send or receive PII using an AccountingSuite™ integration, please ensure your systems meet the relevant security requirements and compliance laws.


API Rate Limits

Please read our Rate Limit details here.

API Version

We send the API/Webhook version as part of the payload so that you can make sure your application is parsing the correct response version. We are continuously improving our API features. By using the latest version, you can provide a consistent user experience and stay up to date with improvements and fixes.


Backward Compatibility

As we add new and popular features, we enhance our API/Webhook structure.

To adapt to these backward-compatible enhancements, we recommend that developers design their application to tolerate the following changes:

  1. Adding new API/Webhook resources or endpoints;
  2. Adding new optional request parameters to existing APIs;
  3. Adding new response attributes to existing API/Webhook responses;
  4. Changing the order of attributes in existing API/Webhook responses;
  5. Changing the length or format of unique IDs in responses (this length will not exceed 255 characters);
  6. Changing the length of values in responses; and/or
  7. Adding new events for Webhooks.

Signature Secret Key

As part of our application registration process, we configure your application to use a “Signature Secret Key”. It helps you identify received payloads carrying malicious data that did not originate at AccountingSuite™, and ensures that the payload has not been tampered with in transit.

You can find this key next to the other Authorization keys we generate after registration of your application. If you are not able to find it, please create a support ticket to receive this key.

AccountingSuite™ generates a hash of the response body with the Signature Secret Key and attaches it to the response payload's header. You should verify the signature by computing the same hash over the body you received and comparing it with the one from the message.
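The following added example (not AccountingSuite™'s own code) shows a receiver that first verifies the header signature over the raw body and then parses the payload in a way that tolerates the backward-compatible changes listed above (new attributes, reordered attributes, new events, opaque IDs) and checks the version field. The page does not state the hash algorithm, the header name or the digest encoding, so HMAC-SHA256, a hex digest and the header name `X-Signature` are assumptions here; the secret, body and header values are constructed for the example.

```python
import hmac
import hashlib
import json

# Assumed header name and algorithm (placeholders): confirm the real values
# in the Developer Portal before relying on this.
SIGNATURE_HEADER = "X-Signature"
# Events this integration acts on; unknown events are ignored, not rejected.
KNOWN_EVENTS = {"invoice.created", "invoice.updated"}


def compute_signature(secret: str, raw_body: bytes) -> str:
    """HMAC-SHA256 (assumed) over the body bytes exactly as received.
    Never hash a re-serialised copy: attribute order or whitespace may differ."""
    return hmac.new(secret.encode("utf-8"), raw_body, hashlib.sha256).hexdigest()


def verify_signature(secret: str, raw_body: bytes, headers: dict) -> bool:
    """True only when the header digest matches; compare in constant time."""
    received = headers.get(SIGNATURE_HEADER)
    if not received:
        return False
    return hmac.compare_digest(compute_signature(secret, raw_body), received.strip())


def parse_webhook(raw_body: bytes, supported_version: str):
    """Parse only after verification. Reads known fields by name so new or
    reordered attributes do not break it; treats the ID as an opaque string."""
    payload = json.loads(raw_body)
    if str(payload.get("version")) != supported_version:
        return None  # version carried in the payload does not match what we parse
    event = payload.get("event")
    if event not in KNOWN_EVENTS:
        return None
    data = payload.get("data", {})
    return {"event": event, "id": str(data.get("id", "")), "total": data.get("total")}


def handle_webhook(secret: str, raw_body: bytes, headers: dict, supported_version: str = "1"):
    """Reject anything unsigned or tampered before touching the body."""
    if not verify_signature(secret, raw_body, headers):
        return None
    return parse_webhook(raw_body, supported_version)


# Constructed sample input: secret, body and header are made up for this example.
SAMPLE_SECRET = "example-signature-secret"
SAMPLE_BODY = b'{"version":"1","event":"invoice.created","data":{"id":"INV-000123","total":42.5,"newAttr":true}}'
SAMPLE_HEADERS = {SIGNATURE_HEADER: compute_signature(SAMPLE_SECRET, SAMPLE_BODY)}
TAMPERED_BODY = SAMPLE_BODY.replace(b"42.5", b"4200.5")  # altered in transit
```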
