Bunker is SOC 2 Type II certified
SOC 2 is a security framework developed by AICPA that specifies how organizations should protect customer data from unauthorized access, security incidents, and other vulnerabilities.
AICPA is the American Institute of Certified Public Accountants. It developed SOC 2 around five Trust Services Criteria: security, availability, processing integrity, confidentiality, and privacy. Learn more here: https://secureframe.com/hub/soc-2/what-is-soc-2
The certification also requires strict security controls that every employee on our team must follow, such as two-factor authentication across all of our internal data and engineering infrastructure.
Bunker’s cloud computing service provider is Amazon Web Services (AWS)
AWS is the cloud provider of choice for over 90% of Fortune 100 and most Fortune 500 companies, including Netflix, General Electric, Bristol-Myers Squibb, Capital One, and more.
“At AWS, security is our top priority. AWS is architected to be the most secure global cloud infrastructure […] This is backed by the trust of our millions of customers, including the most security sensitive organizations like government, healthcare, and financial services.”
Learn more here: https://aws.amazon.com/security/
To connect to Bunker, you provide standard personal details such as name and email address in a sign-up form on the website, and then log in to your accounting system (QuickBooks Online, NetSuite, or Xero) so that Bunker can connect and sync data.
Bunker does not store your accounting system login information. Our access to your accounting system is purely programmatic and through highly regulated guidelines as stipulated by the accounting systems themselves. It is only used to authorize and establish a connection between Bunker and your accounting system.
This is similar to how you’re able to log into certain applications by using your Gmail account – those apps do not store your Gmail login credentials, nor have access to your email.
Bunker will not be able to access your accounting system environment the way a user of your accounting system would. Note the earlier example regarding using a Gmail login to access an application.
Bunker’s access to your accounting system is done through a programmatic handshake (OAuth-based API access). This is an industry-standard practice for systems to integrate with one another safely and securely, and it is built by the accounting systems themselves to allow third-party software like Bunker to provide value-added services or products.
Bunker will only have access to the data it pulls through the connection to populate your dashboards.
Bunker does not get admin access to your accounting software.
No. Data only flows one way: from your accounting system into Bunker. We ensure that there is not a need to have to audit whether your numbers are a function of your accounting, or Bunker – they will always be a function of your accounting.
No. Bunker automatically connects to your accounting system once you log in and connect, pulls through the accounting data showcased in the dashboards (general ledger, invoices & bills, chart of accounts), and then automatically syncs the data on a daily (or more frequent) basis, to ensure that your data in Bunker is accurate and up to date. Bunker also automatically syncs your Chart of Accounts, meaning that when general ledger accounts are created, deleted, or moved across groups – these changes are reflected in Bunker as well.
Bunker connects to your accounting system via an API, and this API is also SOC 2 Type II certified.
An API, or Application Programming Interface, is like a bridge, as well as a set of rules, that allows different software systems to communicate with each other.
Think of our app like a visit to a large library. You, as the user, are like a researcher who wants to find information about a specific topic. You approach the library’s reference desk (our app) and ask the librarian (the API itself) for the information you need. The librarian doesn’t write anything new or change the library’s collection; instead, they help you locate exactly what you need by quickly looking through a catalogue of books and pointing you to the right sections. The data is fetched and shown to you, without being modified in any way.
The API is SOC 2 certified, and leverages multiple layers of security to ensure data is safe. For example:
Authentication and Authorization: Before our API can access or share any data, it requires authentication—this means the system or user trying to access the data has to prove they’re allowed to do so. APIs also use authorization to ensure that only the right people or systems can access specific information. Think of it like giving someone a key that only opens certain doors.
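To make the OAuth handshake and the scoped-access point concrete, here is an added example, not Bunker’s code and not any accounting platform’s real API: a self-contained Python simulation of an OAuth 2.0 authorization-code flow. The user names, client id, client secret, scope names and ledger lines are all constructed. It shows the three properties the text describes: the user’s password is entered only at the accounting system’s authorization server and never reaches the third-party client; the client receives a token limited to a read-only scope, so a write attempt is refused; and the one-time authorization code cannot be replayed.

```python
"""Simulation of an OAuth 2.0 authorization-code flow with a read-only scope.
Added example with constructed names; not Bunker's code or a real vendor API."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed sample data: one user of the accounting system and one registered client app.
USERS = {"alice@example.com": hashlib.sha256(b"correct horse").hexdigest()}
CLIENTS = {"bunker-demo": "client-secret-demo"}  # hypothetical client registration


@dataclass
class AuthorizationServer:
    """Stands in for the accounting system's own OAuth server."""
    codes: dict = field(default_factory=dict)   # code  -> (user, client_id, scope)
    tokens: dict = field(default_factory=dict)  # token -> (user, scope)

    def authorize(self, user, password, client_id, scope):
        # The password is checked HERE, by the accounting system; the client never sees it.
        if hashlib.sha256(password.encode()).hexdigest() != USERS.get(user):
            raise PermissionError("bad credentials")
        if client_id not in CLIENTS:
            raise PermissionError("unknown client")
        code = secrets.token_urlsafe(16)          # short-lived, single-use
        self.codes[code] = (user, client_id, scope)
        return code

    def token(self, code, client_id, client_secret):
        # pop() makes the code single-use: a replay finds nothing.
        user, code_client, scope = self.codes.pop(code, (None, None, None))
        if user is None or code_client != client_id:
            raise PermissionError("invalid or reused code")
        if not hmac.compare_digest(CLIENTS[client_id], client_secret):
            raise PermissionError("bad client secret")
        tok = secrets.token_urlsafe(24)
        self.tokens[tok] = (user, scope)
        return tok


@dataclass
class ResourceServer:
    """Stands in for the accounting data API; enforces the granted scope on every call."""
    auth: AuthorizationServer
    ledger: list = field(default_factory=lambda: ["INV-1 100.00", "INV-2 250.00"])

    def _require(self, token, needed):
        user, scope = self.auth.tokens.get(token, (None, ""))
        if user is None or needed not in scope.split():
            raise PermissionError(f"scope {needed!r} not granted")
        return user

    def read_invoices(self, token):
        self._require(token, "accounting.read")
        return list(self.ledger)

    def create_invoice(self, token, line):
        self._require(token, "accounting.write")
        self.ledger.append(line)


class Client:
    """The third-party app. It holds only its own secret and the issued token."""
    def __init__(self, client_id, client_secret):
        self.client_id, self.client_secret = client_id, client_secret
        self.access_token = None

    def connect(self, auth, code):
        self.access_token = auth.token(code, self.client_id, self.client_secret)


def demo_flow():
    """Runs the handshake end to end and reports what the client could and could not do."""
    auth = AuthorizationServer()
    api = ResourceServer(auth)
    client = Client("bunker-demo", "client-secret-demo")
    # 1. User authenticates with the accounting system and consents to a read-only scope.
    code = auth.authorize("alice@example.com", "correct horse", "bunker-demo", "accounting.read")
    # 2. Client exchanges the one-time code (plus its own secret) for a scoped token.
    client.connect(auth, code)
    # 3. Client reads data; a write attempt is refused because the scope does not allow it.
    invoices = api.read_invoices(client.access_token)
    try:
        api.create_invoice(client.access_token, "INV-3 1.00")
        write_allowed = True
    except PermissionError:
        write_allowed = False
    # 4. Replaying the already-consumed code fails.
    try:
        auth.token(code, "bunker-demo", "client-secret-demo")
        replay_allowed = True
    except PermissionError:
        replay_allowed = False
    return {"invoices": invoices, "ledger_after": list(api.ledger),
            "write_allowed": write_allowed, "replay_allowed": replay_allowed}


if __name__ == "__main__":
    print(demo_flow())
```

Note that the `Client` class has no field for the user’s password at all: the only secrets it holds are its own client secret and the access token the authorization server issued, which is the separation the Gmail-login comparison above is describing. Real deployments add token expiry and refresh, PKCE and TLS on top of this skeleton.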
Encryption: Your data is encrypted at rest (storage) and in transit (network) from the API to your dashboards, meaning that no one else can read your data. It’s like sending a secret message in a language only a specific system with the correct key understands.
Secure Protocols: Like our website and application, our API uses an HTTPS security protocol. This is the same technology used in online banking and e-commerce transactions to keep information safe.
Our Privacy Policy, Terms of Use, and Data Protection information are all available on our website through this link, and are governed by the aforementioned SOC 2 certification.