PRIVACY POLICY
We do not disclose client non-public information to anyone, except as instructed to do so by clients in the normal course of our work, as agreed in our engagement agreement and work plan, or as required by law. Our engagement agreement lists examples of the type of public information we may share in the normal course of our work. We restrict access to stored non-public client information within our firm to those professionals for whom access is necessary to complete the work as agreed. We maintain specific physical, electronic, and procedural safeguards to guard your non-public information. If we receive a request for information from a third party, we forward that request to you for instruction. You have the option of referring the request to your attorney who may engage us directly. In that case we would follow your attorney’s instruction.
SECURITY
General communication security standards – You control the level of communication security standards based on the choices you make as explained in the first paragraph on “Communications” in our engagement agreement. We assume the highest level of security unless you indicate a preference otherwise. For example, we would normally use a secure document portal to share information unless you ask us to send it through email.
Custody of funds – If we may take physical possession of client funds or have custody of client financial accounts. That means that we have the authority to sign checks or make withdrawals. In some cases, we can authorize electronic payments under pre-negotiated written accounting services arrangements. If we act in joint roles, for example as Treasurer, Board member or Officer in addition to a role as an accountant/adviser, then the specific additional authority of that role would be disclosed in a separate written agreement.
Paper documents – We prefer not to take physical possession of original documents or physical documents that contain personal information. A PDF file or clear cell phone photo is always a better option. If we do take possession of a paper document, we will issue a receipt, usually through email, and arrangements for its handling and return are made in writing on an individual case-by-case basis. Private client data, passwords and account access details for client files are not stored on any of my local physical devices so that loss of a cell phone or computer, for example, does not pose a security threat.
Transfer of Private Data through secure portal– Online document transfer and storage is handled by a US-domiciled Internet security service called Verifyl. Clients’ files are protected by tough industry-standard security measures based on a secure 256-bit SSL encryption during transmission and files are encrypted at rest on the private US-based server. At all times, clients can view and access only their own documents. We also endorse the use of secure messaging and encrypted email as needed and on request.
Other cloud-hosted electronic data (handled by Adobe, Apple, CFS, Drake, Google and Microsoft) – PDF document scanning and security is provided by Adobe Document Cloud. Security for most of my work and client information is provided by Microsoft’s cloud-based storage platform incorporated into Microsoft Office 365. In other words, I am as secure (no more and no less) as any of the many similar professional businesses that operate on a Microsoft Office 365 platform. Microsoft publishes much more information about security on its web site. Email is handled through Microsoft or Google services. Tax processing data used by CFS Software and Drake Software is held on a single secure PC device.
Backups of Cloud-hosted data – We maintain “reverse backups” of cloud-hosted Private Data on physical hard drives that are maintained in multiple secure areas. This means that we periodically copy OneDrive and Google Drive to a hard drive kept in a safe.
Private Data on Physical Devices – Except for specific industry programs, CFS and Drake tax software, and as described in Backups section above, no Private Data is contained on our physical devices. We use encrypted hard drives on local machines, biological or other two factor authentication for each device that contains data.
Passwords and account access details – We use an industry-leading third-party password security company for separate offsite management of passwords and online account log in details. Unique randomly generated strong passwords are used for each web site and client account. These passwords are not stored on any of my devices. The master account password is not recorded anywhere.
PCI DSS – We often handle clients’ private bank card information in the normal course of our work. We maintain compliance with Payment Card Industry Data Security Standards, reviewed annually.
If you have questions or concerns about privacy, please contact Tony Novak at (856) 237-9199.