ComplianceLive

Security & Access (2FA, RBAC, API keys)

Enterprise-grade security for a startup-grade subscription.

Two-factor authentication (TOTP), role-based access control, API keys with rotation, audit log per access, MFA enforcement, session management, secure password reset, encrypted at rest, RLS at the database.

In short

AccountsOS security includes: two-factor authentication (TOTP), role-based access control per trading entity, API keys with rotation and revocation, full audit log per access, MFA enforcement option, session management, encrypted-at-rest data, and database-level row-level security (RLS) so cross-entity data leakage is impossible.

  • 2FA: TOTP
  • RLS: DB-level
  • API key: Rotation
Try Security & Access (2FA, RBAC, API keys) Free

Free for 14 days — no credit card required

Everything Security & Access (2FA, RBAC, API keys) can do

Authentication

  • Two-factor (TOTP) toggle
  • MFA enforcement option
  • Strong password policy
  • Secure password reset
  • Session management

Authorisation

  • Role-based access per trading entity
  • Team member invites with scoped roles
  • Audit log per access
  • Authorised email forwarder allowlist

API & MCP

  • API keys with rotation
  • Per-key audit log
  • Read-only MCP mode option
  • Rate limits per key

Data protection

  • Encrypted at rest
  • RLS at the database (no cross-entity leakage)
  • HMRC-compliant 6+ year retention
  • Account deletion with proper cascade

Cross-account tenant isolation

Your data is yours. The fixes that closed the cross-account holes shipped in May 2026.

  • Every table tenant-scoped via Postgres RLS
  • Cross-account tenant-isolation hardening migration (May 2026)
  • user_can_access_company() Postgres function on every query path
  • Junk-counterparty filter applied to Finn and MCP — no cross-tenant leakage
  • Bank-import counterparties prevented from polluting contact list
  • RLS infinite-recursion fixes on signup path

AAL2 MFA enforcement

Your dashboard requires step-up auth at the middleware level.

  • TOTP via any authenticator app (Authy, 1Password, Google Authenticator, …)
  • AAL2 enforcement in middleware — every dashboard request checks step-up
  • Per-session AAL state, not just per-login
  • Recovery code flow with one-time codes

Clean shutdown

If you ever want to leave, your data leaves cleanly with you.

  • Delete an individual company / trading entity with full cascade cleanup
  • Delete your whole account — every linked record removed in 30 days
  • Audit log preserved for the regulatory retention window only, then purged

Capabilities at a glance

  • Two-factor authentication (TOTP)
  • MFA enforcement option
  • Role-based access control
  • API key rotation + per-key audit
  • Read-only MCP mode
  • Authorised forwarder allowlist
  • Encrypted at rest
  • Row-level security per trading entity
  • Account deletion cascade (true delete)
  • Cross-account tenant-isolation hardening (May 2026)
  • AAL2 MFA enforcement at middleware
  • Company-level delete with cascading cleanup
  • Content-hash document dedup as a security primitive
  • Junk-counterparty filter on Finn + MCP

How It Works

1. Enable 2FA
   Settings → Security → Enable 2FA. Scan the QR code with your authenticator app.

2. Invite team
   Per-entity invites with scoped roles.

3. Manage API keys
   Settings → API Keys → create, rotate, revoke.

4. Audit
   Settings → Audit Log — every access and change.

Real-world Use Cases

Multi-director security

Both directors are required to use 2FA. Roles are scoped per entity.

Read-only MCP for Claude Desktop

Generate a read-only API key for AI assistants — they can read but never write.

Departing team member

Revoke their access in one click. Audit log shows what they did before leaving.

Why founders pick this over the spreadsheet

  • Enterprise security defaults
  • RLS means an accidental query can't leak data between entities
  • API keys are scoped and revocable
  • Audit log makes review trivial

Frequently Asked Questions

Can I enforce 2FA for my team?

Yes — the MFA enforcement option in Security settings makes 2FA mandatory for every member.

How does row-level security work?

At the database level (Postgres RLS): every query is scoped to the active trading entity, so a user cannot read another entity's data even via SQL injection or an accidental query.
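The pattern behind this answer and behind the tenant-isolation section above (every table guarded by Postgres RLS, one user_can_access_company() function on every query path, and the RLS infinite-recursion pitfall), shown as an added example that is not ComplianceLive's or AccountsOS's own schema. It assumes the application sets a session variable app.current_user_id on each connection and connects as a non-owner role app_user; those names, the three tables and the sample rows are all constructed for the illustration.

```sql
-- Added example, not the AccountsOS schema. Assumptions: the application
-- layer sets the session variable app.current_user_id (a uuid) on every
-- connection before running queries, and connects as the non-owner role
-- app_user. Table, column and role names are hypothetical.

create table companies (
  id   uuid primary key,
  name text not null
);

create table company_members (
  company_id uuid not null references companies(id) on delete cascade,
  user_id    uuid not null,
  role       text not null check (role in ('owner', 'accountant', 'viewer')),
  primary key (company_id, user_id)
);

create table transactions (
  id         uuid primary key,
  company_id uuid not null references companies(id) on delete cascade,
  amount     numeric(12, 2) not null,
  memo       text
);

-- Constructed sample data: two trading entities with one member each,
-- inserted before RLS is switched on.
insert into companies values
  ('11111111-1111-1111-1111-111111111111', 'Alpha Ltd'),
  ('22222222-2222-2222-2222-222222222222', 'Beta Ltd');
insert into company_members values
  ('11111111-1111-1111-1111-111111111111', 'aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa', 'owner'),
  ('22222222-2222-2222-2222-222222222222', 'bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb', 'owner');
insert into transactions values
  ('31111111-1111-1111-1111-111111111111', '11111111-1111-1111-1111-111111111111', 120.00, 'Alpha invoice'),
  ('32222222-2222-2222-2222-222222222222', '22222222-2222-2222-2222-222222222222',  80.00, 'Beta invoice');

-- The membership check lives in one SECURITY DEFINER function. It runs as the
-- table owner, who is exempt from RLS because the tables are ENABLEd rather
-- than FORCEd, so it can read company_members without re-entering that table's
-- own policy. A policy that selects from an RLS-guarded table directly is what
-- produces "infinite recursion detected in policy for relation".
create or replace function user_can_access_company(p_company_id uuid)
returns boolean
language sql
stable
security definer
set search_path = public
as $$
  select exists (
    select 1
    from company_members m
    where m.company_id = p_company_id
      and m.user_id = nullif(current_setting('app.current_user_id', true), '')::uuid
  );
$$;

alter table companies       enable row level security;
alter table company_members enable row level security;
alter table transactions    enable row level security;

-- One policy per table, all funnelled through the same function. WITH CHECK
-- also blocks inserting or updating a row tagged with another entity's id.
create policy companies_tenant_isolation on companies
  for all using (user_can_access_company(id))
          with check (user_can_access_company(id));
create policy members_tenant_isolation on company_members
  for all using (user_can_access_company(company_id))
          with check (user_can_access_company(company_id));
create policy transactions_tenant_isolation on transactions
  for all using (user_can_access_company(company_id))
          with check (user_can_access_company(company_id));

-- The application role: ordinary table privileges, no ownership, no BYPASSRLS.
create role app_user nologin;
grant select, insert, update, delete on companies, company_members, transactions to app_user;
grant execute on function user_can_access_company(uuid) to app_user;

-- Simulate a request from Alpha Ltd's user. Only Alpha's company and
-- transaction come back; the final insert, which tries to file a transaction
-- under Beta's id, is rejected by the WITH CHECK clause with an RLS error.
set role app_user;
set app.current_user_id = 'aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa';
select name from companies;
select memo, amount from transactions;
insert into transactions values
  ('33333333-3333-3333-3333-333333333333', '22222222-2222-2222-2222-222222222222', 5.00, 'smuggled');
reset role;
```

Two caveats matter when checking a deployment like this. First, RLS only applies to roles that are subject to it: superusers, roles with BYPASSRLS, and (without FORCE) the table owner all see every row, so the application must never connect as any of those. Second, the identity the policies trust here (app.current_user_id) is only as strong as the layer that sets it; in practice it must be derived from the authenticated session on the server side and never be settable by the client running the query. Both points are why the page's "RLS at the database" guarantee is checked at the connection role and session-binding level, not only at the policy text.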

Are API keys scoped?

Yes — per-user, per-purpose, with rotation and revocation. Read-only mode is available for AI/MCP keys.

Encrypted at rest?

Yes — managed Postgres with encryption at rest by the provider, plus encrypted backups.

What happens when I delete my account?

True cascade delete — all your trading entities, transactions, documents, settings and team invites are removed. We retain only what HMRC retention requires.

Ready to try Security & Access (2FA, RBAC, API keys)?

Get started with AI-powered accounting for your UK limited company.

Get Started Free

Free for 14 days — no credit card — cancel anytime