Kruze Consulting is dedicated to keeping our clients’ finances and accounting data safe and secure.
Kruze understands that no security program can eliminate all risk, but we are committed to protecting our clients’ data through strong security and privacy practices. Kruze uses established industry best practices to safeguard client data and works with independent experts to assess its security, privacy, and compliance controls. Kruze Consulting has achieved a SOC 2 Type II report.
Kruze maintains an actively managed security program aligned with current industry standards and best practices. In addition to maintaining SOC 2 attestation, we conduct background checks on all new staff, require annual third-party security training for all employees, and engage a third-party security provider to monitor employee devices for vulnerabilities and configuration issues. Designated personnel are responsible for overseeing Kruze’s information security program.
We work with an independent auditor to maintain our SOC 2 Type II report, which evaluates the design and operating effectiveness of our controls for the security, confidentiality, and privacy of our customers’ data.
Developed by the Assurance Services Executive Committee (ASEC) of the AICPA, the Trust Services Criteria are the set of control criteria used to evaluate the suitability of the design and operating effectiveness of controls relevant to the security, availability, or processing integrity of information and systems, or the confidentiality or privacy of the information processed by the systems at an entity, a division, or an operating unit of an entity.
A SOC 2 Type II report reflects the operating effectiveness of our security controls over a defined period, providing our enterprise and venture-backed clients with strong, independent assurance.
Kruze Consulting continuously monitors more than 100 security controls across the organization. Automated alerts and evidence collection support ongoing compliance efforts and provide continuous visibility into our security posture.
Security is a company-wide endeavor. All employees complete annual security training delivered by a third-party provider and follow best practices when handling customer data.
Kruze Consulting works with industry-leading security firms to perform annual network and application-layer penetration tests.
Kruze Consulting uses a variety of manual and automated security and vulnerability checks throughout the software development lifecycle.
Data is encrypted both in transit and at rest.
Kruze does not host client data on its own infrastructure. Client financial and accounting data is maintained within established third-party platforms that maintain their own independent security attestations, which apply in addition to Kruze’s own substantial security protocols described on this page.
Access to client data is governed by the principle of least privilege. Kruze enforces multi-factor authentication across its systems and utilizes single sign-on (SSO) for primary enterprise applications, granting access on a need-to-know basis. Access rights are reviewed regularly to ensure alignment with role requirements.
Kruze maintains documented business continuity and disaster recovery plans designed to support resilience and minimize service disruptions. These plans are reviewed and updated annually to reflect operational changes.
Kruze maintains a documented incident response framework with defined roles, escalation procedures, and remediation protocols to support a prompt and coordinated response to security events.
Every Kruze Consulting staff member goes through a screening process that includes multiple interviews and a comprehensive background check.
If you believe you’ve discovered a security issue in a Kruze Consulting service, please contact us at [email protected]. Our security team promptly investigates all reported issues.
No security program can eliminate all risk. While Kruze maintains the safeguards described on this page, the specific terms governing security, data handling, service levels, liability, and warranties are set out in the Master Services Agreement (MSA) entered into with each client. Use of this website is governed by our Terms of Use and Privacy Policy.