Security Policy

At Uku, security is a core value — not an afterthought. All data transmitted between your browser and Uku is protected with industry-standard encryption. We host on enterprise-grade cloud infrastructure in the European Union, and we continuously monitor, audit, and improve our security posture.


Physical Servers Security

Uku's production infrastructure is hosted on Akamai Cloud Computing (formerly Linode) in Frankfurt, Germany — within the European Union.

Our hosting provider maintains the following certifications and compliance standards:

  • SOC 2 Type II — AICPA Service Organization Control report against the Trust Services Criteria
  • ISO/IEC 27001:2013 — Information Security Management System (this edition has since been superseded by ISO/IEC 27001:2022)
  • PCI DSS — Payment Card Industry Data Security Standard
  • EU-US Privacy Shield — transatlantic data transfer framework (invalidated by the Court of Justice of the EU in July 2020, so it no longer provides a lawful basis for EU-US transfers)
  • GDPR — General Data Protection Regulation compliance

Engagement of Other Data Processors

All third-party data processors are engaged under strict data processing agreements. Authentication and access controls ensure that the data controller maintains full control over personal data at all times.

We evaluate every sub-processor for security posture, compliance certifications, and data handling practices before engagement. A complete list of sub-processors is available upon request.

Data Security & Encryption

All data in transit is encrypted using TLS 1.3; the server certificate is signed with SHA-256 with RSA (sha256WithRSAEncryption). This ensures that every connection between your browser and Uku's servers is encrypted and that the browser has authenticated the server it is talking to.

User passwords are stored as salted SHA-512 hashes, with a unique random salt per account. Passwords are never stored in plaintext and cannot be recovered, only reset. One caveat a reviewer will raise: SHA-512 is a fast general-purpose hash, so a single salted pass defeats precomputed tables but does little to slow offline guessing on GPU hardware. Current guidance (OWASP, NIST SP 800-63B) is a deliberately slow, iterated password hash such as PBKDF2, bcrypt, scrypt or Argon2id.
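As an added example (not Uku's code), the following shows the single salted SHA-512 scheme the page describes next to a PBKDF2-HMAC-SHA512 scheme with a self-describing record format, constant-time verification and a rehash check for raising the cost later. The iteration count is an illustrative policy value, not a figure from the page, and the benchmark at the end only compares guess rates on the machine it runs on.

```python
import base64
import hashlib
import hmac
import os
import time

# Scheme the page describes: one pass of SHA-512 over salt || password.
# Fast by design, so anyone holding the table can test guesses at GPU
# speed; shown here only for comparison.
def sha512_salted(password: str, salt: bytes) -> bytes:
    return hashlib.sha512(salt + password.encode("utf-8")).digest()

# Hardened scheme: PBKDF2-HMAC-SHA512 with a tunable iteration count
# (assumed policy value; raise it as hardware gets faster).
PBKDF2_ITERATIONS = 600_000

def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return a self-describing record: scheme$iterations$salt$digest."""
    salt = os.urandom(16)                       # unique per account
    dk = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt,
                             iterations, dklen=64)
    return "pbkdf2_sha512$%d$%s$%s" % (
        iterations,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(dk).decode("ascii"),
    )

def verify_password(password: str, stored: str) -> bool:
    """Constant-time comparison; False for any malformed record."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha512":
        return False
    try:
        iterations = int(parts[1])
        salt = base64.b64decode(parts[2])
        expected = base64.b64decode(parts[3])
    except (ValueError, TypeError):
        return False
    candidate = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt,
                                    iterations, dklen=len(expected))
    return hmac.compare_digest(candidate, expected)

def needs_rehash(stored: str, iterations: int = PBKDF2_ITERATIONS) -> bool:
    """True if the record predates the current cost policy. Call it right
    after a successful login, while the plaintext is in hand, and re-store."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha512":
        return True
    try:
        return int(parts[1]) < iterations
    except ValueError:
        return True

def guess_rate(iterations: int = 50_000, guesses: int = 20):
    """Guesses per second for each scheme on this machine (constructed
    single-core benchmark; returns (salted_sha512_rate, pbkdf2_rate))."""
    salt = os.urandom(16)
    t0 = time.perf_counter()
    for i in range(guesses):
        sha512_salted("guess%d" % i, salt)
    fast = guesses / max(time.perf_counter() - t0, 1e-9)
    t0 = time.perf_counter()
    for i in range(guesses):
        hashlib.pbkdf2_hmac("sha512", b"guess%d" % i, salt, iterations)
    slow = guesses / max(time.perf_counter() - t0, 1e-9)
    return fast, slow

if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print(verify_password("correct horse battery staple", record))
    fast, slow = guess_rate()
    print("salted SHA-512: %.0f guesses/s, PBKDF2: %.0f guesses/s" % (fast, slow))
```

The record carries its own scheme and cost, so a later move to a higher iteration count (or to scrypt or Argon2id via `hashlib.scrypt` or a library) can happen account by account at login rather than by forcing a password reset.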

Our application implements protection against common attack vectors including cross-site scripting (XSS), SQL injection, and cross-site request forgery (CSRF). All user inputs are sanitized and validated on both client and server sides; the server-side checks are the security control, because client-side validation runs in the user's browser and can be bypassed. Input validation on its own does not close these three classes: the specific controls are parameterized queries for SQL injection, context-aware output encoding for XSS and unguessable per-session tokens for CSRF.
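The three controls side by side, as an added example that is not Uku's code: a string-built query that an injected input turns into a different statement, the parameterized form that does not, HTML output encoding for an untrusted name, and a CSRF token compared in constant time. The table and the attacker input are constructed for the example.

```python
import hmac
import html
import secrets
import sqlite3

def make_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for an accounts database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, role TEXT)")
    conn.executemany("INSERT INTO users (email, role) VALUES (?, ?)",
                     [("alice@example.com", "partner"), ("bob@example.com", "staff")])
    conn.commit()
    return conn

def find_user_vulnerable(conn, email: str) -> list:
    # The input is spliced into the SQL text, so a quote in it ends the
    # string literal and the rest is parsed as SQL.
    sql = "SELECT email, role FROM users WHERE email = '%s'" % email
    return conn.execute(sql).fetchall()

def find_user_safe(conn, email: str) -> list:
    # Parameter binding: the value travels separately from the statement and
    # cannot change its structure, whatever characters it contains.
    return conn.execute("SELECT email, role FROM users WHERE email = ?",
                        (email,)).fetchall()

# Constructed attacker input: closes the quote, ORs in an always-true clause.
INJECTION = "nobody@example.com' OR '1'='1"

def render_client_name(name: str) -> str:
    """XSS defence is encoding for the output context (here an HTML text
    node inside a double-quoted attribute context-safe element), applied at
    the point the untrusted value enters the page, not input stripping."""
    return '<span class="client">%s</span>' % html.escape(name, quote=True)

def issue_csrf_token() -> str:
    """Unguessable per-session token: keep it server-side and embed it in
    every state-changing form."""
    return secrets.token_urlsafe(32)

def csrf_token_valid(session_token: str, submitted: str) -> bool:
    """Constant-time compare; both sides encoded so a non-ASCII submission
    cannot raise instead of failing closed."""
    if not session_token or not submitted:
        return False
    return hmac.compare_digest(session_token.encode("utf-8"),
                               submitted.encode("utf-8"))

if __name__ == "__main__":
    conn = make_db()
    print("vulnerable:", find_user_vulnerable(conn, INJECTION))   # every row
    print("safe:      ", find_user_safe(conn, INJECTION))         # no row
    print(render_client_name("<script>alert(1)</script>"))
```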

Application Security

Uku's servers are protected by a UFW host firewall with a default-deny inbound policy. Only explicitly required ports and services are exposed. SSH access is restricted to authorized personnel and uses key-based authentication only, with password logins disabled.
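A check a practitioner would run against those two claims, added here as an example and not taken from Uku's tooling: an audit of an `sshd_config` for key-only login (honouring sshd's first-value-wins rule and stopping at the first `Match` block, whose settings are conditional) and of `ufw status verbose` output for an active default-deny policy with no inbound rule outside an approved set. The config and status samples are constructed; the approved port list is an assumption.

```python
# Effective sshd defaults for the keywords checked (OpenSSH 7.0 and later).
SSHD_DEFAULTS = {
    "passwordauthentication": "yes",
    "kbdinteractiveauthentication": "yes",
    "pubkeyauthentication": "yes",
    "permitrootlogin": "prohibit-password",
}

# What "key-based authentication only" must look like in sshd_config.
SSHD_POLICY = {
    "passwordauthentication": "no",
    "kbdinteractiveauthentication": "no",   # otherwise PAM can still prompt for a password
    "pubkeyauthentication": "yes",
    "permitrootlogin": "no",
}

def parse_sshd_config(text: str) -> dict:
    """Global-scope keyword values. sshd uses the FIRST value it sees for a
    keyword, and everything after a Match line is conditional, so stop there."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.replace("=", " ", 1).split(None, 1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            break
        if key == "challengeresponseauthentication":   # deprecated alias
            key = "kbdinteractiveauthentication"
        cfg.setdefault(key, value)
    return cfg

def audit_sshd(text: str) -> list:
    """Findings where the effective value (explicit or default) breaks policy."""
    effective = dict(SSHD_DEFAULTS)
    effective.update(parse_sshd_config(text))
    return ["%s is %r, policy requires %r" % (k, effective[k], want)
            for k, want in SSHD_POLICY.items() if effective[k].lower() != want]

def audit_ufw(status_text: str, approved_ports) -> list:
    """Check `ufw status verbose` output: active, inbound default deny, and
    every ALLOW IN rule within the approved set."""
    findings = []
    lines = status_text.splitlines()
    if not any(l.strip() == "Status: active" for l in lines):
        findings.append("ufw is not active")
    if not any(l.startswith("Default:") and "deny (incoming)" in l for l in lines):
        findings.append("inbound default policy is not deny")
    for l in lines:
        if "ALLOW IN" in l:
            port = l.split()[0]            # "22/tcp", "443/tcp (v6)" -> "443/tcp"
            if port not in approved_ports:
                findings.append("unexpected inbound rule: " + port)
    return findings

# Constructed samples.
WEAK_SSHD = """\
# password logins still possible
PermitRootLogin yes
PasswordAuthentication yes
"""

HARDENED_SSHD = """\
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
PasswordAuthentication yes      # ignored: sshd keeps the first value
Match User backup
    AllowTcpForwarding no       # conditional; outside global scope
"""

UFW_STATUS = """\
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW IN    203.0.113.0/24
443/tcp                    ALLOW IN    Anywhere
3306/tcp                   ALLOW IN    Anywhere
"""

APPROVED_PORTS = {"22/tcp", "443/tcp"}   # assumed exposure policy

if __name__ == "__main__":
    print(audit_sshd(WEAK_SSHD))
    print(audit_sshd(HARDENED_SSHD))
    print(audit_ufw(UFW_STATUS, APPROVED_PORTS))
```

Run it against the real files with `audit_sshd(open("/etc/ssh/sshd_config").read())` and the captured output of `sudo ufw status verbose`; a `Match` block that re-enables `PasswordAuthentication` for some users is outside what this parser reports, so review any `Match` sections by hand.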

We maintain strict separation between staging and production environments. Sensitive configuration data is encrypted with a hybrid scheme: the data itself is encrypted with AES-256, and the AES key is wrapped with 2048-bit RSA so that only holders of the corresponding private key can unwrap it.

All deployments follow a code review process with automated security scanning before reaching production.

Product Security Options

Uku provides several configurable security options for your firm:

  • Multi-factor authentication (MFA) — supported via Google Authenticator and Microsoft Authenticator (time-based one-time password apps) and via Azure Active Directory (now Microsoft Entra ID)
  • Invitation-only access — new members can only join your organization through explicit invitation
  • Single authentication requirement — optionally enforce a single authentication method for all team members
  • Role-based access control — granular permissions for different team roles

Availability & Continuity

Uku is designed for high availability with 24/7 monitoring and automated alerting. Our team responds to critical incidents around the clock to minimize any disruption to your firm.

We maintain a comprehensive business continuity plan and disaster recovery procedures. Regular vulnerability assessments are conducted to identify and address potential risks before they impact service availability.

Reliability & Backups

Uku performs automated daily backups of all customer data. Backups are stored in geographically separate locations from the primary infrastructure to ensure resilience against regional outages.

Our recovery targets:

  • Recovery Time Objective (RTO): Under 8 hours during business hours
  • Recovery Point Objective (RPO): Under 4 hours during business hours (an RPO this short implies backup points at least every four hours in that window, more frequent than the daily backup on its own, which would give an RPO of up to 24 hours)

Backup integrity is verified regularly, and restoration procedures are tested to ensure data can be recovered when needed.

Security Audits

Uku undergoes independent security audits based on the OWASP Application Security Verification Standard (ASVS) 2.0. ASVS 2.0 dates from 2014 and has since been superseded by the 4.x and 5.0 releases, so customers relying on the audit should confirm which edition it was assessed against. These audits cover the full application stack including authentication, session management, access control, and data protection.

Our development lifecycle integrates security at every stage — from code review and static analysis to dynamic testing before deployment. We also conduct regular penetration testing through qualified third-party security firms.

Credit Card Security

Uku does not store credit card information on its servers. All payment processing is handled by Braintree (a PayPal service), which is PCI DSS Level 1 certified — the highest level of payment security certification.

Credit card data is tokenized at the point of entry and never touches Uku's infrastructure.

Privacy Principles

Uku is fully compliant with the General Data Protection Regulation (GDPR). We uphold the following principles:

  • Data minimization — we collect only the data necessary to provide the service
  • Right to access — you can request a copy of all your data at any time
  • Right to erasure — you can request complete deletion of your account and data
  • Data portability — you can export your data in standard formats
  • Deletion policy — when you delete your account, all associated data is permanently removed within 30 days

Questions?

If you have questions about our security practices or need additional documentation for your compliance requirements, please reach out to our team at support@getuku.com.

For our SOC 2 compliance report and additional trust documentation, visit our SOC 2 page.
