Briefcase Infosec
Last updated: May 8, 2026
Security and data protection are foundational to Briefcase. We work closely with leading UK accounting firms to safely deploy AI across their organisations and we apply enterprise-grade controls to protect all customer data.
🔒 ISO/IEC 27001:2022 Certified
Briefcase Tech Ltd is independently certified to ISO/IEC 27001:2022, the leading international standard for information security management.
Certificate number: IS-IA-2026-05-05-01
Certifying body: Insight Assurance, LLC (IAS-accredited, MSCB-306)
Issued: 5 May 2026 · Valid until: 4 May 2029 · Next surveillance: 4 May 2027
Scope: The Information Security Management System (ISMS) supporting the design, development, deployment, operation, and support of the Briefcase AI-native SaaS platform.
A copy of our certificate is provided at the bottom of this page. Supporting documentation is available on request — email support@briefcase.so.
Summary:
Briefcase Tech Ltd is independently certified to ISO/IEC 27001:2022, the leading international standard for information security management.
Briefcase is fully UK and EU GDPR-compliant and hosts all data exclusively on European servers (AWS in Ireland), which are ISO 27001 and SOC 2 compliant.
AI models are used under strict zero data retention agreements with no logging, storage or model training on customer data.
Customer data is secured by MFA, logically segregated and never shared between accounts or sold to third parties.
GDPR Compliance
Briefcase acts as a Data Processor on behalf of our customers, who are the Data Controllers under UK GDPR. This means customers determine the purposes and means of processing personal and financial data, and Briefcase processes that data solely on their instructions.
We support all UK GDPR rights and obligations, including access, rectification, deletion and breach notification within required timelines.
Data Policy & Retention
As long as you have an active Briefcase subscription, we will hold your and your clients' data, including all copies of invoices and receipts, on the Briefcase platform indefinitely.
If you cancel your subscription, we may permanently delete all data after 30 days unless legally required to retain it.
You may request deletion at any time via support@briefcase.so.
Security Controls
Our security controls are operated as part of the ISMS independently certified to ISO/IEC 27001:2022. We never share data between clients or practices, nor do we sell data to third parties. Specifically:
Data Encryption: Data is encrypted in transit (TLS 1.2+) and at rest (AES-256), including backups.
Data Segregation: Each customer's data is logically segregated at the database level and never shared between tenants or accounts.
Access Controls: Access to production data is limited to a small number of authorised Briefcase employees; access is logged and reviewed regularly, the principle of least privilege is applied and MFA is enforced.
Zero data retention for AI: Third-party LLM providers are used under strict zero data retention agreements with no logging, storage or model training on customer data.
Monitoring & Alerting: We maintain continuous infrastructure and application monitoring with immediate alerting, incident response processes, escalation procedures and timely customer notification where required. Automated vulnerability scanning runs multiple times per week to identify and address potential risks proactively.
Data Minimisation: We collect and process only the data strictly necessary to perform each task, ensuring minimal exposure and reducing the overall data footprint across our systems.
Multi-Factor Authentication (MFA)
Multi-Factor Authentication is enforced across all Briefcase accounts.
Users must set up MFA using either a standard TOTP authenticator app (such as Microsoft Authenticator, Google Authenticator, 1Password or Apple Passwords) or an email verification code.
Users are prompted to enable MFA on first login and may skip setup a maximum of two times. MFA is required whenever a new device is used and must be re-verified every 30 days.
Data Hosting
All customer data is stored exclusively in the EU, using AWS infrastructure in Ireland. Backups are kept for 7 days and are also stored in the EU.
Our hosting provider, AWS, is fully ISO 27001, SOC 2 and HIPAA compliant. You can read more about AWS compliance here.
AI Model Confidentiality
Customer data is never sold or used to train AI models.
We partner with OpenAI, Anthropic and Google to process data strictly under Zero Data Retention terms, which means no logging, no saving, no training and no storage after inference.
We have attached the relevant signed addenda and agreements with OpenAI and Anthropic to this infosec report.
Google's Vertex AI supports zero retention when configured correctly. Caching and logging of data are disabled for our usage, and we have attached the relevant policies confirming that this configuration achieves zero data retention.
International Data Transfers & Sub-Processors
Briefcase uses a limited number of vetted third-party sub-processors to deliver its services.
You can see the full list of sub-processors, what they do, where they are located and their data retention period in our Privacy Policy.
Below we summarise only those sub-processors located outside the UK and EU, together with the lawful transfer mechanism relied upon.
Stripe (Billing & Payments)
Stripe, Inc. – United States. Billing and contact information only (payments from customers to Briefcase). Stripe does not process end-user client accounting data unless a customer is directly billed by Briefcase.
Transfer mechanism:
UK adequacy via the EU–US Data Privacy Framework with UK Extension
Standard Contractual Clauses available as a contractual fallback under Stripe's Data Processing Agreement
Google (Vertex AI – AI Processing)
Google LLC – United States
Transfer mechanism:
UK adequacy via the EU–US Data Privacy Framework with UK Extension
Standard Contractual Clauses as a fallback under the Google Cloud Data Processing Addendum
Supplementary safeguards:
Zero Data Retention achieved through configuration (abuse-monitoring opt-out and project-level caching disabled). Supporting policy and configuration evidence is attached.
Anthropic (AI Processing)
Anthropic, PBC – United States
Transfer mechanism:
EU Standard Contractual Clauses with UK Addendum, incorporated via Anthropic's Data Processing Addendum
Supplementary safeguards:
Signed Zero Data Retention certificate confirming deletion of prompts and outputs post-inference (attached).
OpenAI (AI Processing)
OpenAI OpCo, LLC – United States
Transfer mechanism:
EU Standard Contractual Clauses with UK Addendum, incorporated via OpenAI's Data Processing Addendum
Supplementary safeguards:
Approved Zero Data Retention amendment confirming no logging, storage, or training on customer data (attached)
In all cases, transfers are limited, purpose-specific, and supported by contractual, technical, and organisational safeguards, including zero data retention for AI processing, materially reducing transfer risk.
More information can be found in our privacy policy and terms of service.