Cloud accounting software stores client financial data ā€” tax records, payroll information, bank data, and personal identifiers ā€” on servers managed by third-party providers. Understanding how that data is protected, what your responsibilities are as a user, and how to configure cloud tools securely is a professional obligation for UK accountants, not just a technical preference.

This guide covers how cloud accounting software protects data, what security responsibilities remain with you, and the configuration steps that significantly improve your security posture.

How cloud accounting software providers protect data

Established cloud accounting providers ā€” Xero, QuickBooks, Sage, FreeAgent ā€” invest heavily in security infrastructure. Understanding what they provide helps you understand what you still need to configure and manage yourself.

Data encryption: reputable providers encrypt data at rest (stored data) and in transit (data moving between your browser and their servers). Encryption at rest typically uses AES-256; data in transit uses TLS 1.2 or higher. This means even if a server were compromised, the raw data would be unreadable without the encryption keys.

Physical security: cloud providers host data in secure data centres with physical access controls, redundant power, environmental controls, and security monitoring. Xero uses Amazon Web Services (AWS) and other enterprise data centre providers; QuickBooks uses Intuit's own infrastructure.

Availability and disaster recovery: cloud providers maintain multiple copies of data across geographically separated data centres, providing resilience against localised outages. Recovery time objectives (RTOs) and recovery point objectives (RPOs) are defined in their service terms.

Security testing: established providers conduct regular penetration testing, vulnerability scanning, and code security reviews. Many publish security audit reports (SOC 2 Type II is the common standard) that accounting firms can review.

Incident response: providers have dedicated security teams and incident response procedures. Under the Data Processing Agreements they provide to accounting practices, they are required to notify you promptly of security incidents affecting your data.

What remains your responsibility

Cloud security is a shared responsibility model: the provider secures the infrastructure; you secure the access.

The most significant security risks for accounting practices using cloud software are not infrastructure failures ā€” they are credential theft, phishing attacks that compromise user accounts, and failure to configure access controls appropriately. All three of these are your responsibility, not the provider's.

Credentials: if an attacker obtains a user's email address and password for your cloud accounting software, the encryption and physical security are irrelevant ā€” they log in as an authorised user. Strong passwords and multi-factor authentication are your primary defence against this.

User access management: if you grant clients or junior staff excessive access to cloud systems, a compromised account can access more data than is necessary for the role. Correct permissions are your responsibility to configure.

Third-party integrations: every app connected to your accounting software via API is another potential attack surface. Reviewing and limiting integrations is your responsibility.

Phishing and social engineering: the most common route to compromised cloud accounts is phishing ā€” staff clicking a malicious link or providing credentials to a fake login page. User awareness training is your responsibility.

Multi-factor authentication: non-negotiable

Multi-factor authentication (MFA) requires a second verification step beyond a password ā€” typically a code sent to a mobile phone or generated by an authenticator app ā€” before access is granted. MFA is the single most effective technical control against unauthorised account access.

For accounting practices using cloud software, MFA should be enabled on every account ā€” for staff, for clients who access shared accounting systems, and for any platform that holds client financial data.

Xero: MFA is available and configurable by the account owner. Xero Practice Manager can enforce MFA for all staff using the practice's Xero environment.

QuickBooks Online: MFA is available and strongly recommended; Intuit has been progressively rolling out mandatory MFA requirements.

Sage: MFA is available across Sage's cloud products.

Practice management software (Karbon, TaxDome, Iris): MFA should be enabled and enforced.

Email (Gmail, Outlook, Microsoft 365): MFA is essential ā€” most cloud service credential theft occurs through compromised email accounts that are then used for password reset attacks.

If your practice does not have MFA enabled across all cloud tools, enable it as an immediate priority. This single step addresses the most common attack vector against accounting firms.

User access controls

Apply the principle of least privilege: every user (staff, client, integration) should have access only to what they need to do their job, and no more.

In Xero:

  • Xero's user roles include: Standard User, Adviser, Read Only, and Invoice Only. Grant Adviser-level access only to staff who need it. Use Read Only for client reporting access.
  • Regular review of user lists ā€” remove access for former staff, adjust access when roles change.

In QuickBooks:

  • Similar role-based access: admin, company admin, master admin, and various limited roles. Audit user access annually.

For client access:

  • Grant clients access to their own organisation only.
  • Never give clients admin-level access unless they are managing their own accounts without practice assistance.
  • Review and revoke client access when the engagement ends.

Reviewing third-party integrations

Every app connected to your accounting software via the App Store is a potential security risk. If an integrated app has a security breach, the attacker may be able to access your accounting data through the API connection.

Conduct an annual review of all active integrations:

  • Remove integrations for apps you no longer use.
  • Review the permissions granted to each integration (does the document capture app need to create, read, update, and delete records, or just create?).
  • Check that each integration app has a current, signed Data Processing Agreement.

Fewer integrations mean a smaller attack surface. Remove any integration you cannot justify. For more on AI tools and technology for UK accountants, including how to evaluate app integrations safely, see our full AI and Tech hub.

Security monitoring and alerting

Cloud accounting software provides audit logs of user activity. Review these periodically for:

  • Login attempts from unexpected locations.
  • Access at unusual times (weekend or late-night access that does not reflect normal working patterns).
  • Bulk data exports or large numbers of records accessed in a short period.
  • New user accounts created without your knowledge.

Set up login alerts where the platform provides them. If you receive an alert about a login from an unfamiliar location or device, treat it as a potential incident and investigate immediately.

Key takeaways

  • Cloud accounting software providers are responsible for infrastructure security (encryption, physical security, availability); you are responsible for access security (credentials, MFA, user permissions).
  • Multi-factor authentication is non-negotiable ā€” enable it on every cloud platform, for every user. This single step addresses the most common attack vector.
  • Apply the principle of least privilege: every user and integration gets access only to what they need, and access is reviewed regularly.
  • Review third-party integrations annually ā€” remove apps you no longer use to reduce your attack surface.
  • Monitor platform audit logs for unusual login activity, bulk exports, and unexplained account changes.

Frequently asked questions

Is cloud accounting software less secure than desktop software?

No. Established cloud accounting platforms generally have higher security standards than desktop software, because they are maintained by dedicated security teams, updated continuously, and hosted in enterprise data centres with physical and digital security controls that most practices could not match with on-premise infrastructure. The risks in cloud accounting are primarily access-related (compromised credentials), not infrastructure-related ā€” and these are addressed by MFA and good access management.

What happens to client data if a cloud accounting software provider goes out of business?

Reputable providers include data export provisions in their terms of service and give customers time to export data before service termination. Review the data portability terms in your subscription agreement. For major providers (Xero, QuickBooks, Sage), the commercial scale makes sudden closure very unlikely, but you should maintain the ability to export client data in a portable format (CSV, JSON, API export) as a contingency. Keep regular data exports for critical client files.

Who is responsible if a cloud accounting provider has a data breach affecting my clients?

The provider is responsible for the breach of their infrastructure. You are responsible, as the data controller, for notifying your clients and the ICO if the breach meets the notification threshold under UK GDPR. Your Data Processing Agreement with the provider should include an obligation for them to notify you promptly of any breach affecting your data, and to assist you with your GDPR notification obligations.

Should I use a password manager for cloud accounting access?

Yes. Password managers (such as 1Password, Bitwarden, or Dashlane) generate and store strong, unique passwords for each service. This eliminates the common practice of reusing passwords across services, which means a breach on one platform cannot be used to access others. For accounting practices where multiple staff share access to certain platforms, business-tier password managers support shared vaults with appropriate access controls.

How should I handle the security of clients accessing their own Xero or QuickBooks accounts?

Advise clients on MFA setup when you configure their accounting software access. Include a standard recommendation to enable MFA in your client onboarding documentation. Do not manage clients' MFA settings or store clients' login credentials yourself ā€” the client is responsible for their own account security. If a client's account is compromised, support them through the recovery process but ensure the security failure is documented.