Security built into everything we do.

ISO 27001:2022 certified. End-to-end encrypted. Zero local storage. We built our operating model around eliminating the data security objection, not just addressing it.

ISO 27001:2022 Certified
4 Security layers, physical to legal
6 Specific controls, zero exceptions
100% NDA coverage, every employee, day one

The NetBounce security stack.

Every layer addresses a different vector of risk. Together they meet the security expectations of the most data-sensitive accounting firms and businesses.

Layer 1: Physical Security
Hardware-level protection before data reaches the network.
24/7 CCTV, full facility, all workstations
Biometric + access card entry
No personal phones at workstations
No USB storage, ever
Screen privacy filters
Dedicated company devices only

Layer 2: Network Security
All traffic encrypted. Open internet disabled during work hours.
Company-managed VPN, mandatory
Open internet disabled at network level
Firewall, approved platforms only
All connections monitored and logged
Zero unmonitored connections
Network segmentation per client

Layer 3: Access Controls
MFA mandatory. Role-based. No single-factor logins permitted.
MFA mandatory, every platform
No single-factor logins, ever
Role-based access, client-specific
Formal access provisioning
Password policy via management tool
Session timeouts on all systems

Layer 4: Legal & Contractual
Every protection backed by legally binding agreements.
NDA signed before day one
Client-specific confidentiality terms
Data handling documented pre-engagement
ISO 27001:2022, independently audited
Incident response documented + tested
Data deletion confirmed on request

Six controls. Zero exceptions.

Every control addresses a real data security risk that accounting firms and businesses face when working with offshore teams.

ISO Certification
ISO 27001:2022 Certified

Independently audited and certified against the international standard for information security management. Not aligned, certified.

VPN
Company-Managed VPN

All work traffic routes through our encrypted, company-managed VPN. Open internet is disabled at the network level during work hours.

MFA
MFA on All Systems

Multi-factor authentication mandatory on every account, platform, and system used to access or process client data. No single-factor logins, no exceptions.

CCTV
24/7 CCTV Monitored Facility

The entire work facility operates under continuous surveillance. Physical access is controlled through biometric and access card systems. All footage is retained.

NDA
NDA Signed by Every Employee

A comprehensive NDA covering client data and confidentiality obligations is signed by every NetBounce employee before their first day. No exceptions, no waivers.

Encrypted Transfer
Encrypted File Transfer Only

Client documents are transmitted exclusively through encrypted channels. Personal cloud storage, unprotected email, and messaging apps are prohibited.

How your data moves, safely.

From the moment data leaves your firm to the moment work returns, every step is encrypted, monitored, and access-controlled.

Data flow diagram: Your Firm (CPA / Accounting Firm, US) → encrypted → NBG VPN Gateway (monitored · logged · zero open internet) → VPN tunnel → Secure Workstation (NDA · CCTV · MFA · no personal device). Open internet: blocked and disabled. Completed work returns via the encrypted channel.
ISO 27001 Certification

ISO 27001:2022 certified infrastructure.

Independently audited. Not aligned, certified. Our infrastructure is built to meet the international standard for information security management.

Security

Protection against unauthorised access via VPN, MFA, firewall, and physical access controls.

Availability

System uptime and redundancy planning to ensure consistent access for your offshore team member.

Confidentiality

Client information protected through NDA obligations, role-based access controls, and encrypted transfer only.

Incident response & data handling.

What happens when things go wrong, and how we handle your data at every stage.

INCIDENT_RESPONSE_PROTOCOL v2.3 · CONFIDENTIAL, CPA FIRM USE
QUERY: What happens if there is a confirmed security breach?
Immediate escalation to designated security lead
Client firm notified within 24 hours of confirmed incident
Containment steps initiated concurrently, no delay
Full post-incident report and root cause analysis issued
SLA: 24HR · CONTAINMENT: IMMEDIATE · REPORT: WRITTEN + FULL

DATA_LIFECYCLE_PROTOCOL v1.8 · CONFIDENTIAL, CPA FIRM USE
QUERY: How is client data handled at end of engagement?
All data on NBG-managed systems: secure deletion OR return to firm
Executed at engagement termination, per client preference
Written deletion confirmation provided on request
Data residency requirements accommodated throughout
SECURE DELETION · WRITTEN CONFIRMATION · DATA RETURN: AVAILABLE

RESIDENCY_COMPLIANCE_PROTOCOL v1.4 · CONFIDENTIAL, CPA FIRM USE
QUERY: Can data residency requirements be accommodated?
Residency requirements documented during engagement setup
Agreed and confirmed before team member start date
Not retrofitted, built into engagement structure from day one
Healthcare, government-adjacent, and financial institution requirements supported
ALL REGIONS · PRE-START DOCUMENTED · HIPAA-ADJACENT: SUPPORTED

DUE_DILIGENCE_PROTOCOL v2.0 · CONFIDENTIAL, CPA FIRM USE
QUERY: Can we conduct our own security assessment before engaging?
Yes. Security questionnaires, due diligence reviews, and IT assessments welcomed
ISO 27001:2022 certificate available on request
Full control documentation provided to compliance teams
Dedicated responses to your IT questionnaire, before you commit
ISO CERT: AVAILABLE · CONTROL DOCS: PROVIDED · IT REVIEW: WELCOME

Security questions we get from firms.

Direct answers, no hedging, no marketing language.

Certified. ISO 27001:2022 certification requires an independent external audit by an accredited certification body. We have completed that process. "Aligned" means a company follows the principles without being audited. We use the word certified because it is accurate.

Only your dedicated specialist and the direct management chain responsible for their quality and delivery. Access is role-based and provisioned specifically to your engagement. No other NetBounce staff can access your client data. Access is removed immediately at end of engagement.

Only the platforms your firm specifies: QuickBooks, Xero, Lacerte, Drake, Canopy, or any other tool you use. We do not introduce additional platforms without your approval. All access happens through the VPN, using credentials your firm provisions specifically for your team member.

All work devices are company-managed and can be remotely wiped immediately. No client data is stored locally on any device; all work happens within client-controlled platforms accessed through the VPN. A lost device means no data is accessible.

Yes. We welcome security assessments, questionnaires, and due diligence reviews. We can provide our ISO 27001:2022 certificate, documentation of our controls, and answer detailed questions from your IT or compliance team. Contact us to arrange this before your engagement starts.

Our ISO 27001:2022 framework covers the same security domains as AICPA's Trust Services Criteria: security, availability, and confidentiality. We have specifically designed our controls around the security expectations of accounting firms and businesses, informed by direct feedback from our clients.

Have a question not covered here?

Schedule a 30-minute discovery call, no commitment. We'll walk through your specific security requirements and answer everything directly.

Schedule a Discovery Call

Ready to hire with confidence?

ISO 27001:2022 certified operations. NDA before day one. VPN-restricted workstations. Everything you need to staff with security.