// Trust & Security Report
Bench Accounting (now part of Mainstreet / Employer.com)
Online bookkeeping and tax services for US small businesses. Sub-products: Bench Bookkeeping (software + dedicated human bookkeeper), Bench Tax (preparation, filing, year-round advisory). Now bundled with Mainstreet banking and entity formation.
Certifications held
1
Maturity
Growth
Trains on your data
No
Trust center
Yes
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on trust.bench.co“Bench.co SOC 2 Type 1 2025 Audit [listed in trust center as a requestable document, trust center updated September 10, 2025]”
> Show 8 unconfirmed / not-held certifications
source: bench.coSecurity page claims 'Bench undergoes a SOC 2 Type 2 examination of our security controls against the AICPA defined standards on an annual basis' but the trust center (updated Sep 2025) lists only a 'SOC 2 Type 1 2025 Audit'. The Type 2 claim on the marketing page is unverified and conflicts with the trust center. This may reflect a regression after the Mainstreet/Employer.com acquisition. Graded held=false until the trust center confirms a Type 2 report.
source: bench.coSecurity page states 'The environment that hosts our services maintains multiple certifications for its data centers, including ISO 27001 compliance.' This is AWS/Azure's certification, not Bench's own. Host-vs-vendor: held=false for Bench.
source: bench.coNo GDPR compliance statement found on the security or privacy pages. Bench is explicitly a US-only service. Terms of Service include legacy EU consent language ('Customer consents to the transfer of such information outside of the European Union') rather than modern SCCs or EU-US DPF mechanisms. No DPA offered. GDPR posture is absent.
source: bench.coNo mention of HIPAA on the security page, privacy policy, or trust center. Bench serves US small businesses in general (not healthcare entities) and makes no HIPAA claim.
source: bench.coSecurity page states 'Our platform has been deliberately architected to limit the handling of payment card information.' Bench uses PCI-compliant third parties (Stripe) and does not claim its own PCI DSS certification.
source: bench.coSecurity page references FedRAMP authorization for 'The environment that hosts our services' (i.e., AWS), not Bench itself. Host-vs-vendor: held=false for Bench.
source: trust.bench.coNo public evidence of ISO 42001 certification.
// Privacy & AI training
Trains on customer data
No
Data processing agreement
Not offered
Data region
United States (hosted on AWS and Microsoft Azure)
Security page states: 'Prompts, responses, and data accessed through Bench's AI Assistants remain within Bench's isolated boundaries and aren't used to train public or third-party AI tools or LLMs.' Terms of Service (section 8.3) add: 'Any data processed by AI/ML tools is anonymized, truncated, or otherwise limited to the extent necessary to perform the required tasks and AI/ML tools are run in secure environments without sharing Customer Data externally.' Privacy policy references Azure OpenAI and Stream Chat as service providers but does not explicitly confirm the no-training commitment - a minor inconsistency worth noting.
// Security controls
Access control
Least-privilege access policies; employees prohibited from accessing customer data unless necessary
bench.coThird-party financial integrations
Plaid for bank connections (SOC 2 compliant); Stripe for payment processing (PCI-compliant)
bench.coTrust center controls
47 documented controls across Access Control, Business Continuity, Change Management, Contingency Planning, Incident Response, and Information Security Program Management
trust.bench.coHosting infrastructure
AWS and Microsoft Azure; infrastructure holds ISO 27001, FedRAMP, and PCI certifications (host-level, not Bench's own)
bench.coAI systems used
Azure OpenAI (data analysis, customer experience), Stream Chat (AI chat services)
bench.co// Products & data scope
data: Full financial transaction data, bank account connections, business receipts and documents
Core product: dedicated human bookkeeper plus software. Monthly financial statements, expense overviews, real-time insights.
data: Tax documents, business income/expense data, entity information
Expert tax prep, filing, and year-round tax advisory. Available as add-on to Bookkeeping plan.
data: Banking, entity formation, bookkeeping, taxes
Bench is now part of Mainstreet (via Employer.com acquisition). Mainstreet adds banking and entity formation to Bench's bookkeeping and tax services.
// What to watch
- SOC 2 TYPE DISCREPANCY: Marketing security page (bench.co/security) claims 'SOC 2 Type 2 examination annually' but the trust center (updated September 2025) only lists a 'SOC 2 Type 1 2025 Audit'. This may indicate a regression post-acquisition (Employer.com/Mainstreet) where a new Type 1 was issued rather than a continuing Type 2. Do not list SOC 2 Type 2 until trust center confirms a Type 2 report.
- HOST-VS-VENDOR CERT AMBIGUITY: ISO 27001, FedRAMP, and infrastructure PCI/SOC references on the security page all describe hosting provider certifications (AWS/Azure data centers), not Bench's own certifications. Bench's security page marketing language could mislead readers into thinking these are Bench's certs.
- NO GDPR PROGRAM: Bench is explicitly US-only. Terms of Service include legacy EU consent language rather than modern GDPR mechanisms (SCCs, DPF). No DPA is offered or mentioned. EU-based customers or EU-resident data subjects are not supported.
- AI TRAINING POSTURE SPLIT: Security page explicitly states customer data is not used to train AI; Terms Section 8.3 confirms AI data is anonymized and not shared externally. However, the privacy policy merely lists Azure OpenAI as a service provider for 'data analysis' without echoing the no-training commitment. Minor inconsistency across documents.
- ACQUISITION CONTEXT: Bench was acquired by Employer.com and is now part of Mainstreet. Trust center was last updated September 2025. Compliance program may still be in transition post-acquisition.
// At a glance
Pricing model
Subscription (monthly); tiered by plan - Bookkeeping only vs Bookkeeping and Tax; free trial available
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Bench Accounting (now part of Mainstreet / Employer.com)'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-06-29. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
trust.bench.co