// Trust & Security Report

    Bench Accounting (now part of Mainstreet / Employer.com) logo

    Bench Accounting (now part of Mainstreet / Employer.com)

    Online bookkeeping and tax services for US small businesses. Sub-products: Bench Bookkeeping (software + dedicated human bookkeeper), Bench Tax (preparation, filing, year-round advisory). Now bundled with Mainstreet banking and entity formation.

    Certifications held

    1

    Maturity

    Growth

    Trains on your data

    No

    Trust center

    Yes

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    SOC 2 Type 1
    HELD

    Bench.co SOC 2 Type 1 2025 Audit [listed in trust center as a requestable document, trust center updated September 10, 2025]

    Verify on trust.bench.co
    > Show 8 unconfirmed / not-held certifications
    SOC 2 Type 2
    NOT CONFIRMED

    Security page claims 'Bench undergoes a SOC 2 Type 2 examination of our security controls against the AICPA defined standards on an annual basis' but the trust center (updated Sep 2025) lists only a 'SOC 2 Type 1 2025 Audit'. The Type 2 claim on the marketing page is unverified and conflicts with the trust center. This may reflect a regression after the Mainstreet/Employer.com acquisition. Graded held=false until the trust center confirms a Type 2 report.

    source: bench.co
    ISO 27001
    NOT CONFIRMED

    Security page states 'The environment that hosts our services maintains multiple certifications for its data centers, including ISO 27001 compliance.' This is AWS/Azure's certification, not Bench's own. Host-vs-vendor: held=false for Bench.

    source: bench.co
    GDPR (formal compliance program)
    NOT CONFIRMED

    No GDPR compliance statement found on the security or privacy pages. Bench is explicitly a US-only service. Terms of Service include legacy EU consent language ('Customer consents to the transfer of such information outside of the European Union') rather than modern SCCs or EU-US DPF mechanisms. No DPA offered. GDPR posture is absent.

    source: bench.co
    HIPAA
    NOT CONFIRMED

    No mention of HIPAA on the security page, privacy policy, or trust center. Bench serves US small businesses in general (not healthcare entities) and makes no HIPAA claim.

    source: bench.co
    PCI DSS
    NOT CONFIRMED

    Security page states 'Our platform has been deliberately architected to limit the handling of payment card information.' Bench uses PCI-compliant third parties (Stripe) and does not claim its own PCI DSS certification.

    source: bench.co
    FedRAMP
    NOT CONFIRMED

    Security page references FedRAMP authorization for 'The environment that hosts our services' (i.e., AWS), not Bench itself. Host-vs-vendor: held=false for Bench.

    source: bench.co
    ISO/IEC 42001 (AI Governance)
    NOT CONFIRMED

    No public evidence of ISO 42001 certification.

    source: trust.bench.co
    CSA STAR
    NOT CONFIRMED

    No public evidence of CSA STAR certification.

    source: trust.bench.co

    // Privacy & AI training

    Trains on customer data

    No

    Data processing agreement

    Not offered

    Data region

    United States (hosted on AWS and Microsoft Azure)

    Security page states: 'Prompts, responses, and data accessed through Bench's AI Assistants remain within Bench's isolated boundaries and aren't used to train public or third-party AI tools or LLMs.' Terms of Service (section 8.3) add: 'Any data processed by AI/ML tools is anonymized, truncated, or otherwise limited to the extent necessary to perform the required tasks and AI/ML tools are run in secure environments without sharing Customer Data externally.' Privacy policy references Azure OpenAI and Stream Chat as service providers but does not explicitly confirm the no-training commitment - a minor inconsistency worth noting.

    // Security controls

    Encryption in transit

    TLS 1.2

    bench.co

    Encryption at rest

    AES-256

    bench.co

    Device encryption

    Full disk encryption on corporate devices

    bench.co

    Access control

    Least-privilege access policies; employees prohibited from accessing customer data unless necessary

    bench.co

    Third-party financial integrations

    Plaid for bank connections (SOC 2 compliant); Stripe for payment processing (PCI-compliant)

    bench.co

    Trust center controls

    47 documented controls across Access Control, Business Continuity, Change Management, Contingency Planning, Incident Response, and Information Security Program Management

    trust.bench.co

    Hosting infrastructure

    AWS and Microsoft Azure; infrastructure holds ISO 27001, FedRAMP, and PCI certifications (host-level, not Bench's own)

    bench.co

    AI systems used

    Azure OpenAI (data analysis, customer experience), Stream Chat (AI chat services)

    bench.co

    // Products & data scope

    Bench BookkeepingBookkeeping / Financial management

    data: Full financial transaction data, bank account connections, business receipts and documents

    Core product: dedicated human bookkeeper plus software. Monthly financial statements, expense overviews, real-time insights.

    Bench TaxTax preparation and advisory

    data: Tax documents, business income/expense data, entity information

    Expert tax prep, filing, and year-round tax advisory. Available as add-on to Bookkeeping plan.

    Mainstreet (parent platform)Business operating system

    data: Banking, entity formation, bookkeeping, taxes

    Bench is now part of Mainstreet (via Employer.com acquisition). Mainstreet adds banking and entity formation to Bench's bookkeeping and tax services.

    // What to watch

    • SOC 2 TYPE DISCREPANCY: Marketing security page (bench.co/security) claims 'SOC 2 Type 2 examination annually' but the trust center (updated September 2025) only lists a 'SOC 2 Type 1 2025 Audit'. This may indicate a regression post-acquisition (Employer.com/Mainstreet) where a new Type 1 was issued rather than a continuing Type 2. Do not list SOC 2 Type 2 until trust center confirms a Type 2 report.
    • HOST-VS-VENDOR CERT AMBIGUITY: ISO 27001, FedRAMP, and infrastructure PCI/SOC references on the security page all describe hosting provider certifications (AWS/Azure data centers), not Bench's own certifications. Bench's security page marketing language could mislead readers into thinking these are Bench's certs.
    • NO GDPR PROGRAM: Bench is explicitly US-only. Terms of Service include legacy EU consent language rather than modern GDPR mechanisms (SCCs, DPF). No DPA is offered or mentioned. EU-based customers or EU-resident data subjects are not supported.
    • AI TRAINING POSTURE SPLIT: Security page explicitly states customer data is not used to train AI; Terms Section 8.3 confirms AI data is anonymized and not shared externally. However, the privacy policy merely lists Azure OpenAI as a service provider for 'data analysis' without echoing the no-training commitment. Minor inconsistency across documents.
    • ACQUISITION CONTEXT: Bench was acquired by Employer.com and is now part of Mainstreet. Trust center was last updated September 2025. Compliance program may still be in transition post-acquisition.

    // At a glance

    Pricing model

    Subscription (monthly); tiered by plan - Bookkeeping only vs Bookkeeping and Tax; free trial available

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Bench Accounting (now part of Mainstreet / Employer.com)'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-06-29. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    trust.bench.co

    > Browse all vendor trust reports