// Trust & Security Report

    FreshBooks (2NDSITE Inc.) logo

    FreshBooks (2NDSITE Inc.)

    Cloud-based accounting and invoicing software for small businesses and freelancers

    Certifications held

    5

    Maturity

    Growth

    Trains on your data

    Unknown

    Trust center

    No

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    SOC 2 Type 1
    HELD

    Our successful completion of the SOC 2 audit is part of our ongoing commitment to data security. [Audit conducted by A-LIGN, completed February 7, 2023]

    Verify on freshbooks.com
    SOC 2 Type 2
    HELD

    No public announcement or evidence of SOC 2 Type 2 completion found as of June 2026. Type 1 was completed February 2023; Type 2 progress not publicly disclosed.

    Verify on freshbooks.com
    PCI DSS Level 1
    HELD

    FreshBooks maintains its PCI DSS Level 1 compliance and has its audit conducted by an independent third-party on an annual basis. A PCI attestation of compliance (AOC) can be requested to security@freshbooks.com.

    Verify on freshbooks.com
    GDPR (self-declared compliance)
    HELD

    As of May 25, 2018, FreshBooks has implemented processes to comply with General Data Protection Regulation (GDPR) requirements. [Support article.] The privacy policy adds: 'When we transfer Personal Information of individuals in the European Economic Area (EEA), Switzerland or the United Kingdom (UK) to the US, we make use of the Standard Contractual Clauses and the UK Addendum.'

    Verify on support.freshbooks.com
    CCPA
    HELD

    We do not sell Personal Information to third parties (pursuant to California Civil Code Sections 1798.100-1798.99, also known as the California Consumer Privacy Act of 2018).

    Verify on freshbooks.com
    > Show 2 unconfirmed / not-held certifications
    ISO 27001
    NOT CONFIRMED

    No mention of ISO 27001 certification on any FreshBooks security, compliance, or press release page reviewed.

    source: freshbooks.com
    HIPAA
    NOT CONFIRMED

    HIPAA is not mentioned on any FreshBooks security, privacy, or compliance page. FreshBooks is an accounting tool, not a healthcare platform.

    source: freshbooks.com

    // Privacy & AI training

    Trains on customer data

    Not stated

    Data processing agreement

    Offered

    Data region

    United States (Google Cloud Platform). EU/UK users' data may be transferred to the US under Standard Contractual Clauses and UK Addendum. No EU data residency option identified.

    FreshBooks states AI is used for fraud detection, support chatbot, and credit evaluation. Privacy policy does not explicitly prohibit training models on customer data. Terms of Service permit use of data for 'conducting simulations, analytics or modeling (including through Authorized Partners) to generate reports, trends, or recommendations,' though 'reasonable confidentiality and security measures, including de-identifying or aggregating User Content prior to external use' are required. No explicit opt-out for AI/ML model training is disclosed.

    // Security controls

    Encryption in transit

    256-bit SSL/TLS encryption for all browser-to-server traffic. Quote: 'All information traveling between your browser and FreshBooks is protected from eavesdroppers with 256-bit SSL encryption.'

    freshbooks.com

    Encryption at rest

    Industry-standard encryption protocols used for sensitive data including cardholder data. Specific algorithm not publicly disclosed.

    freshbooks.com

    Hosting infrastructure

    Google Cloud Platform (GCP). Redundant servers and geographically separate datacentres. Nightly tape backups stored offsite.

    freshbooks.com

    Vulnerability scanning

    Servers scanned regularly by Sikich LLP (managed security provider), both from the internet and inside the network.

    freshbooks.com

    Secure development

    OWASP secure development practices followed; principle of least access applied.

    freshbooks.com

    Penetration testing

    Not explicitly disclosed. Vulnerability scanning by Sikich LLP is confirmed; dedicated pen testing cadence is not publicly stated.

    freshbooks.com

    Bug bounty program

    Responsible-disclosure Vulnerability Disclosure Program via a direct report form on freshbooks.com (not a paid bug bounty, and not run on HackerOne). No paid rewards: 'FreshBooks does not reward for security issues.' Hall of Fame recognition offered to the first reporter of an issue. In-scope: my.freshbooks.com (critical), www.freshbooks.com (high), api.freshbooks.com (critical).

    freshbooks.com

    Breach notification

    Commits to notifying authorities and impacted customers 'within the legally required timelines based on the Applicable Data Protection Law.'

    freshbooks.com

    Two-factor authentication

    2FA available for all user accounts.

    freshbooks.com

    Physical security

    State-of-the-art datacentres with biometric access, constant surveillance, redundant power and generators, fire suppression, and climate control.

    freshbooks.com

    // Products & data scope

    FreshBooks Core (accounting platform)Accounting, invoicing, expense tracking, time tracking, reporting

    data: Financial records, client data, invoice data, payment information, credit/billing data, employee/contractor details. All hosted on GCP in the US.

    Targets freelancers, solopreneurs, small businesses, and accountants. Handles sensitive financial and business PII. PCI DSS Level 1 and SOC 2 Type 1 apply to this product.

    FreshBooks PayrollPayroll processing

    data: Employee and contractor payroll data including pay, tax records, and banking details. Highest sensitivity tier within the product suite. Processing is performed by Gusto and is available only to US-based businesses (W-2 employees and US-based 1099 contractors).

    FreshBooks Payroll is powered by Gusto (launched 2024). Payroll processing, automatic tax filing, and direct deposit are handled through Gusto acting as a sub-processor, so payroll data handling and its underlying compliance are governed in part by Gusto rather than solely by FreshBooks' GCP/US hosting model. Payroll data is especially sensitive; buyers evaluating payroll should review Gusto's compliance posture (Gusto maintains its own SOC and security attestations) in addition to FreshBooks'.

    FreshBooks Integrations and AppStore (100+ apps)Third-party integrations and API

    data: Data shared with third-party providers varies by integration. Sub-processor list available via Privacy Policy link.

    Third-party sub-processors are permitted to use data only for contracted services, not for their own marketing. Users connecting integrations should review each partner's own privacy posture.

    // What to watch

    • SOC 2 Type 1 only (completed Feb 2023, auditor: A-LIGN). No public evidence of SOC 2 Type 2 completion as of June 2026. Reviewers requiring operational effectiveness assurance should request the current audit report from security@freshbooks.com.
    • AI/ML training posture is ambiguous. Terms allow analytics and modeling on usage data with de-identification for external use; no explicit opt-out for AI model training is provided in the privacy policy.
    • No EU data residency. All data hosted in the US on GCP. EU/UK data transferred under SCCs. Organizations with strict data sovereignty requirements should note this.
    • Vulnerability reporting is handled through a responsible-disclosure program (direct report form, not HackerOne) rather than a paid bug bounty; FreshBooks states it does not pay cash rewards and offers Hall of Fame recognition. A no-reward VDP is common for SMB-focused vendors and is not in itself a security deficiency, though buyers who specifically value paid bounty programs should note it.
    • Penetration testing cadence is not publicly disclosed. Only vulnerability scanning by Sikich LLP is confirmed.
    • No ISO 27001 certification found. For organizations requiring ISO 27001, this is a gap.

    // At a glance

    Pricing model

    Subscription (SaaS). Multiple tiers: Lite, Plus, Premium, Select (custom). 30-day free trial available. Currently offering 90% off for 6 months promotional pricing.

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on FreshBooks (2NDSITE Inc.)'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    freshbooks.com

    > Browse all vendor trust reports