// Trust & Security Report
FreshBooks (2NDSITE Inc.)
Cloud-based accounting and invoicing software for small businesses and freelancers
Certifications held
5
Maturity
Growth
Trains on your data
Unknown
Trust center
No
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on freshbooks.com“Our successful completion of the SOC 2 audit is part of our ongoing commitment to data security. [Audit conducted by A-LIGN, completed February 7, 2023]”
Verify on freshbooks.com“No public announcement or evidence of SOC 2 Type 2 completion found as of June 2026. Type 1 was completed February 2023; Type 2 progress not publicly disclosed.”
Verify on freshbooks.com“FreshBooks maintains its PCI DSS Level 1 compliance and has its audit conducted by an independent third-party on an annual basis. A PCI attestation of compliance (AOC) can be requested to security@freshbooks.com.”
Verify on support.freshbooks.com“As of May 25, 2018, FreshBooks has implemented processes to comply with General Data Protection Regulation (GDPR) requirements. [Support article.] The privacy policy adds: 'When we transfer Personal Information of individuals in the European Economic Area (EEA), Switzerland or the United Kingdom (UK) to the US, we make use of the Standard Contractual Clauses and the UK Addendum.'”
Verify on freshbooks.com“We do not sell Personal Information to third parties (pursuant to California Civil Code Sections 1798.100-1798.99, also known as the California Consumer Privacy Act of 2018).”
> Show 2 unconfirmed / not-held certifications
source: freshbooks.comNo mention of ISO 27001 certification on any FreshBooks security, compliance, or press release page reviewed.
source: freshbooks.comHIPAA is not mentioned on any FreshBooks security, privacy, or compliance page. FreshBooks is an accounting tool, not a healthcare platform.
// Privacy & AI training
Trains on customer data
Not stated
Data processing agreement
Offered
Data region
United States (Google Cloud Platform). EU/UK users' data may be transferred to the US under Standard Contractual Clauses and UK Addendum. No EU data residency option identified.
FreshBooks states AI is used for fraud detection, support chatbot, and credit evaluation. Privacy policy does not explicitly prohibit training models on customer data. Terms of Service permit use of data for 'conducting simulations, analytics or modeling (including through Authorized Partners) to generate reports, trends, or recommendations,' though 'reasonable confidentiality and security measures, including de-identifying or aggregating User Content prior to external use' are required. No explicit opt-out for AI/ML model training is disclosed.
// Security controls
Encryption in transit
256-bit SSL/TLS encryption for all browser-to-server traffic. Quote: 'All information traveling between your browser and FreshBooks is protected from eavesdroppers with 256-bit SSL encryption.'
freshbooks.comEncryption at rest
Industry-standard encryption protocols used for sensitive data including cardholder data. Specific algorithm not publicly disclosed.
freshbooks.comHosting infrastructure
Google Cloud Platform (GCP). Redundant servers and geographically separate datacentres. Nightly tape backups stored offsite.
freshbooks.comVulnerability scanning
Servers scanned regularly by Sikich LLP (managed security provider), both from the internet and inside the network.
freshbooks.comSecure development
OWASP secure development practices followed; principle of least access applied.
freshbooks.comPenetration testing
Not explicitly disclosed. Vulnerability scanning by Sikich LLP is confirmed; dedicated pen testing cadence is not publicly stated.
freshbooks.comBug bounty program
Responsible-disclosure Vulnerability Disclosure Program via a direct report form on freshbooks.com (not a paid bug bounty, and not run on HackerOne). No paid rewards: 'FreshBooks does not reward for security issues.' Hall of Fame recognition offered to the first reporter of an issue. In-scope: my.freshbooks.com (critical), www.freshbooks.com (high), api.freshbooks.com (critical).
freshbooks.comBreach notification
Commits to notifying authorities and impacted customers 'within the legally required timelines based on the Applicable Data Protection Law.'
freshbooks.comPhysical security
State-of-the-art datacentres with biometric access, constant surveillance, redundant power and generators, fire suppression, and climate control.
freshbooks.com// Products & data scope
data: Financial records, client data, invoice data, payment information, credit/billing data, employee/contractor details. All hosted on GCP in the US.
Targets freelancers, solopreneurs, small businesses, and accountants. Handles sensitive financial and business PII. PCI DSS Level 1 and SOC 2 Type 1 apply to this product.
data: Employee and contractor payroll data including pay, tax records, and banking details. Highest sensitivity tier within the product suite. Processing is performed by Gusto and is available only to US-based businesses (W-2 employees and US-based 1099 contractors).
FreshBooks Payroll is powered by Gusto (launched 2024). Payroll processing, automatic tax filing, and direct deposit are handled through Gusto acting as a sub-processor, so payroll data handling and its underlying compliance are governed in part by Gusto rather than solely by FreshBooks' GCP/US hosting model. Payroll data is especially sensitive; buyers evaluating payroll should review Gusto's compliance posture (Gusto maintains its own SOC and security attestations) in addition to FreshBooks'.
data: Data shared with third-party providers varies by integration. Sub-processor list available via Privacy Policy link.
Third-party sub-processors are permitted to use data only for contracted services, not for their own marketing. Users connecting integrations should review each partner's own privacy posture.
// What to watch
- SOC 2 Type 1 only (completed Feb 2023, auditor: A-LIGN). No public evidence of SOC 2 Type 2 completion as of June 2026. Reviewers requiring operational effectiveness assurance should request the current audit report from security@freshbooks.com.
- AI/ML training posture is ambiguous. Terms allow analytics and modeling on usage data with de-identification for external use; no explicit opt-out for AI model training is provided in the privacy policy.
- No EU data residency. All data hosted in the US on GCP. EU/UK data transferred under SCCs. Organizations with strict data sovereignty requirements should note this.
- Vulnerability reporting is handled through a responsible-disclosure program (direct report form, not HackerOne) rather than a paid bug bounty; FreshBooks states it does not pay cash rewards and offers Hall of Fame recognition. A no-reward VDP is common for SMB-focused vendors and is not in itself a security deficiency, though buyers who specifically value paid bounty programs should note it.
- Penetration testing cadence is not publicly disclosed. Only vulnerability scanning by Sikich LLP is confirmed.
- No ISO 27001 certification found. For organizations requiring ISO 27001, this is a gap.
// At a glance
Pricing model
Subscription (SaaS). Multiple tiers: Lite, Plus, Premium, Select (custom). 30-day free trial available. Currently offering 90% off for 6 months promotional pricing.
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on FreshBooks (2NDSITE Inc.)'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
freshbooks.com