// Trust & data handling

How we handle
your data.

What access we need, how we get it, how we look after it, and what happens when an engagement ends. Written for buyers in regulated industries — accountants, brokers, lettings agents, legal — but applies to every client.

// LAST UPDATED · 26 MAY 2026

The short version

We ask for the minimum access needed to build the automation, take credentials through a shared password-manager vault, work in your environment (not ours), document what we built, then hand everything back and remove our access. We do not keep copies of your data after handoff.

1. What access we need

Each engagement is different, but we always work from a written list of exactly what access is required, scoped to what the automation needs and nothing more. Typical examples:

  • Accounting software (Xero, QuickBooks, Sage) — read-only API access where possible; advisor-level access where data needs to be written back.
  • CRMs and practice management (HubSpot, Karbon, TaxDome, Acturis, AccountancyManager) — a dedicated user with the minimum role required.
  • Email and document tools (Google Workspace, Microsoft 365) — service account or scoped OAuth token, not a personal mailbox.
  • Spreadsheets and shared drives — folder-scoped sharing, not whole-drive access.
  • Bespoke databases or internal tools — read replica or restricted user account where available.

Where a tool offers OAuth, app passwords, or service accounts, we use them in preference to personal credentials. Where it does not, we ask for a dedicated user named after the engagement so the activity is visible in audit logs.

2. How credentials are shared

Credentials are shared through a 1Password vault dedicated to your engagement, with named-user access on both sides. We do not accept credentials by email, chat, or text.

If you do not already use a password manager, we will send a single-use, expiring shared link and ask you to rotate the credential at the end of the engagement.

3. Where the work happens

Wherever possible, the code we write lives in your environment — your Google Apps Script project, your Make workspace, your hosting account, your repository. The automation runs against your data, in your tenant, under your control.

We do not pull client data onto local machines except where a workflow genuinely requires it for development or testing. Where we must (for example, sample exports for parsing), the data stays on encrypted disks, is restricted to the engineers actively working on the engagement, and is deleted at handoff.

4. Who can see your systems

Rapid Reports is a small team. During an engagement, access is limited to the engineers actively working on your build, named in the SOW. We do not delegate client access to outside subcontractors without your written consent.

5. Logging, monitoring, and rollback

  • Every automation we build emits structured logs you can inspect.
  • State-changing actions (sending emails, posting to Xero, updating a CRM record) are gated by either a dry-run mode during build, or an approval step in production where appropriate.
  • Each build ships with a rollback note — how to stop the automation, what to revert, who to contact.
  • For Foundation and Scale engagements, we set up alerting on failures so problems surface to you, not to a silent log file.

6. Data retention

  • Sample data shared during development — deleted at handoff.
  • Engagement records (proposals, SOWs, audit reports, build documentation) — kept for 6 years from end of engagement, as required by HMRC for tax record-keeping.
  • Credentials — removed from our vaults at handoff. We will also recommend which credentials to rotate on your side.
  • Operational data flowing through the automation — stays in your systems. We do not maintain a separate copy.

7. UK GDPR responsibilities

You are typically the data controller for personal data in your systems. When we build an automation that processes that personal data on your instructions, we are acting as your data processor under UK GDPR Article 28.

For engagements that involve material personal data processing, the SOW (or a separate Data Processing Addendum) records:

  • The categories of data subject and personal data.
  • The nature and purpose of processing.
  • The duration of processing.
  • Sub-processors used (see our privacy policy).
  • Security measures and breach-notification process.

8. For accounting and bookkeeping practices

We are conscious that accountancy work touches client personal data, tax identifiers, payroll information, and financial records — and that your professional body (ICAEW, ACCA, AAT, CIOT) imposes its own obligations on top of UK GDPR. We treat every engagement on the assumption that:

  • Access to Xero, QuickBooks, Dext, Karbon, TaxDome and equivalents is sensitive and audit-logged.
  • Anti-money-laundering records held in the practice must remain accessible and tamper-evident.
  • Sub-client data (data about your clients) is not for us to retain or repurpose.

We are happy to be added to your practice's data-processor register, sign your DPA template, or complete a supplier questionnaire.

9. For FCA-regulated firms (insurance brokers, IFAs)

Where an engagement touches a regulated workflow — renewal processing, fair-value assessments, suitability records, client money flows — we work to your firm's permissions and audit requirements. Operational resilience expectations (SYSC 15A) apply to systems we build for you; we document the third-party dependencies (Acturis, Open GI, etc.) and the failure modes.

10. Security incident response

If we become aware of a security incident affecting your data or systems, we will notify you without undue delay (and in any event within 24 hours of confirmation), share what we know, and cooperate with any investigation. You remain responsible for any regulatory notifications you need to make as the data controller.

11. What happens at handoff

At the end of every engagement we deliver:

  • A walkthrough video or session explaining how the automation works.
  • A written runbook — what it does, what to do if it fails, who to call.
  • The credentials and access tokens transferred back to your control, with the recommendation to rotate.
  • Confirmation that our access has been removed.

Where you keep us on a Retainer, the equivalent of a handoff applies if and when the retainer ends.

12. Questions

If you want more detail before booking an Audit — supplier questionnaires, your firm's DPA, or specific control questions — email lidevlin@rapidreports.org. We will respond within one business day.

13. Company details

RAPID REPORTS SOFTWARE LTD
Company number: 15991805
Andover, Hampshire, United Kingdom
Email: lidevlin@rapidreports.org

Privacy policy →·Terms of service →