Security & Compliance
Security & compliance built for accountancy firms
PracticeGrid is the umbrella platform for your workflows and automation. It is designed to help UK accountancy and advisory firms protect client data, demonstrate good governance and stay aligned with UK GDPR and the Data Protection Act.
This page explains how we think about security, how PracticeGrid is hosted, how data is protected in transit and at rest, and how we support your firm's own compliance obligations. It is written to be understandable for partners and practice managers, not just IT teams.
Data protection
Encryption in transit & at rest
All browser and API traffic uses HTTPS/TLS, and core data stores are encrypted at rest. Passwords and sensitive secrets are never stored in plain text.
Hosting & location
India-based cloud infrastructure
PracticeGrid is hosted on reputable cloud infrastructure in India-based data centres. Core application data is kept within these controlled regions. Some supporting services and integrations may process data in other jurisdictions, as described in our Sub-processor list and legal documentation.
Access & controls
Role-based access control
Within your firm, access is based on least privilege. Roles and permissions are designed to support preparer, reviewer and partner responsibilities and segregated sign-off.
Resilience & trust
Backups, monitoring & status
Automated backups and uptime monitoring help you understand service health. An external status page is planned as the service matures.
Hosting, data location & architecture
Secure infrastructure designed for compliance
PracticeGrid is delivered as a cloud service ("SaaS"), so your team can access workflows from anywhere with an internet connection, while client data remains inside controlled environments.
Core PracticeGrid infrastructure (application, databases and primary file storage) is hosted in India-based regions, providing a clear and predictable home for client data. Supporting services and sub-processors are documented in our legal and sub-processor information.
Separation between application layer, databases, file storage and monitoring systems helps reduce the impact of any single issue.
Access to production systems is limited to authorised team members and governed by internal security policies and procedures.
Encryption, identity & access control
Protecting data and controlling access
Strong encryption and sensible access control are the foundation for protecting client information inside PracticeGrid.
Encryption
We apply modern encryption for data in transit and at rest:
- HTTPS/TLS enforced for all browser and API connections.
- Core databases encrypted at rest by the underlying platform.
- No plain-text password storage; industry-standard hashing is used.
Access & roles
Within your organisation, you stay in control of who can see and do what:
- Role-based access designed to align with preparer, reviewer, manager and partner responsibilities.
- Granular permissions to control who can edit, approve, send and close workflows.
- Support for segregation of duties across sensitive tasks and sign-offs as your use of the platform grows.
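As an added example of the segregation-of-duties idea in the list above (this is illustrative code, not PracticeGrid's permission model; the role names, actions and rules are assumptions), the check below grants actions by role and additionally refuses to let the person who prepared a job approve it, or let anyone send a job before it has been approved. Every decision, allowed or refused, is appended to an audit trail so the firm can later show who did what.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Hypothetical role-to-action map modelled on the roles named on the page.
ROLE_PERMISSIONS = {
    "preparer": {"edit"},
    "reviewer": {"edit", "approve"},
    "manager": {"edit", "approve", "send"},
    "partner": {"edit", "approve", "send", "close"},
}


@dataclass
class User:
    name: str
    role: str


@dataclass
class Job:
    client: str
    prepared_by: Optional[str] = None
    approved_by: Optional[str] = None
    # Audit trail of (user, action, allowed, reason) for every attempt.
    history: List[Tuple[str, str, bool, str]] = field(default_factory=list)


def check_permission(user: User, action: str, job: Job) -> Tuple[bool, str]:
    """Role check first, then workflow rules that cut across roles."""
    if action not in ROLE_PERMISSIONS.get(user.role, set()):
        return False, f"role '{user.role}' may not {action}"
    # Segregation of duties: the preparer of a job never approves it,
    # regardless of how senior their role is.
    if action == "approve" and job.prepared_by == user.name:
        return False, "preparer cannot approve their own work"
    # Workflow ordering: nothing goes to the client before sign-off.
    if action in ("send", "close") and job.approved_by is None:
        return False, f"cannot {action} before approval"
    return True, "ok"


def perform(user: User, action: str, job: Job) -> bool:
    """Apply the action if permitted; record the attempt either way."""
    allowed, reason = check_permission(user, action, job)
    job.history.append((user.name, action, allowed, reason))
    if not allowed:
        return False
    if action == "edit":
        job.prepared_by = user.name
    elif action == "approve":
        job.approved_by = user.name
    return True


if __name__ == "__main__":
    alice = User("alice", "preparer")
    bob = User("bob", "reviewer")
    job = Job("Example Client Ltd")  # constructed sample
    perform(alice, "edit", job)
    perform(alice, "approve", job)  # refused: wrong role
    perform(bob, "approve", job)    # allowed: bob did not prepare it
    for entry in job.history:
        print(entry)
```

Note that the second rule is deliberately independent of the first: a partner who prepared a job is still blocked from approving it, which is the property "segregation of duties across sensitive tasks and sign-offs" actually requires.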
Backups, monitoring & incident response
Preparedness and transparency
No system can guarantee zero incidents. Our focus is on sensible preparedness: detecting problems quickly, restoring service, and keeping customers informed in a clear and timely way.
Backups & recovery
- Automated backups of key application data.
- Backups stored in secure cloud infrastructure with restricted access.
- Internal runbooks to restore service as quickly as reasonably possible.
Recovery time and recovery point objectives (RTO/RPO) are being defined as part of our internal disaster recovery planning and are reviewed as the service evolves.
Monitoring & incidents
- External monitoring to alert us to downtime or degraded performance.
- Operational processes to investigate, triage and resolve incidents.
- We aim to align incident communication with regulatory expectations, including 72-hour breach notification where applicable.
As the platform evolves, we may introduce additional transparency measures, such as more granular incident and availability reporting.
UK GDPR & Data Protection Act support
Structured compliance for your firm
PracticeGrid does not replace your legal advice, but it provides structure, controls and records that support your responsibilities as a controller or processor of client data.
- Processing is tied to specific clients, services and workflows, helping you show why you hold data and how it is used.
- You can see who is assigned to each client or job and what actions they have taken over time.
- Work can be identified, archived or removed in line with your own retention and deletion policies.

A dedicated Legal section will, over time, host the PracticeGrid Master Services Agreement (MSA), Data Processing Agreement (including UK IDTA/Addendum where required), Privacy Notice, Cookie Policy, SLA, Acceptable Use Policy and Sub-processor list.
Documents, e-signatures & email identity
Secure document handling and communication
PracticeGrid works alongside your existing document storage and email infrastructure so that you stay in control of key client communications.
Integrations with services such as Microsoft OneDrive are designed so that documents can remain within your own tenancy while workflows and approvals sit in PracticeGrid.
Engagement letters and key documents can be sent, reviewed and signed through structured workflows, with records of who prepared, reviewed and approved each file.
Files used during conversion or signing are processed and then cleaned up as part of the workflow, reducing unnecessary copies.
We plan to use standard email authentication measures, such as SPF, DKIM and DMARC, for @practicegrid.co.uk mailboxes (support@, security@, privacy@ etc.) to help customers and partners trust messages and reduce spoofing.
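To make the SPF and DMARC part of that sentence concrete, here is an added example (not PracticeGrid's tooling) that assesses a domain's published policy records from a defender's side: it takes the SPF and DMARC TXT record strings as input and lists the weaknesses a receiver would care about. The two record pairs are constructed samples for a placeholder domain, not real DNS data, and the assessment rules are this example's own. DKIM is not covered because its keys live under per-selector names and cannot be judged from the domain's policy records alone.

```python
from typing import Dict, List, Optional

# Constructed sample records for a placeholder domain (not real DNS data).
WEAK_SPF = "v=spf1 include:_spf.mail-provider.example +all"
WEAK_DMARC = "v=DMARC1; p=none"
STRONG_SPF = "v=spf1 include:_spf.mail-provider.example -all"
STRONG_DMARC = (
    "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example-firm.example; "
    "adkim=s; aspf=s"
)


def parse_dmarc(record: str) -> Dict[str, str]:
    """Split 'tag=value; tag=value' into a dict; tag names are case-insensitive."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


def spf_all_qualifier(record: str) -> Optional[str]:
    """Return the qualifier of the 'all' mechanism ('+', '-', '~', '?'),
    or None if the record has no 'all' term. Per RFC 7208 a bare 'all' means '+all'."""
    for term in record.split()[1:]:
        t = term.lower()
        if t in ("all", "+all", "-all", "~all", "?all"):
            return "+" if t == "all" else t[0]
    return None


def assess_email_auth(spf: str, dmarc: str) -> List[str]:
    """Return a list of findings; an empty list means both records are strict."""
    findings: List[str] = []

    terms = spf.split()
    if not terms or terms[0].lower() != "v=spf1":
        findings.append("SPF: record missing or malformed")
    else:
        qualifier = spf_all_qualifier(spf)
        if qualifier == "+":
            findings.append("SPF: '+all' lets any host send as the domain")
        elif qualifier == "?":
            findings.append("SPF: '?all' is neutral; receivers will not reject")
        elif qualifier == "~":
            findings.append("SPF: '~all' softfail only; prefer '-all' once senders are confirmed")
        elif qualifier is None:
            findings.append("SPF: no 'all' mechanism; unlisted senders are treated as neutral")

    tags = parse_dmarc(dmarc)
    if tags.get("v", "").upper() != "DMARC1":
        findings.append("DMARC: record missing or malformed")
    else:
        policy = tags.get("p", "").lower()
        if policy not in ("none", "quarantine", "reject"):
            findings.append("DMARC: 'p' tag missing or invalid")
        elif policy == "none":
            findings.append("DMARC: p=none only monitors; spoofed mail is still delivered")
        elif policy == "quarantine":
            findings.append("DMARC: p=quarantine; move to p=reject when reports look clean")
        if "rua" not in tags:
            findings.append("DMARC: no 'rua' address, so no aggregate reports on spoofing attempts")

    return findings


if __name__ == "__main__":
    for label, spf, dmarc in (("weak", WEAK_SPF, WEAK_DMARC), ("strong", STRONG_SPF, STRONG_DMARC)):
        print(label, assess_email_auth(spf, dmarc) or ["no findings"])
```

Run against your own domain by pasting the TXT records returned for the domain itself and for `_dmarc.<domain>`; the usual progression a firm follows is `p=none` with `rua` set (to learn who legitimately sends on its behalf), then `p=quarantine`, then `p=reject` alongside `-all` in SPF.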
Responsible disclosure & security contact
Working together to strengthen security
If you believe you have found a security issue that affects PracticeGrid or a related service, we encourage responsible disclosure.
- Email security@practicegrid.co.uk with a clear description of the issue.
- Include steps to reproduce, the area of the application you tested, and any potential impact you can see.
- Do not publish details publicly until we have had a chance to investigate and address the problem.
We will acknowledge valid reports, assess the impact and, where appropriate, update you when a fix has been rolled out. Findings are used to strengthen the platform for all customers.