Security
Figures is built for people who are careful with other people’s books. Here is exactly what we can and can’t touch.
We never write to your books. Ever.
Figures reads from QuickBooks and writes only to your Google Sheet. It is read-only by design, so your books stay untouched.
| Read-only QuickBooks | We connect to QuickBooks Online through Intuit’s official OAuth (scope com.intuit.quickbooks.accounting) and use it for read operations only. We pull the reports you choose. We never create, modify, or delete anything in your books. |
|---|---|
| Narrow Google access | Figures requests Google’s drive.file scope, the narrowest one that does the job. It can only open the Sheets it created or that you explicitly picked; it cannot see the rest of your Google Drive. |
| Nothing retained | Your report numbers pass through our servers straight into your Google Sheet and are not retained after the sync completes. We store the plumbing: your account, your sync settings, and sync run records (status, timing, row counts, error codes), never the contents of your reports. |
| Encryption | In transit, everything moves over TLS (HTTPS). At rest, your QuickBooks and Google access tokens are encrypted with AES-256-GCM before they’re stored. Access to production systems is limited to the founder. |
| Your Sheet stays yours | Your reports live in your own Google Sheet, in your own Google Drive. If you ever leave Figures, your data stays with you. It’s your Sheet. Deleting Figures never touches your Sheets. |
| Deletion in 30 days | Delete a sync and its configuration and run history are removed within 30 days. To close your account, email support@figureshq.com and we delete everything we store (account, tokens, settings, run records) within 30 days. Your Google Sheets are yours and are left untouched. |
| Revoke anytime | You’re in control and can disconnect at any time. Revocation takes effect immediately, from any of three places: Figures Settings (remove the company connection), your Intuit account’s connected apps, or your Google Account’s third-party access. |
| SOC 2 | Figures isn’t SOC 2 attested yet, and we won’t claim otherwise until it is. A SOC 2 attestation(a SOC 2 report is an attestation, never a “certification”) is on our roadmap as Figures grows. Until then, this page is the straight account of how your data is handled. |
Security questions, or want to report something? Email support@figureshq.com. A real person (the founder) reads it.
See also our Privacy Policy and Terms. Every claim on this page mirrors the Privacy Policy exactly.