Trust, security & privacy
We built Terrapin so freelancers, small businesses, and CPAs can tame receipt chaos without giving up control of their data. This page explains exactly how we handle permissions, encryption, AI, and sharing.
A privacy-first way to never chase receipts again.
Independent Security, Verified.
Why it matters for Terrapin & receipts
Receipts look small, but they often contain:
Merchant details and line items
Dates, amounts, and tax
Last four digits of cards and other sensitive spend info
For freelancers, small businesses, and CPAs, that’s exactly the kind of data that needs to be locked down. SOC 2 Type II gives you confidence that:
Terrapin’s infrastructure, access, and monitoring meet a recognized bar used across finance and SaaS.
The same controls apply whether it’s one receipt or a million – the system is audited, not each customer.
Your receipt history and audit trail sit on top of controls that have been tested, not just promised.
What’s different about Terrapin’s use of SOC 2
Lots of tools touch financial data; Terrapin is focused on receipt intelligence, so we combine:
SOC 2–aligned controls with a strict data minimization model
We only ingest receipt-like content you send, and we keep only what’s needed for records.
AI inside SOC 2 guardrails
AI features run only over your Terrapin workspace data and are covered by the same access, logging, and monitoring controls.
CPA-oriented workflows
Our secure sharing flows and audit trails are built for firms that need to prove what happened with a document, not just store it.
SOC 2 for us isn’t just a checkbox – it’s the foundation for how receipts move from inbox/camera to your CPA without leaking along the way.
“Same bar as the tools you already trust”
SOC 2 Type II is the same standard used by many of the tools people rely on every day for money and work – from banking and payroll platforms to e-signature and practice-management systems.
That means when you use Terrapin for receipts, you can hold it to the same security and privacy bar as the “old faithful” tools already in your stack, instead of trusting a one-off startup standard.
SOC 2 Type II isn’t a “startup thing” – it’s the same security standard used by many tools your team already relies on every day, including (depending on your stack and edition):
Cloud productivity & storage – Google Workspace, Microsoft 365, Dropbox, Box
Collaboration – Slack, Zoom, Notion
Finance & payroll – Stripe, QuickBooks Online, Xero, Gusto, ADP
E-signature & documents – DocuSign, HelloSign (Dropbox Sign)
Each of these providers maintains SOC 2 reports to show how they protect customer data. Terrapin is built to reach that same bar for receipt data – so storing and organizing receipts doesn’t sit on a weaker foundation than the rest of your financial stack.
GDPR: Control and rights over your personal data
What is GDPR?
The General Data Protection Regulation (GDPR) is the EU and UK framework that governs how organizations collect, use, and protect personal data. It’s built around a few core ideas: only collect what you need, be clear about why you’re using it, keep it secure, and give people meaningful control and rights over their information.
Why it matters for Terrapin & receipts
Receipts often include personal data - names, emails, partial card details, locations, and patterns of spend. If you’re in the EU/UK or working with clients who are, you need tools that respect GDPR principles instead of creating extra risk. For Terrapin, that means:
Treating receipt data as personal data that must be protected
Only processing it for clear, legitimate purposes (organizing and reporting spend, not advertising)
Providing clear routes for access, export, correction, and deletion
What GDPR looks like in Terrapin
Terrapin is built to support GDPR-aligned practices:
Lawful, limited use – We process receipt data only to provide and improve Terrapin’s receipt intelligence features, not to build advertising profiles.
Data minimization – We only ingest receipt-like content you send and keep only the fields needed for your records.
Transparency & rights – You can review connected accounts, export your data, and request deletion. Your choices are reflected in our Trust Portal and policies.
Subprocessors & location – We document key subprocessors, data locations, and safeguards in our Privacy Policy and our Trust Portal so you can factor Terrapin into your own GDPR obligations.
Cyber Essentials: Robust defenses against common threats
What is Cyber Essentials?
Cyber Essentials is a UK government–backed scheme that defines a clear baseline for defending against the most common internet-borne attacks. It focuses on five practical areas: secure configuration, boundary firewalls, access control, malware protection, and keeping devices and software up to date.
Why it matters for Terrapin & receipts
Even the smartest receipt intelligence platform is only as safe as the environment it runs in. Cyber Essentials is about making sure the day-to-day building blocks - servers, endpoints, networks, and admin access - aren’t the weak link.
For Terrapin, this matters because your receipts and expense history live on systems that must be protected from:
Basic account takeover attempts
Opportunistic malware and ransomware
Exploits against unpatched or misconfigured services
What Cyber Essentials looks like in Terrapin
Our approach is aligned with the controls defined in Cyber Essentials:
Hardened configurations – Servers and services are deployed with secure defaults, not “open by default” settings.
Access control & MFA – Admin and internal access is restricted on a least-privilege basis and protected with multi-factor authentication.
Patch & update practices – We keep operating systems and key software components updated on a regular schedule.
Malware & endpoint protection – Company devices follow a standard for protection, encryption, and safe access.
Network boundaries – Production systems are segmented and monitored to reduce the blast radius of potential attacks.
How Terrapin Protects Your Data
Permissions you control
Terrapin works only with the data you explicitly allow. You choose device-level access for camera/photos (optional location) and connect email/calendar via read-only OAuth scopes.
Choose what Terrapin sees
Terrapin only ingests emails and photos that look like receipts or invoices, plus files you manually upload. Not your entire inbox. Not your entire camera roll.
Encrypted on the way in
When you send a receipt, it travels over encrypted connections (TLS) from your device or email into Terrapin. No one can read it in transit.
Only what’s needed is kept
We confirm it’s a receipt, then pull only the fields needed for your records - like date, amount, vendor, and tax - and drop the rest. No extra data stored “just in case.”
Governed by SOC 2
Receipt data is stored in encrypted databases with SOC 2–aligned controls: access logs, least-privilege permissions, and full audit trails for changes.
How AI is used
AI runs only over your Terrapin workspace to help you search, filter, and summarize receipts. It doesn’t train on your data, doesn’t see other customers’ data, and doesn’t make tax decisions for you.
Secure sharing with CPAs
When you’re ready to loop in your accountant, Terrapin sends your CPA a secure email link to the records you choose. Nothing is shared beyond what you authorize.
Your data, never sold
Terrapin’s business model is simple: we charge for the product, not for your data. We don’t sell your information to advertisers or data brokers.
Control, export & deletion
You can review connected accounts, revoke access, download your data, and request deletion. If you decide to leave Terrapin, your data doesn’t stay behind.