TradesmenSmall BusinessesHow It WorksGet a Free EstimatePricing
BlogHelp CentreFAQSupportOur Infrastructure
StripeXeroQuickBooksHMRC (MTD)Meta Lead AdsCloudflareWhatsApp AI
AboutPartner APIContactPortfolioPrivacy PolicyTerms of Service
A.X.E.L
Integrations

Integration Security & Data Protection

How A.X.E.L protects your data when connecting to Google Calendar, Xero, QuickBooks, and Stripe.

Your Data, Protected

When you connect A.X.E.L to accounting software like Xero or QuickBooks, you're trusting us with access to sensitive financial data. We take that seriously. This article explains exactly what we do to keep your data safe.

We don't just meet the minimum requirements — we've built security into every layer of the integration, from the initial connection to every sync that runs.

OAuth 2.0 with PKCE

Every integration uses OAuth 2.0 — the industry standard for secure authorization. You log in directly with Xero or QuickBooks; we never see or store your password.

On top of standard OAuth, we use PKCE (Proof Key for Code Exchange) with SHA-256 hashing. This is the same security method used by banking apps and financial institutions. It prevents a class of attack called "authorization code interception" — even if someone intercepted the connection process, they couldn't use it to access your account.

In plain English: Your login is between you and Xero/QuickBooks. We get a limited access token that can only do what you authorised — nothing more.

What We Can and Can't Do

A.X.E.L integrations are one-way push only. This means:

  • ✅ We can create new records in your accounting software (invoices, contacts, expenses, payments)
  • ❌ We cannot read your existing accounting data
  • ❌ We cannot modify records we didn't create
  • ❌ We cannot delete anything from your accounts
  • ❌ We cannot access your bank feeds, payroll, or tax returns

We request only the minimum permissions needed. For QuickBooks, that's com.intuit.quickbooks.accounting. For Xero, it's accounting transactions, contacts, and settings — no payroll, no reports, no admin access.

Token Security

When you connect, we receive short-lived access tokens from Xero/QuickBooks. Here's how we handle them:

  • Tokens are stored encrypted in our database — they're never exposed in URLs, logs, or client-side code
  • Access tokens expire automatically (typically within 1 hour) and are refreshed behind the scenes
  • Token refresh is race-protected — if multiple requests try to refresh at the same time, only one proceeds. This prevents token corruption
  • Refresh depth is capped — if token refresh fails repeatedly, we stop retrying instead of looping endlessly
  • State tokens expire in 10 minutes — the temporary tokens used during the connection process are single-use and short-lived

CSRF Protection

Every OAuth connection flow includes a cryptographically random state token. This prevents Cross-Site Request Forgery (CSRF) attacks — a type of attack where someone tricks your browser into connecting a malicious account.

The state token is generated server-side, stored in our database with a 10-minute expiry, and validated when you return from Xero/QuickBooks. If the token doesn't match exactly, the connection is rejected.

Owner-Only Access

Integration management is restricted to the account owner. This means:

  • Only the owner can connect or disconnect accounting integrations
  • Only the owner can change auto-sync settings
  • Team members (managers and staff) cannot access the OAuth flow, even if they have the Settings page open
  • The callback verifies the authenticated user matches the one who started the connection

This prevents a team member from accidentally (or maliciously) connecting your A.X.E.L account to their personal accounting software.

Duplicate Prevention

Nobody wants duplicate customers or invoices cluttering up their accounts. A.X.E.L prevents duplicates at multiple levels:

  • Sync log tracking — every synced entity is recorded. Before creating anything new, A.X.E.L checks if it's already been synced
  • Remote API queries — if the sync log doesn't have a match, A.X.E.L queries Xero/QuickBooks by name or invoice number to find existing records
  • Upsert logic — when a match is found, A.X.E.L updates the existing record instead of creating a duplicate
  • Name collision handling — if a customer name clashes with a vendor or employee in QuickBooks, A.X.E.L automatically disambiguates

Clean Disconnection

When you disconnect an integration, A.X.E.L doesn't just remove the tokens from our side. Here's the full process:

  1. Token revocation — we call Xero/QuickBooks to revoke your access tokens at their servers, so they can't be used even if somehow recovered
  2. Local cleanup — all stored tokens, refresh tokens, and connection metadata are deleted from our database
  3. Sync log cleanup — sync records are cleared so that if you reconnect to a different organisation, there's no stale data causing conflicts

Your data in Xero/QuickBooks is not affected — everything that was synced stays there. We just remove our access completely.

VAT & Tax Accuracy

Financial data needs to be precise. A.X.E.L sends full tax detail to your accounting software:

  • Full TaxLine arrays with tax rate references, percentages, and net taxable amounts
  • Tax-excluded calculation mode so your accounting software applies tax consistently
  • Per-line-item tax codes for accurate VAT treatment across mixed-rate invoices

Your accountant will see proper tax breakdowns, not estimated figures.

Configurable Account Mappings

A.X.E.L doesn't assume your chart of accounts looks like everyone else's. When you connect, your accounts are fetched automatically and you can map each A.X.E.L category (materials, tools, fuel, etc.) to the exact account in your QB or Xero setup.

  • No hardcoded account IDs — every account reference is configurable per client, per provider
  • Smart filtering — expense categories show expense-type accounts, the bank field shows bank-type accounts
  • Refresh without reconnecting — re-fetch your chart of accounts any time your accountant makes changes
  • Sensible defaults — if you don't configure mappings, reasonable fallbacks are used so syncing still works out of the box

Stripe Payment Security

If you accept payments through Stripe:

  • Stripe Connect is used — customers pay into your Stripe account directly. A.X.E.L never handles your customers' card details
  • Webhook signature verification ensures payment notifications are genuinely from Stripe
  • Double-submit protection prevents duplicate payments within 30 seconds
  • Payment records are created in your A.X.E.L database and synced to your accounting software automatically

Infrastructure

A.X.E.L runs on Cloudflare's global edge network:

  • Edge-first architecture — your data is processed at the nearest data centre, not a single server somewhere
  • DDoS protection built in at the network level
  • HTTPS everywhere — all connections are encrypted in transit
  • Plan-gated API routes — integration endpoints check your subscription plan before processing. No sneaky free access to paid features

What We Don't Do

Just as important as what we do:

  • We don't sell your data — ever, to anyone
  • We don't store card numbers — Stripe handles all payment processing
  • We don't share your accounting data with other users, analytics platforms, or third parties
  • We don't access your accounts beyond what's needed for syncing
  • We don't keep tokens after disconnection — they're revoked and deleted

Questions?

If you have any questions about how we handle your data, get in touch. We're happy to explain anything in more detail. Security isn't a feature we tacked on — it's built into how A.X.E.L works from the ground up.

Was this article helpful?

Need more help?

Can't find what you're looking for? We're here to help.

Contact Us
Let's talk