Why accounting data encryption matters (and why WhatsApp isn't enough)

factcurier
security, GDPR, encryption, accounting

Think about the last 3 months of communication with your accountant. You’ve sent invoices, bank statements, employment contracts, payroll slips. Probably over WhatsApp, maybe email, maybe both. Maybe you also have a shared folder on Google Drive.

Now think about what a competitor could do with that information. Or a disgruntled employee. Or a hacker who breaches a database.

It’s not paranoia. It’s a conversation that far too few business owners in Romania are having.

What you’re actually sending your accountant

Let’s put on paper everything that flows between you and your accountant in a fiscal year. The list is longer than you think:

Financial documents:

  • Issued invoices — with your exact prices, markups, discounts
  • Received invoices — with your suppliers, their prices, payment terms
  • Bank statements — every leu going in and out of the company
  • Receipts and fiscal vouchers
  • Supplier contracts — including negotiated terms

HR documents:

  • Employment contracts — with every employee’s salary
  • Payroll slips — how much each person earns, bonuses, deductions
  • Identity documents (national ID number, address, ID card series)
  • Medical certificates
  • Children’s birth certificates (for tax deductions)

Strategic documents:

  • Trial balances — the complete picture of your business
  • Financial statements — profit, loss, assets, liabilities
  • Cash flow forecasts (if you do them)
  • Loan agreements

Put all of this together and you have a complete X-ray of your business. You know how much every employee earns, how much you pay each supplier, what your margin is on every product, how much money you have in the bank, and how much you owe.

A competitor with access to this data would know exactly where to hit you — they could undercut your suppliers’ prices, recruit your employees with offers calibrated to their actual salaries, bid below your real costs.

The WhatsApp illusion

“But WhatsApp has end-to-end encryption!” — yes, it does. And that’s a good thing. But let’s look at what that actually means in practice for communicating with your accountant.

What WhatsApp does well

Messages are encrypted in transit — nobody can read them between your phone and your accountant’s phone. Not Meta, not your phone carrier, not a hacker on the same WiFi network. That’s real and valuable.

What WhatsApp doesn’t do

1. Backups aren’t encrypted by default

When you back up to Google Drive or iCloud, messages are stored unencrypted (or encrypted with Google’s/Apple’s key, not yours). That means anyone with access to your Google account can read your entire chat history. WhatsApp has added an encrypted backup option, but it’s not enabled by default and few people use it.

2. Meta has access to metadata

Even if it can’t read your messages, Meta knows: who you talk to, how often, at what times, what files you send (size, type). For a company that makes money from data, that’s valuable.

3. Screenshots exist

Anyone in the conversation can take a screenshot and forward it. That’s not a flaw in the encryption — it’s a reality of digital communication. But on WhatsApp, you have zero control over or log of these actions.

4. Personal and professional are mixed together

On the same WhatsApp where you send employment contracts with national ID numbers, you also send photos from Saturday’s party. The same phone you leave unlocked on the restaurant table, lend to your kid to play games, connect to the hotel WiFi.

5. No audit trail

If someone deletes a message or a file, it’s gone. There’s no log, no versioning, no way to prove what was sent and when. In a tax dispute or an ANAF inspection, that can be a problem.

The “email + attachments” alternative

It’s even worse. Standard email (without PGP or S/MIME, which nobody uses) has no end-to-end encryption. Messages pass through servers in plain text. Files sit in inboxes for years, often without two-factor authentication.

And yet, many accountants receive documents by email. National ID numbers, salaries, contracts — all in plain text, in an inbox protected by the password “accountant2024”.

What end-to-end encryption means, in plain English

End-to-end encryption (E2E) means data is turned into code on your device and decoded only on the recipient’s device. Nobody else — not the company providing the service, not the server administrator, not a hacker intercepting traffic — can read the content.

Imagine sending a letter in a safe. Only you and the recipient have the key. The courier carries the safe but can’t open it. Neither can city hall, nor the police (without a warrant compelling you to hand over the key), nor the company that built the safe.

What E2E protects:

  • The content of messages and files
  • Against interception in transit
  • Against unauthorized access on servers
  • Against nosy employees at the service provider

What E2E does NOT protect (on its own):

  • Against someone with physical access to your phone/computer
  • Against screenshots or manual copies
  • Against phishing (if you give away your password, encryption can’t save you)

Encryption is an essential component, not a magic solution. But without it, everything is in plain text — and that’s unacceptable for financial data.

GDPR and accountant-client communication

This is where things get legally interesting. And surprisingly under-discussed.

What GDPR says

The General Data Protection Regulation (GDPR) applies to any entity processing personal data of EU citizens. The data you send your accountant — national ID numbers, addresses, salaries — is personal data. Some of it (medical certificates) is even sensitive data.

GDPR requires:

  • Data minimization — collect only what you need
  • Security of processing — protect data with appropriate technical measures
  • Storage limitation — don’t keep data longer than necessary
  • Accountability — you must be able to demonstrate compliance

What happens in practice

Accounting firms are joint controllers or data processors under GDPR. In theory, there should be a data processing agreement (DPA) between you and your accountant. In practice, almost nobody has one.

When you send an employment contract over WhatsApp, you’re probably violating:

  • Art. 32 GDPR — the obligation to ensure security of processing through appropriate technical measures
  • Art. 5(1)(f) — the principle of integrity and confidentiality

Nobody has been fined in Romania for this. Yet. But GDPR wasn’t written for “when it happens” — it was written for “before it happens”.

The fines are real

The National Supervisory Authority for Personal Data Processing (ANSPDCP) has issued fines worth millions of euros in Romania. To large companies, for now. But the regulation applies equally to a small LLC with 3 employees sending payroll slips over unencrypted email.

The theoretical maximum: 20 million euros or 4% of global annual turnover — whichever is higher.

Concrete risk scenarios

Let’s step out of theory. Here are situations that actually happen — regardless of which platform you use:

Scenario 1: The employee who leaves angry

You have an employee with access to the WhatsApp group where you discuss things with the accountant. You fire them. They have the entire message history — invoices, salaries, contracts. Out of frustration, they post screenshots of colleagues’ salaries on an anonymous forum. Result: internal demotivation, potential resignations, zero legal consequences for the former employee (hard to prove who published it).

This isn’t just a WhatsApp problem — any app on an unlocked phone is vulnerable to screenshots. The difference lies in access control: on WhatsApp you can’t retroactively revoke access to the conversation, but don’t kid yourself that any platform can prevent a screenshot that’s already been taken.

Scenario 2: Phishing the accountant

The accountant receives an email “from ANAF” asking them to log in. They enter their credentials. The attacker now has access to the accountant’s email, which holds documents from 50 companies. This already happens — it’s not hypothetical.

This is where end-to-end encryption genuinely helps: even if an attacker gains access to the email server, data on an E2E platform remains encrypted on the server. But if the phishing targets the platform directly (any platform), encryption can’t save you — the attacker has your credentials.

Scenario 3: The unexpected ANAF audit

ANAF requests your communication history with the accountant. On WhatsApp, old messages have been deleted, files have expired. You can’t prove which documents you sent and when. On email, everything is there, but so are things that probably shouldn’t be.

Here, an audit trail (a complete log of transmissions) makes the real difference — not encryption per se, but a clear record of what was sent, when, and who confirmed receipt.

What an accounting platform should do

Looking at the risks above, a professional accounting communication platform should provide:

  1. Real end-to-end encryption — not just in transit, but also at rest on servers
  2. Clear separation of personal and professional — a dedicated channel, not WhatsApp
  3. Controlled access — only authorized people see the documents
  4. Audit trail — a complete log of who sent what and when
  5. Controlled retention — documents are kept as long as needed, not forever
  6. No platform access to data — the service provider cannot read your documents

These aren’t exotic requirements. They’re baseline requirements for any system handling sensitive financial data. Banks meet them. Audit firms meet them. It’s only in small-business accounting that everyone pretends WhatsApp is good enough.
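
One way to satisfy requirements 4 and 6 together, shown as an added example (not factcurier's code and not part of the original post): a hash-chained transmission log that stores only the SHA-256 of each already-encrypted file, so the log proves what was sent and when without holding readable content. The function names, actor labels, timestamps and sample ciphertext bytes are constructed for illustration.

```python
import hashlib
import hmac
import json
from typing import Optional

GENESIS = "0" * 64  # prev_hash used by the first entry

def entry_hash(body: dict) -> str:
    # Canonical JSON so the same entry always produces the same hash.
    raw = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(raw).hexdigest()

def record(entries: list, event: str, actor: str, ciphertext: bytes, ts: str) -> str:
    """Append one transmission event; return the new head hash (the receipt)."""
    body = {
        "seq": len(entries),
        "event": event,  # e.g. "sent" or "received"
        "actor": actor,
        "timestamp": ts,
        # Digest of the already-encrypted file: the log never sees plaintext.
        "doc_sha256": hashlib.sha256(ciphertext).hexdigest(),
        "prev_hash": entries[-1]["hash"] if entries else GENESIS,
    }
    entries.append({**body, "hash": entry_hash(body)})
    return entries[-1]["hash"]

def verify(entries: list, expected_head: Optional[str] = None) -> Optional[str]:
    """Return None if the log is intact, otherwise a short reason."""
    prev = GENESIS
    for i, e in enumerate(entries):
        body = {k: v for k, v in e.items() if k != "hash"}
        if e["seq"] != i or e["prev_hash"] != prev:
            return f"entry {i}: chain broken (entry removed, inserted or reordered)"
        if not hmac.compare_digest(entry_hash(body), e["hash"]):
            return f"entry {i}: contents altered"
        prev = e["hash"]
    # The chain alone cannot show that the newest entries were dropped;
    # that needs the head hash each party kept as a receipt.
    if expected_head is not None and not hmac.compare_digest(prev, expected_head):
        return "head mismatch: latest entries missing or log rewritten"
    return None

# Constructed sample data: the byte strings stand in for encrypted files.
LOG: list = []
record(LOG, "sent", "client", b"<ciphertext of payslip.pdf>", "2024-03-01T09:00:00Z")
record(LOG, "received", "accountant", b"<ciphertext of payslip.pdf>", "2024-03-01T09:05:00Z")
HEAD = record(LOG, "sent", "client", b"<ciphertext of invoice.pdf>", "2024-03-02T10:00:00Z")
```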

What factcurier does differently (and what it doesn’t)

Let’s be honest about what our encryption solves and what it doesn’t.

factcurier distributes AI tools to accountants and their clients, and uses the Matrix protocol — an open, publicly audited protocol based on the same cryptography as Signal (Olm/Megolm). Documents are encrypted on your device and decrypted only by your accountant. Our servers cannot read the content.

What this actually solves:

  • Nobody at factcurier can read your data — not us, not a curious employee, not a hacker who breaches the server
  • By communicating on a channel separate from WhatsApp, your accounting data no longer sits next to barbecue photos and chats with friends
  • You get a complete audit trail — what was sent, when, and by whom

What it does NOT solve:

  • If someone has your unlocked phone, they can read data in factcurier just as easily as in WhatsApp
  • Screenshots and manual copies work on any platform
  • Phishing can compromise you on any service — if you give away your password, encryption is irrelevant
  • An employee with legitimate access can see data as long as they have access — revoking it doesn’t erase what they’ve already seen

The bottom line: accounting data deserves at least the same level of protection you get with online banking. factcurier provides that. But no platform is a magic shield against every risk.

What you can do right now — 5 practical steps

Even if you don’t use factcurier or another secure platform, you can immediately improve the security of your communication with your accountant:

1. Enable encrypted backups on WhatsApp

Settings → Chats → Chat Backup → End-to-end Encrypted Backup → Turn On. It takes 30 seconds and protects your cloud history.

2. Use a separate channel for accounting

Don’t send financial documents on the same personal WhatsApp. Create a dedicated group or use your company email (not your personal one).

3. Enable two-factor authentication

On email, on WhatsApp, on SPV, on everything. It’s the simplest and most effective security measure. Don’t skip it.

4. Ask your accountant for a data processing agreement (DPA)

If your accountant processes your employees’ personal data (and they do), GDPR requires a written agreement. It doesn’t need to be complicated — 2-3 pages covering: what data, for how long, how they protect it, what happens when the contract ends.

5. Do an inventory of the data you’ve shared

Look at your conversation with your accountant from the last 3 months. Note what types of documents you’ve sent. Think about who else has access to that conversation. If the answer scares you, it’s time to change something.

Conclusion

Encrypting accounting data isn’t about paranoia or excessive compliance. It’s about the fact that your business’s financial data is the most valuable information you have — and you’re sending it over channels that weren’t built for that.

WhatsApp is excellent for quick coordination and personal conversations. It’s not a professional tool for transferring sensitive financial data. Email is even less suited for it.

The solution isn’t to stop communicating digitally with your accountant — it’s to use channels built with security as the priority, not as a bonus. Whether it’s factcurier or something else, make sure your financial data is protected at least as well as the money in your bank account.

Because, in the end, information about money is often worth more than the money itself.