It is a fair thing to worry about. Your books and fuel data are the most sensitive part of your business, and handing them to software with AI features deserves a straight answer rather than a sales pitch. This page names the specific protections to look for, what the major AI vendors actually do with your data, and the questions that separate a careful vendor from a careless one.
The honest answer
Cloud software can be safer than the server in your back office, but only when specific protections exist. Look for four markers: AES-256 encryption for stored data, TLS 1.2 or higher (1.3 preferred) for data in transit, multi-factor authentication on every login, and a current SOC 2 Type II report from an independent auditor. The first three are controls; the fourth is evidence, because a Type II report means an outside auditor has tested those controls over a period of months rather than confirming they exist on paper. Of the three controls, multi-factor authentication does the most day-to-day work, since a stolen or phished password is the most common way into a cloud account. A vendor with none of the four is asking you to take its word. The same logic drives the cloud vs on-premise decision.
What a breach actually costs
IBM's 2025 Cost of a Data Breach Report puts the average breach at $4.44 million globally and $10.22 million in the United States. A small fuel business will not see a bill that size, but the same components scale down: forensic investigation, legal fees, customer notification, and lost trust. Those figures shift each year, so confirm the current report before repeating them. The conclusion holds either way: a breach costs far more than the time it takes to vet a vendor.
What about AI features?
Three questions matter, and each has a checkable answer. First, is your data used to train AI models? The major AI providers exclude business data from training by default. OpenAI stopped training on API data by default in March 2023 and applies the same default to its business tiers, and Anthropic's commercial terms keep customer data out of training unless you opt in. Ask your software vendor which provider it uses, under which tier or terms, and whether that default covers your account. Second, is your data retained by the AI provider after each request, and for how long? Not training on data is a separate commitment from not keeping it; providers commonly hold request logs for a limited period for abuse monitoring, so ask for that window specifically. Third, can you turn the AI features off entirely? Policies change, so get answers in writing and recheck them at renewal. FastDragon publishes its answers to all three on its security page, including the Dragonfire layer every product runs behind.
How to judge a vendor
Ask these five questions and write down the answers:
- How is my data encrypted? You want the standards named: AES-256 at rest, TLS 1.2 or higher in transit. "Bank-level security" with no specifics is a dodge. Keep in mind that encryption at rest protects against a stolen disk or backup, not against someone logged into the application, which is why the next question matters.
- Who can see my data? You want role-based access for your staff, an audit log that records every view by the vendor's staff, and vendor support access that is time-limited and granted only when you approve it.
- Do you have a SOC 2 Type II report? You want a yes, plus a copy under NDA. When you get it, check three things: the audit period ends within the last 12 months, the scope names the product you are buying, and the exceptions section is short and explained.
- Is my data used to train AI models? You want a written no, or a clearly labeled opt-in you never have to touch.
- How are backups handled? You want automatic offsite backups, a restore process the vendor has actually tested, and a written commitment to how much data you could lose (recovery point) and how long a restore takes (recovery time).
Vague answers to any of these are the warning sign. Our software selection checklist covers the rest of the evaluation.
Common questions
Should employees paste financial data into free AI chatbots?
No. Free consumer chatbot tiers can use conversations for model training unless the user changes a setting, and a pasted spreadsheet leaves no audit trail. If your team wants AI help with the books, use a business-tier product with a written no-training commitment and set a company policy on what can be pasted where.
What happens to my financial data if I cancel the software?
A reputable vendor lets you export your full records in a standard format such as CSV, then deletes your data after a stated retention window, commonly 30 to 90 days. Ask whether that deletion covers backup copies too; backups usually expire on a longer schedule, and the vendor should be able to state it. Get both commitments in writing before you sign. If a vendor cannot explain how you get your data out, do not put it in.
Will the IRS accept books kept in cloud software?
Yes. IRS Revenue Procedure 97-22 permits keeping books and records in electronic storage systems as long as the records stay accurate, accessible, and reproducible. You must be able to produce legible reports for any past period during an audit, so confirm your software can export complete historical reports.
How quickly does a vendor have to tell me about a data breach?
Every US state has a data breach notification law, but deadlines vary and most of the legal duty falls on the business that owns the data, meaning you. A vendor that merely stores your data is often required only to tell you "without unreasonable delay", which is too vague to plan around. The part you control is the contract: ask the vendor to commit in writing to notifying you within a fixed window, such as 72 hours from discovery, so you can meet your own obligations on time.