Security and Privacy

Audit trail

Every action — extraction, approval, correction, rejection, push, autonomy decision — is recorded immutably. You see this on:

  • The activity feed for any document (who did what, when).
  • The "Tally explains" footer on each document (why she decided what she decided).
  • The push history page (every QuickBooks push with timestamp + result).

If you're a bookkeeper, the audit trail tracks which team member took which action, so a firm always has accountability for client work.

Bookkeeper vs client visibility

When a bookkeeper is assigned to a client, what they see depends on the access level:

  • View — read-only. Documents, notes, history. Can't change anything.
  • Review — review-level. Can approve / correct / reject documents, push to QuickBooks, manage day-to-day operations.
  • Full — full operational access plus client-workspace settings, GL mappings, and assigning other team members.

The client is always the Portal Owner of their own workspace. The Portal Owner decides who has access. If a Portal Owner revokes a bookkeeper's access, that bookkeeper can no longer see the client's data — even if they previously did.

Common issues

  • "A team member at my firm shouldn't have access to a client they're seeing." Check the assignment — Settings → Team → that team member → Assignments. Remove the assignment if it's wrong.
  • "A bookkeeper had access to my business and I want to revoke it." As the Portal Owner, open Settings → Access → revoke the bookkeeper's grant. They lose access immediately.
  • "My client's data showed up in another client's view." This shouldn't happen. If you ever see it, contact support@uppago.com immediately with the specifics — it would be a real bug.
  • "Tally auto-approved something I wouldn't have." Reject the document within the override window. Tally absorbs the override; future similar documents stay in your review queue. You can also reduce or pause autonomy for that vendor in settings.
  • "Can I get my data out of UppaGo?" Yes. Email support@uppago.com to request an export. CSV and JSON formats are supported.

Connections — bank and QuickBooks

  • Bank connections flow through Plaid. Tally never sees your bank credentials. Plaid issues Tally a scoped, read-only token. You can disconnect at any time from your settings.
  • QuickBooks connections use Intuit's standard OAuth. You authorize Tally for a specific QuickBooks company; Tally never sees your Intuit password. You can revoke access from QuickBooks's own connection management at any time.

If you're a bookkeeper using a client's connections, the credentials live with the client. You're authorized to use them via your assignment, not because you have the keys.

Data retention

  • Documents and learned patterns persist as long as your account is active.
  • If you cancel, your data is preserved (downgraded workspaces stay readable; you can re-subscribe later).
  • Audit logs and event data follow severity-graded retention windows: routine events trim faster than security/compliance events.
  • You can request a data export at any time by contacting support.

Human approval is the rule, not the exception

Tally's autonomy is earned, not assumed:

  • For every vendor, Tally starts at "Manual" — humans review every document.
  • After several consistent reviews, she suggests; you confirm.
  • After more, she handles routine documents and you only see exceptions.

A vendor never auto-approves until enough live human reviews have built the track record. Imports give Tally context, not authority. See How Tally learns for the details.

You can always override Tally:

  • Reject any auto-approved document within the override window.
  • Reduce or pause autonomy for a vendor.
  • Disable autonomy entirely for a client.

What firms see in their Command Center

The Bookkeeper Command Center rolls up information across the firm's clients:

  • Counts and summaries (e.g., "8 of 42 clients close-ready", "Hours Saved across the firm: 47").
  • KPI tiles for ROI and close readiness.
  • Top blockers (e.g., "12 clients have unmapped GL accounts").

These are aggregations. Drilling into a specific number takes the firm operator into a single client's workspace, where standard workspace isolation applies. The Command Center never shows raw documents from one client to a team member who isn't assigned to that client.

What Tally doesn't share

  • Other clients' data. Two clients in the same firm never see each other's anything.
  • Other firms' data. Patterns Tally learns inside one firm stay inside that firm. They never seed defaults for a different firm's clients.
  • Backend secrets. Tally never reveals implementation details, environment configuration, or other operational specifics — even when you ask. If you ask "what database do you use?" the answer is "we keep your data secure" not a technical breakdown.

What you'll do

  • Understand who can see what across firms, clients, and team members.
  • Know how Tally's autonomy interacts with your right to override.
  • See what's tracked in the audit trail.
  • Find the right help article when a privacy question is really a permissions question.

Workspace boundaries — what they mean

Every business in UppaGo has its own workspace. Documents, vendors, usual vendor patterns, learned history, and the entire memory layer for one workspace are scoped to that workspace.

  • Two SMBs using UppaGo independently never see each other's anything. Different accounts, different workspaces, full separation.
  • A firm managing multiple clients sees each client as a separate client workspace. The firm operator is the only person with cross-client visibility — and only for clients they're explicitly assigned to. Documents, vendors, and numbers from one client are never visible inside another client.
  • Firm memory (Business tier) is the one cross-client thing — but it's patterns, not raw data. "This firm consistently maps Adobe Creative Cloud → Software Subscriptions" can be a default for new clients. The actual Adobe invoices, amounts, and notes from one client are never visible inside another.

Still stuck? Ask Tally about this.

Tally answers from the Help Center and Cortex. Account-specific questions need you to be signed in.