The bar is set high at Qwoater – and rightly so
How YieldDD’s code-guided pentest strengthened security, awareness, and client trust.

Security must be demonstrably airtight
Since its founding in 2016, Qwoater has been driven by one clear promise: making document management for accountants smarter, more centralized, and more secure. What began as a simple observation by Ernesto – CEO of Qwoater – has grown into a document hub now used by more than 350 firms across the Netherlands.
With clients such as Grant Thornton, BDO, and Flynth, “reasonably secure” is not an option. At Qwoater, security must be demonstrably airtight, down to the source code.
“We manage sensitive information for over a million employees and more than 100,000 companies. That has to be done right. Not in name, but in practice.”
Rethinking document management
The observation that led to Qwoater came directly from practice. “In accountancy, I saw that handling client documents was far from optimal and certainly not always secure. Yet that is exactly where the highest risk and responsibility lie,” Ernesto explains. With his background in accountancy and consultancy, he not only saw the shortcomings but also how they could be improved.
The result was Qwoater: a cloud-based document hub where client files are centrally stored, uniformly structured, and seamlessly connected with other systems such as payroll or annual reporting software. No folder structures. No fragmentation. No endless searching.
“With us, nobody needs to wonder where something is stored. Everything is uniform, accessible, and integrated. That’s the difference from traditional document management systems or SharePoint.”
The model caught on. Today, Qwoater is the market leader in payroll processing and is rapidly expanding across the wider accountancy landscape. “We want firms to adopt our platform organization-wide. The potential is enormous, and that’s what we are building towards.”
Security from day one
Qwoater sometimes calls itself the ‘Netflix for documents’. And with reason. The user experience is intuitive, streamlined, and designed to make document management effortless. But behind this simplicity lies an organization deeply aware that in this sector, trust is not a nice-to-have; it’s a prerequisite.
That awareness runs deep. Client files include financial statements, HR data, and other highly sensitive documents. That’s why, as early as 2016, Qwoater pursued a SOC 2 Type II certification.
“Every choice we make must support security. It’s embedded in our infrastructure, in our behavior, in our communication – and in the fact that we conduct annual pentests. Sometimes even twice a year,” Ernesto explains.
A Code-Guided Pentest
In 2025, Qwoater made a deliberate choice to partner with YieldDD. The request: conduct a pentest that goes beyond the surface, diving deep into architecture and source code. YieldDD’s code-guided approach offered exactly that.
“You have to recognize the value of a pentest that doesn’t just look from the outside in, but instead traces paths from the inside out. That’s what YieldDD does, and that is of immense value.”
This approach delivered sharp, actionable insights:
Ernesto Lopez Vega - Qwoater

Qwoater immediately incorporated all findings, mainly low-risk issues, into its remediation process, in line with its high security standards. A retest confirmed that every issue was fully resolved.
Security as a culture
What truly sets Qwoater apart is not only their platform, but their mindset. While security is often still seen as ‘something for IT’, YieldDD encountered a leadership team that contributed ideas, asked critical questions, and took full ownership.
That culture makes the difference. Qwoater is willing to look in the mirror, showing that mature software development means staying open to critique, acting quickly on improvements, and building trust at every step.
This is not a one-off exercise, but a structural approach. “Clients should know that we are tested, and that we use the results to become even better.”
Looking ahead
Qwoater doesn’t stand still. New product developments – such as making their API publicly available – are on the horizon. With those come new opportunities, but also new risks. “That’s why we say: with every major release, we review security again. And now we know exactly who to call.”
The collaboration illustrates that technical security is never solely an IT matter. It’s about trust. About continuous improvement. And about the courage to challenge your assumptions. That’s what Qwoater does. And that not only makes them safer, it makes them stronger.
