Security Documentation
Comprehensive technical documentation of our security architecture, compliance certifications, and data protection measures.
Encryption Standards
Data at Rest
Application data is encrypted with AES-256-GCM before it is written to the database, in addition to the volume-level encryption that RDS and S3 provide (see Cloud Architecture). Each user's documents are encrypted under a unique key derived from that user's password with PBKDF2-SHA256 (100,000 iterations) and a per-user salt; the derivation happens on the client, as described under Zero-Knowledge Architecture.
- Algorithm: AES-256-GCM (Galois/Counter Mode)
- Key derivation: PBKDF2-SHA256 with 100,000 iterations
- Salt: 32-byte cryptographically random salt per user
- IV: 12-byte random nonce per encryption operation, never reused under the same key
Data in Transit
All network communication uses TLS 1.3 where the client supports it (TLS 1.2 at minimum), with forward-secret ephemeral key exchange. We enforce HTTPS for all connections and send an HSTS header so browsers refuse plaintext HTTP, which defeats SSL-stripping downgrade attacks.
- Protocol: TLS 1.3 preferred; TLS 1.2 is the minimum accepted
- Cipher suites (TLS 1.3): TLS_AES_256_GCM_SHA384, TLS_CHACHA20_POLY1305_SHA256
- Certificate: RSA 4096-bit with SHA-256
- HSTS: max-age=31536000; includeSubDomains; preload
Zero-Knowledge Architecture
Your documents are encrypted client-side before upload. We never have access to your unencrypted data. Only you hold the decryption keys.
- Client-side encryption using Web Crypto API
- Key derived on the client from the user's password and a per-user salt supplied by the server (PBKDF2-SHA256, as under Data at Rest)
- Server stores only encrypted data and cannot decrypt
- End-to-end encryption for document storage
Authentication & Access Control
Multi-Factor Authentication
We support multiple second-factor methods: TOTP authenticator apps, SMS codes, and WebAuthn/FIDO2 authenticators, including platform authenticators unlocked by a biometric.
- TOTP: RFC 6238 compliant with 30-second time windows
- SMS: Twilio Verify API with rate limiting
- WebAuthn/FIDO2: hardware security keys and platform authenticators; a biometric unlock stays on the device, and the server verifies only the authenticator's signature over its challenge
- Backup codes: 10 single-use recovery codes per user
Session Management
Secure session handling with automatic expiration, device tracking, and anomaly detection.
- Session tokens: 256-bit cryptographically random
- Expiration: 24-hour idle timeout; 7-day absolute lifetime regardless of activity
- Storage: HttpOnly, Secure, SameSite=Strict cookies
- Device fingerprinting for anomaly detection
Password Security
Passwords are hashed using Argon2id (RFC 9106), the hybrid variant of Argon2, winner of the Password Hashing Competition and the algorithm OWASP recommends first for password storage.
- Algorithm: Argon2id
- Memory cost: 64 MiB (65,536 KiB)
- Time cost: 3 iterations
- Parallelism: 4 threads
- Salt: 16-byte cryptographically random per password
Infrastructure Security
Cloud Architecture
Hosted on AWS with multi-region redundancy and automatic failover. All infrastructure follows the security pillar of the AWS Well-Architected Framework.
- Hosting: AWS (us-east-1 primary, us-west-2 failover)
- Compute: ECS Fargate with auto-scaling
- Database: RDS PostgreSQL with encryption at rest
- Storage: S3 with server-side encryption (SSE-KMS)
- CDN: CloudFront with AWS Shield Standard DDoS protection
Network Security
Private VPC with network segmentation, security groups, and network ACLs. All services communicate over private subnets.
- VPC: Isolated virtual private cloud
- Subnets: Public (load balancers only) and private (application/database)
- Security groups: Least-privilege firewall rules
- WAF: AWS WAF with managed rules covering OWASP Top 10 attack classes
Monitoring & Logging
Comprehensive logging and monitoring with real-time alerting for security events.
- Logging: CloudWatch Logs with 90-day retention
- Metrics: CloudWatch metrics with custom dashboards
- Alerting: SNS notifications for security events
- SIEM: Logs and alerts are forwarded to a security information and event management (SIEM) platform for correlation and investigation
Compliance & Certifications
SOC 2 Compliance In Progress
We are working toward an independent SOC 2 audit by a third-party CPA firm covering our security, availability, and confidentiality controls.
- Audit period: In progress
- Trust service criteria: Security, Availability, Confidentiality
- Target completion: 2025
- Report available: Upon completion
IRS e-file Compliance
Authorized IRS e-file provider meeting all Publication 1075 requirements for federal tax information.
- IRS Publication 1075: Safeguarding Federal Tax Information
- EFIN: Electronic Filing Identification Number issued by IRS
- Annual security review by IRS
- Incident reporting to the IRS within 24 hours
Data Privacy Regulations
Compliant with CCPA, GDPR, and other data privacy regulations.
- CCPA: California Consumer Privacy Act compliance
- GDPR: General Data Protection Regulation (EU)
- Data subject rights: Access, deletion, portability, correction
- Privacy policy: Updated annually, available at /privacy
Financial Regulations
Adherence to financial industry security standards.
- GLBA: Gramm-Leach-Bliley Act compliance
- PCI DSS: Payments are processed by Stripe, a PCI DSS Level 1 Service Provider
- Payment processing: Stripe handles all payment data
- No storage of credit card numbers
Incident Response
Security Incident Response Plan
Documented procedures for detecting, responding to, and recovering from security incidents.
- Detection: Automated monitoring and alerting
- Response time: < 1 hour for critical incidents
- Escalation: On-call security team 24/7
- Communication: Affected users notified within 72 hours where notification is required by law
Vulnerability Management
Regular security assessments and prompt patching of vulnerabilities.
- Vulnerability scanning: Weekly automated scans
- Penetration testing: Annual third-party pen tests
- Bug bounty: HackerOne program for responsible disclosure
- Patch management: Critical patches within 24 hours
Disaster Recovery
Comprehensive backup and recovery procedures to ensure business continuity.
- Backups: Automated daily encrypted snapshots with 30-day retention
- RTO: Recovery Time Objective < 4 hours
- RPO: Recovery Point Objective < 1 hour (daily snapshots alone would allow up to 24 hours of loss, so this objective depends on continuous transaction-log backup between snapshots, such as RDS point-in-time recovery)
- Testing: Quarterly disaster recovery drills
API Security
API Authentication
Secure API access using API keys with per-key scopes, rate limiting, and IP allowlisting.
- Authentication: Bearer token (API key) in Authorization header
- Key format: pk_live_... (production), pk_test_... (test)
- Key rotation: Supported, recommended every 90 days
- Scopes: Granular permissions per API key
Rate Limiting
Protection against abuse with tiered rate limits based on plan.
- Free tier: 100 requests/minute, 10,000/month
- Pro tier: 1,000 requests/minute, 1,000,000/month
- Rate limit headers: X-RateLimit-Limit, X-RateLimit-Remaining
- Retry-After header on 429 responses
Input Validation
Strict validation and sanitization of all API inputs to prevent injection attacks.
- Schema validation: JSON Schema for all endpoints
- SQL injection: Parameterized queries only
- XSS prevention: Content Security Policy and output encoding
- CSRF protection: SameSite cookies and CSRF tokens
Data Retention & Deletion
Retention Policy
We retain your data only as long as necessary for tax purposes and legal requirements.
- Active returns: Retained for 7 years (IRS requirement)
- Deleted accounts: 30-day grace period, then permanent deletion
- Backups: Encrypted backups retained for 30 days
- Logs: Security logs retained for 90 days
Data Deletion
Secure deletion procedures ensure data cannot be recovered after deletion.
- Soft delete: 30-day recovery period
- Hard delete: Cryptographic erasure of encryption keys
- Backup deletion: Removed from all backups within 30 days
- Verification: Deletion confirmation provided to user
Data Portability
Export your data in machine-readable formats at any time.
- Export format: JSON, PDF, CSV
- Includes: All tax returns, documents, and account data
- Delivery: Secure download link valid for 7 days
- Encryption: Optional password-protected ZIP
Security Documents
Download our security reports and certifications
SOC 2 Compliance Status
Current compliance progress (audit in progress)
Penetration Test Summary
Executive summary of latest pen test
Security Whitepaper
Technical overview of our security architecture
Compliance Certifications
IRS certification and compliance status
Questions About Our Security?
Our security team is available to answer your questions and provide additional documentation.