Security Documentation
Comprehensive technical documentation of our security architecture, compliance certifications, and data protection measures. Built for enterprise scrutiny.
Encryption Standards
Data at Rest
All data stored in our databases is encrypted with AES-256-GCM. Each user's data is encrypted with a unique key derived from their account credentials using PBKDF2 with 100,000 iterations.
- Algorithm: AES-256-GCM (Galois/Counter Mode)
- Key derivation: PBKDF2-SHA256 with 100,000 iterations
- Salt: 32-byte cryptographically random salt per user
- IV: 12-byte random initialization vector per encryption operation
import { createCipheriv, randomBytes, pbkdf2Sync } from 'crypto';
// `password` is the user's credential and `data` the plaintext to protect;
// both come from the surrounding application (shown here as placeholders)
const password = process.env.USER_PASSWORD;
const data = 'plaintext to protect';
// Derive the encryption key from the password: PBKDF2-SHA256, 100,000 iterations, 32-byte salt
const salt = randomBytes(32);
const key = pbkdf2Sync(password, salt, 100000, 32, 'sha256');
// Encrypt data with AES-256-GCM, using a fresh 12-byte IV for every operation
const iv = randomBytes(12);
const cipher = createCipheriv('aes-256-gcm', key, iv);
const encrypted = Buffer.concat([cipher.update(data, 'utf8'), cipher.final()]);
// Store the authentication tag with the salt, IV and ciphertext; decryption needs all four
const authTag = cipher.getAuthTag();
Data in Transit
All network communication uses TLS 1.3 with perfect forward secrecy. We enforce HTTPS for all connections and use HSTS to prevent downgrade attacks.
- Protocol: TLS 1.3 (minimum TLS 1.2)
- Cipher suites: TLS_AES_256_GCM_SHA384, TLS_CHACHA20_POLY1305_SHA256
- Certificate: RSA 4096-bit with SHA-256
- HSTS: max-age=31536000; includeSubDomains; preload
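The HSTS policy listed above only protects clients if the header they actually receive carries it, so the deployed value is worth checking in a test against the documented policy. The parser and policy check below are an added example written for this page, not the product's code; `parseHsts`, `checkHsts` and `HSTS_POLICY` are hypothetical names, and the header strings are constructed.

```javascript
// Policy from the documentation: max-age=31536000; includeSubDomains; preload
const HSTS_POLICY = { minMaxAge: 31536000, includeSubDomains: true, preload: true };

// Parse a Strict-Transport-Security header value into its directives.
// Directive names are case-insensitive (RFC 6797); a quoted max-age is unquoted.
function parseHsts(headerValue) {
  const directives = {};
  for (const part of headerValue.split(';')) {
    const trimmed = part.trim();
    if (!trimmed) continue;
    const [name, ...rest] = trimmed.split('=');
    directives[name.trim().toLowerCase()] = rest.length
      ? rest.join('=').trim().replace(/^"|"$/g, '')
      : true;
  }
  return directives;
}

// Compare a received header value against the policy. Returns a list of
// findings; an empty list means the header meets the policy.
function checkHsts(headerValue, policy = HSTS_POLICY) {
  if (!headerValue) return ['header missing'];
  const findings = [];
  const d = parseHsts(headerValue);
  const maxAge = Number(d['max-age']);
  if (!Number.isInteger(maxAge)) findings.push('max-age missing or not an integer');
  else if (maxAge < policy.minMaxAge) findings.push(`max-age ${maxAge} below ${policy.minMaxAge}`);
  if (policy.includeSubDomains && !('includesubdomains' in d)) findings.push('includeSubDomains missing');
  if (policy.preload && !('preload' in d)) findings.push('preload missing');
  return findings;
}

// Constructed sample values, e.g. as read from response.headers.get('strict-transport-security')
const SAMPLE_GOOD = 'max-age=31536000; includeSubDomains; preload';
const SAMPLE_WEAK = 'max-age=300';
```

In a deployment check, feed `checkHsts` the value of the `strict-transport-security` response header from an HTTPS request to the site; a non-empty result means the nginx `add_header` line is missing on some response path (the `always` flag matters for error responses).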
# TLS 1.3 Configuration
ssl_protocols TLSv1.3 TLSv1.2;
ssl_ciphers TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256;
# Note: nginx applies ssl_ciphers to TLS 1.2 and older; TLS 1.3 suites are selected
# through OpenSSL's Ciphersuites list (ssl_conf_command Ciphersuites ... on nginx 1.19.4+)
ssl_prefer_server_ciphers off;
# HSTS Configuration ("always" also adds the header to error responses)
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
Zero-Knowledge Architecture
Your documents are encrypted client-side before upload. We never have access to your unencrypted data. Only you hold the decryption keys.
- Client-side encryption using Web Crypto API
- Key derivation from user password + server-provided salt
- Server stores only encrypted data and cannot decrypt
- End-to-end encryption for document storage
// Client-side encryption before upload (browser Web Crypto API).
// Assumed from the surrounding application: `password` (the user's passphrase),
// `documentData` (an ArrayBuffer of the file) and `salt` (the 32-byte value the
// server issued for this user).
const enc = new TextEncoder();
const passwordKey = await crypto.subtle.importKey(
  "raw", enc.encode(password), "PBKDF2", false, ["deriveKey"]
);
const key = await crypto.subtle.deriveKey(
  { name: "PBKDF2", salt, iterations: 100000, hash: "SHA-256" },
  passwordKey,
  { name: "AES-GCM", length: 256 },
  false, // not extractable: the raw key never leaves the browser
  ["encrypt"]
);
// Fresh 12-byte IV for every encryption; it is uploaded alongside the ciphertext
const iv = crypto.getRandomValues(new Uint8Array(12));
const encrypted = await crypto.subtle.encrypt(
  { name: "AES-GCM", iv },
  key,
  documentData
);
Authentication & Access Control
Multi-Factor Authentication
We support multiple 2FA methods including TOTP authenticator apps, SMS codes, and biometric authentication.
- TOTP: RFC 6238 compliant with 30-second time windows
- SMS: Twilio Verify API with rate limiting
- Biometric: WebAuthn/FIDO2 for hardware keys and platform authenticators
- Backup codes: 10 single-use recovery codes per user
import { authenticator } from 'otplib';
// Generate a TOTP secret once at enrollment and store it with the user's account
const secret = authenticator.generateSecret();
// Verify the TOTP token submitted at login (`req`, `user` and `createSession`
// come from the surrounding request handler)
const token = req.body.token;
const isValid = authenticator.verify({ token, secret });
if (isValid) {
  // Grant access
  await createSession(user.id);
}
Session Management
Secure session handling with automatic expiration, device tracking, and anomaly detection.
- Session tokens: 256-bit cryptographically random
- Expiration: 24 hours of inactivity, 7 days maximum
- Storage: HttpOnly, Secure, SameSite=Strict cookies
- Device fingerprinting for anomaly detection
import { randomBytes } from 'crypto';
// Create secure session (`user`, `req`, `res` and `createSession` come from
// the surrounding Express-style request handler)
const sessionToken = randomBytes(32).toString('hex'); // 256 bits of randomness
const session = await createSession({
  userId: user.id,
  token: sessionToken,
  expiresAt: new Date(Date.now() + 24 * 60 * 60 * 1000), // idle timeout; the 7-day cap is enforced server-side
  deviceFingerprint: req.fingerprint
});
// Set secure cookie: unreadable from script, HTTPS only, not sent on cross-site requests
res.cookie('session', sessionToken, {
  httpOnly: true,
  secure: true,
  sameSite: 'strict',
  maxAge: 24 * 60 * 60 * 1000
});
Password Security
Passwords are hashed using Argon2id, the winner of the Password Hashing Competition and recommended by OWASP.
- Algorithm: Argon2id
- Memory cost: 64 MB
- Time cost: 3 iterations
- Parallelism: 4 threads
- Salt: 16-byte cryptographically random per password
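The parameters above are what new hashes are created with, but hashes already in the database may have been produced under an older, weaker setting, and a login is the only moment the plaintext is available to replace them. The following added example (written for this page, not the argon2 library's or the product's code) parses the PHC-format string that `argon2.hash()` returns and decides whether a rehash is due after a successful verify. `parseArgon2Hash`, `needsRehash` and the sample strings are constructed for the example; their salt and digest fields are placeholders, not real hashes.

```javascript
// Parameters stated in the documentation.
const POLICY = { type: 'argon2id', memoryCost: 65536, timeCost: 3, parallelism: 4 };

// Parse the PHC string that argon2.hash() returns:
//   $argon2id$v=19$m=65536,t=3,p=4$<base64 salt>$<base64 digest>
// Returns null for anything that is not an argon2 PHC string.
function parseArgon2Hash(encoded) {
  if (typeof encoded !== 'string') return null;
  const parts = encoded.split('$');
  if (parts.length !== 6 || parts[0] !== '') return null;
  const [, type, version, params] = parts;
  if (!/^argon2(id|i|d)$/.test(type)) return null;
  const fields = Object.fromEntries(params.split(',').map((kv) => {
    const [k, v] = kv.split('=');
    return [k, Number(v)];
  }));
  if (![fields.m, fields.t, fields.p].every(Number.isInteger)) return null;
  return {
    type,
    version: Number(version.replace(/^v=/, '')),
    memoryCost: fields.m,   // KiB
    timeCost: fields.t,
    parallelism: fields.p,
  };
}

// True when a stored hash should be replaced: unparseable, a different variant,
// less memory or time than policy, or a different parallelism (which changes
// the hash function, so it cannot be "upgraded" in place either way).
function needsRehash(encoded, policy = POLICY) {
  const p = parseArgon2Hash(encoded);
  if (!p) return true;
  return p.type !== policy.type
    || p.memoryCost < policy.memoryCost
    || p.timeCost < policy.timeCost
    || p.parallelism !== policy.parallelism;
}

// Constructed samples (placeholder salt and digest, not real hashes).
const SAMPLE_CURRENT = '$argon2id$v=19$m=65536,t=3,p=4$c2FsdHNhbHRzYWx0c2FsdA$cGxhY2Vob2xkZXJoYXNocGxhY2Vob2xkZXJoYXNo';
const SAMPLE_LEGACY = '$argon2id$v=19$m=4096,t=2,p=1$c2FsdHNhbHRzYWx0c2FsdA$cGxhY2Vob2xkZXJoYXNocGxhY2Vob2xkZXJoYXNo';
```

In the login handler this sits right after `argon2.verify(hash, password)` succeeds: if `needsRehash(hash)` is true, call `argon2.hash(password, POLICY)` and store the result before responding, so the fleet converges on the documented parameters without forcing password resets.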
import argon2 from 'argon2';
// Hash password with Argon2id (`password` is the plaintext submitted at signup)
const hash = await argon2.hash(password, {
  type: argon2.argon2id,
  memoryCost: 65536, // 64 MB, expressed in KiB
  timeCost: 3,
  parallelism: 4
});
// Verify password: the parameters and salt are read back from the encoded hash
const isValid = await argon2.verify(hash, password);
Infrastructure Security
Cloud Architecture
Hosted on AWS with multi-region redundancy and automatic failover. All infrastructure follows the AWS Well-Architected Framework security pillar.
- Hosting: AWS (us-east-1 primary, us-west-2 failover)
- Compute: ECS Fargate with auto-scaling
- Database: RDS PostgreSQL with encryption at rest
- Storage: S3 with server-side encryption (SSE-KMS)
- CDN: CloudFront with AWS Shield Standard DDoS protection
Network Security
Private VPC with network segmentation, security groups, and network ACLs. All services communicate over private subnets.
- VPC: Isolated virtual private cloud
- Subnets: Public (load balancers only) and private (application/database)
- Security groups: Least-privilege firewall rules
- WAF: AWS WAF with OWASP Top 10 protection
Monitoring & Logging
Comprehensive logging and monitoring with real-time alerting for security events.
- Logging: CloudWatch Logs with 90-day retention
- Metrics: CloudWatch metrics with custom dashboards
- Alerting: SNS notifications for security events
- SIEM: Integration with a security information and event management platform
Compliance & Certifications
SOC 2 Compliance In Progress
Working towards an independent audit by a third-party CPA firm covering security, availability, and confidentiality controls.
- Audit period: In progress
- Trust service criteria: Security, Availability, Confidentiality
- Target completion: 2025
- Report available: Upon completion
IRS e-file Compliance
Authorized IRS e-file provider meeting all Publication 1075 requirements for federal tax information.
- IRS Publication 1075: Safeguarding Federal Tax Information
- EFIN: Electronic Filing Identification Number issued by the IRS
- Annual security review by IRS
- Incident reporting within 24 hours
Data Privacy Regulations
Compliant with CCPA, GDPR, and other data privacy regulations.
- CCPA: California Consumer Privacy Act compliance
- GDPR: General Data Protection Regulation (EU)
- Data subject rights: Access, deletion, portability, correction
- Privacy policy: Updated annually, available at /privacy
Financial Regulations
Adherence to financial industry security standards.
- GLBA: Gramm-Leach-Bliley Act compliance
- PCI DSS: Level 1 Service Provider (via Stripe)
- Payment processing: Stripe handles all payment data
- No storage of credit card numbers
Incident Response
Security Incident Response Plan
Documented procedures for detecting, responding to, and recovering from security incidents.
- Detection: Automated monitoring and alerting
- Response time: < 1 hour for critical incidents
- Escalation: On-call security team 24/7
- Communication: User notification within 72 hours if required
Vulnerability Management
Regular security assessments and prompt patching of vulnerabilities.
- Vulnerability scanning: Weekly automated scans
- Penetration testing: Annual third-party pen tests
- Bug bounty: HackerOne program for responsible disclosure
- Patch management: Critical patches within 24 hours
Disaster Recovery
Comprehensive backup and recovery procedures to ensure business continuity.
- Backups: Automated daily backups with 30-day retention
- RTO: Recovery Time Objective < 4 hours
- RPO: Recovery Point Objective < 1 hour
- Testing: Quarterly disaster recovery drills
API Security
API Authentication
Secure API access using API keys with rate limiting and IP whitelisting.
- Authentication: Bearer token (API key) in Authorization header
- Key format: pk_live_... (production), pk_test_... (test)
- Key rotation: Supported, recommended every 90 days
- Scopes: Granular permissions per API key
// API Key Authentication: the key is sent as a Bearer token over HTTPS
const response = await fetch('https://api.taxu.io/v1/tax/calculate', {
  method: 'POST',
  headers: {
    'Authorization': 'Bearer pk_live_...', // your production API key
    'Content-Type': 'application/json'
  },
  body: JSON.stringify({
    income: 75000,
    filingStatus: 'single'
  })
});
const result = await response.json();
Rate Limiting
Protection against abuse with tiered rate limits based on plan.
- Free tier: 100 requests/minute, 10,000/month
- Pro tier: 1,000 requests/minute, 1,000,000/month
- Rate limit headers: X-RateLimit-Limit, X-RateLimit-Remaining
- Retry-After header on 429 responses
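The headers listed above are produced by a counter on the server side. The following added example (written for this page, not the product's code) is a fixed-window limiter that applies the two documented per-minute tiers and emits `X-RateLimit-Limit`, `X-RateLimit-Remaining`, `X-RateLimit-Reset` and, on a 429, `Retry-After`. `RateLimiter`, `TIERS` and the injectable clock are hypothetical; the monthly quota from the list is left out.

```javascript
// Per-minute limits stated in the documentation. The monthly quota would be a
// second counter of the same shape and is omitted here.
const TIERS = { free: { perMinute: 100 }, pro: { perMinute: 1000 } };
const WINDOW_MS = 60 * 1000;

// Fixed-window counter per API key. X-RateLimit-Reset is the Unix time (seconds)
// at which the current window ends; Retry-After is the seconds until then.
class RateLimiter {
  constructor(clock = () => Date.now()) {
    this.clock = clock;        // injectable for testing
    this.buckets = new Map();  // apiKey -> { windowStart, count }
  }

  // Returns the decision plus the headers to attach to the response.
  check(apiKey, tier) {
    if (!TIERS[tier]) throw new Error(`unknown tier: ${tier}`);
    const limit = TIERS[tier].perMinute;
    const now = this.clock();
    let b = this.buckets.get(apiKey);
    if (!b || now - b.windowStart >= WINDOW_MS) {
      b = { windowStart: now, count: 0 }; // start a new window
      this.buckets.set(apiKey, b);
    }
    const resetAt = b.windowStart + WINDOW_MS;
    const headers = {
      'X-RateLimit-Limit': String(limit),
      'X-RateLimit-Reset': String(Math.ceil(resetAt / 1000)),
    };
    if (b.count >= limit) {
      headers['X-RateLimit-Remaining'] = '0';
      headers['Retry-After'] = String(Math.ceil((resetAt - now) / 1000));
      return { allowed: false, status: 429, headers };
    }
    b.count += 1;
    headers['X-RateLimit-Remaining'] = String(limit - b.count);
    return { allowed: true, status: 200, headers };
  }
}
```

A fixed window lets a client spend the whole limit at the end of one minute and again at the start of the next; a sliding window or token bucket smooths that if the backend needs it. In a deployment the map should be keyed by the API key's digest rather than the key itself, and shared across instances (for example in Redis) so that the limit is enforced per key rather than per server.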
// Rate limit response headers
{
  "X-RateLimit-Limit": "1000",
  "X-RateLimit-Remaining": "998",
  "X-RateLimit-Reset": "1640995200"
}
// Handle rate limiting: wait the number of seconds given in Retry-After
// (falling back to one second if the header is absent), then retry
const sleep = (ms) => new Promise((resolve) => setTimeout(resolve, ms));
if (response.status === 429) {
  const retryAfter = Number(response.headers.get('Retry-After')) || 1;
  await sleep(retryAfter * 1000);
  // Retry request
}
Input Validation
Strict validation and sanitization of all API inputs to prevent injection attacks.
- Schema validation: JSON Schema for all endpoints
- SQL injection: Parameterized queries only
- XSS prevention: Content Security Policy and output encoding
- CSRF protection: SameSite cookies and CSRF tokens
import { z } from 'zod';
// Request validation schema
const schema = z.object({
  income: z.number().positive().max(10000000),
  filingStatus: z.enum(['single', 'married', 'head_of_household']),
  deductions: z.object({
    standard: z.boolean()
  }).optional()
});
// Validate request: parse() throws a ZodError on invalid input, which the
// handler maps to a 400 response; `req.body` is the parsed JSON body
const validated = schema.parse(req.body);
Data Retention & Deletion
Retention Policy
We retain your data only as long as necessary for tax purposes and legal requirements.
- Active returns: Retained for 7 years (IRS requirement)
- Deleted accounts: 30-day grace period, then permanent deletion
- Backups: Encrypted backups retained for 30 days
- Logs: Security logs retained for 90 days
Data Deletion
Secure deletion procedures ensure data cannot be recovered after deletion.
- Soft delete: 30-day recovery period
- Hard delete: Cryptographic erasure of encryption keys
- Backup deletion: Removed from all backups within 30 days
- Verification: Deletion confirmation provided to user
Data Portability
Export your data in machine-readable formats at any time.
- Export format: JSON, PDF, CSV
- Includes: All tax returns, documents, and account data
- Delivery: Secure download link valid for 7 days
- Encryption: Optional password-protected ZIP
Security Documents
Download our security reports, compliance certifications, and technical whitepapers.
SOC 2 Compliance Status
[In Progress] Current compliance progress (audit in progress)
Penetration Test Summary
[Restricted] Executive summary of latest pen test
Security Whitepaper
[Public] Technical overview of our security architecture
Compliance Certifications
[Public] IRS certification and compliance status
Questions About Our Security?
Our security team is available 24/7 to answer your questions, provide additional documentation, and discuss enterprise security requirements.