SOC 2-aligned · IRS Pub 4557 · GLBA Safeguards
Security built for CPA-firm compliance
CPAs handle the most sensitive financial data in the world — and face vendor due diligence that doesn't accept marketing claims. Here's exactly how TaxScout protects your firm and your clients, mapped to the standards your reviewers will ask about.
Data protection
Every client document and every extracted tax fact is encrypted, isolated, and recoverable. We treat client data the way you would.
Encryption at rest
All client documents, extracted tax data, and database records are encrypted at rest with AES-256 using AWS KMS-managed keys. Keys rotate automatically on AWS-managed schedules; no plaintext key material is ever stored in application code or environment variables.
Encryption in transit
Every connection — between user browsers, our edge, the application servers, and the database — uses TLS 1.3. HSTS is enforced site-wide with a 1-year max-age. We never log encryption keys, session tokens, or full document contents.
Tenant isolation
Every CPA firm gets a logically isolated workspace. Every business table is keyed by organization, with PostgreSQL row-level security policies enforcing tenant isolation on direct access and an application-layer org guard on background jobs. Defense-in-depth, not a single point of trust.
Backups and recovery
Managed PostgreSQL with point-in-time recovery and automated encrypted backups; S3 document storage is versioned. Off-site backups of background-job state are retained on a 365-day schedule. Formal recovery-time objectives and cross-region replication are being documented as part of our resilience roadmap.
Access controls
Who can see what — enforced at the application, database, and audit layers, not just the UI.
Role-based access (RBAC)
Firm owners, partners, staff, and reviewers get tightly scoped permissions. Roles map to specific actions — view client docs, edit returns, sign filings, manage billing — never blanket access. Permission changes are logged with actor, timestamp, and reason.
Multi-factor authentication
Multi-factor authentication is available to every user and can be enforced organization-wide and for privileged owner/admin roles. Supports TOTP (Google Authenticator, Authy, 1Password) and WebAuthn / passkeys. SMS-only MFA is not offered for compliance-sensitive roles.
Client portal isolation
Client portal users see only their own engagement and documents — never the firm's other clients. Portal sessions are short-lived, sandboxed from the CPA dashboard, and re-authenticated on every sensitive action (e-signature, document upload, payment).
Audit trail
Every action that touches a client return, document, or financial figure is logged: actor, timestamp, IP, action, before/after diff where applicable. Audit logs are append-only, retained 7 years (the IRS retention floor), and exportable for compliance reviews.
Compliance frameworks
The standards your vendor review checklist asks about. We map controls directly to each — no "trust us" gaps.
SOC 2 (in progress)
Our controls are designed and mapped to the AICPA Trust Services Criteria (Security, Availability, Confidentiality). An independent SOC 2 Type II examination is on our roadmap; we will share the report under NDA once it is available.
IRS Pub 4557
Our security program is mapped to the IRS Publication 4557 Safeguarding Taxpayer Data framework — covering written security plan, access controls, encryption, retention, and breach response specific to tax preparer obligations.
GLBA Safeguards Rule
Aligned with the FTC's GLBA Safeguards Rule (16 CFR Part 314) including designation of a qualified individual, written risk assessments, encryption of customer information, MFA, and incident response procedures.
AICPA Trust Services Criteria
SOC 2 controls are framed against the AICPA Trust Services Criteria — Security, Availability, Confidentiality, Processing Integrity, and Privacy — relevant to CPA-firm vendor due diligence.
Incident response
Detection through customer notification — what actually happens when something goes wrong.
- 1
Detection
Production environment monitored 24/7 by Sentry, PostHog, and AWS CloudTrail. Anomaly detection rules trigger on unusual access patterns, mass document downloads, privilege escalations, and outbound data transfers above baseline thresholds.
- 2
Triage and containment
An on-call engineer is paged within 5 minutes of a critical alert. Containment playbooks cover compromised credentials (force re-auth + session revocation), data exposure (S3 bucket lockdown, key rotation), and code injection (deploy revert, traffic isolation).
- 3
Customer notification
Material incidents that affect customer data are communicated within 24 hours of confirmation — not the legal maximum. We name the scope, the affected data, the actions we've taken, and what customers need to do (which is usually nothing).
- 4
Post-mortem and remediation
Every incident triggers a blameless post-mortem within 5 business days, with the root cause analysis, contributing factors, and concrete remediation tickets tracked publicly in our internal Linear workspace. Remediation closes within 30 days.
Shared responsibility
Security is a partnership. Here's the line between what TaxScout owns and what your firm owns.
What TaxScout protects
- Infrastructure security (network, servers, database)
- Application security (authentication, encryption, access controls)
- Compliance certifications (SOC 2, GLBA, IRS Pub 4557 alignment)
- Backup, recovery, and continuity of the production environment
- Security monitoring, detection, and incident response
What CPA firms own
- Strong passwords + MFA enrollment for every team member
- Access scope: not granting staff broader roles than they need
- Off-boarding promptly when staff leave the firm
- Local device security (full-disk encryption, screen lock, OS updates)
- Phishing awareness — TaxScout will never ask for your password by email
Security documentation
For vendor reviews, IT compliance teams, and CPA peer-review requirements:
- SOC 2 controls summary — a mapping of our controls to the AICPA Trust Services Criteria, available under NDA today; an independent SOC 2 Type II report is on our roadmap and will be shared once available. Email [email protected] with your firm name + reviewer contact.
- Security whitepaper — detailed architecture, controls, and threat model. Available on request from [email protected].
- Vulnerability reports — disclose responsibly to [email protected]. Acknowledged within 24 hours; safe-harbor under good-faith research.