Enterprise-Grade Security

Your Tax Data, Protected

TaxBlitz processes sensitive financial data — SSNs, EINs, payment amounts. Security isn't a feature. It's the foundation.

8 Layers of Protection

Encryption at Rest

All PII (SSN, EIN, financial amounts) is encrypted at the field level using AES-256-GCM with per-tenant encryption keys. Database backups are encrypted with separate keys.

Encryption in Transit

All traffic uses TLS 1.3 with HSTS headers. API endpoints enforce HTTPS. Internal service communication uses mutual TLS where applicable.

Authentication

JWT-based authentication with configurable token expiration. TOTP-based two-factor authentication (2FA) available for all accounts. Account lockout after repeated failed attempts.

Access Controls

Role-based access control (RBAC) with distinct roles: admin, preparer, reviewer, read-only. Principle of least privilege enforced across all API endpoints.

PII Masking

SSN/EIN values are masked in all UI views (showing only last 4 digits). Application logs never contain unmasked PII. API responses mask sensitive fields by default.

Breach Detection & Alerting

Automated monitoring for anomalous access patterns, brute force attempts, and data exfiltration indicators. Real-time alerts and automated account lockout on suspicious activity.

Audit Logging

Every data access, modification, form generation, filing, and admin action is logged with timestamps, user IDs, and IP addresses. Audit logs are immutable and retained for 7 years.

Infrastructure

Hosted on Fly.io with automated deployments, health checks, and auto-recovery. PostgreSQL with automated daily backups, point-in-time recovery, and 30-day backup retention.

Compliance Frameworks

SOC 2 Aligned (status: controls implemented)

Security controls aligned with SOC 2 Trust Service Criteria for security, availability, and confidentiality. Formal audit planned.

GDPR (status: compliant)

Data processing agreement available. Right to erasure, data portability, and breach notification procedures in place.

CCPA (status: compliant)

California consumer privacy rights supported. Data deletion and access requests processed within 30 days.

IRS Publication 1075 (status: aligned)

Federal Tax Information (FTI) safeguarding requirements followed for TIN data handling and storage.

HIPAA (status: policy ready)

HIPAA-aligned data handling policies in place for customers in healthcare-adjacent tax scenarios.

Security Policies

TaxBlitz maintains 11 formal security policy documents. Enterprise customers can request copies.

Information Security Policy
Access Control Policy
Data Retention Policy
Incident Response Plan
Business Continuity Plan
Breach Notification Policy
Data Classification Policy
Vendor Management Policy
Change Management Policy
Risk Assessment Framework
Acceptable Use Policy

Responsible Disclosure

Found a security vulnerability? We take reports seriously. Please email us with details and we'll respond within 48 hours.