Enterprise-Grade Security
Your Tax Data, Fully Protected
TaxVault handles your most sensitive information — SSN, EIN, financial records. Here's how we keep it safe.
- AES-128 encryption at rest
- 57 tables with RLS
- 100% MFA enforced
- 0 SQL injection risk
Data Encryption
- ✓ SSN, EIN, and TIN encrypted at rest using Fernet (AES-128-CBC + HMAC-SHA256)
- ✓ All data encrypted in transit via TLS 1.2+
- ✓ Database connections secured with SSL
- ✓ Encryption key rotation support built in
Mandatory MFA
- ✓ Two-factor authentication required for every account
- ✓ TOTP-based (Google Authenticator, Authy)
- ✓ Backup codes for account recovery
- ✓ Account lockout after failed attempts
Password Security
- ✓ Argon2id hashing (brute-force resistant)
- ✓ Minimum 12 characters with complexity rules
- ✓ Checked against breach databases (HIBP)
- ✓ HttpOnly secure session cookies
Tenant Isolation
- ✓ PostgreSQL Row-Level Security on all 57 tables
- ✓ Every query scoped to authenticated tenant
- ✓ Enforced at database level, not just app code
- ✓ No tenant can see another tenant's data
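As an illustration of what database-level tenant scoping looks like in PostgreSQL, the following is an added example, not TaxVault's own schema or code; the table `tax_returns`, the column `tenant_id`, the role `taxvault_app` and the session setting `app.tenant_id` are assumed names.

```sql
-- Added illustration of PostgreSQL Row-Level Security scoped to the authenticated tenant.
-- Not TaxVault's schema: table, column, role and setting names below are assumptions.

CREATE TABLE tax_returns (
    id         bigserial PRIMARY KEY,
    tenant_id  uuid   NOT NULL,
    ssn_enc    bytea  NOT NULL,   -- ciphertext only; plaintext SSN never stored
    tax_year   int    NOT NULL
);

-- Enable RLS and FORCE it so the table owner is not exempt either.
ALTER TABLE tax_returns ENABLE ROW LEVEL SECURITY;
ALTER TABLE tax_returns FORCE ROW LEVEL SECURITY;

-- The application connects as an ordinary role; superusers bypass RLS entirely.
CREATE ROLE taxvault_app NOLOGIN;
GRANT SELECT, INSERT, UPDATE, DELETE ON tax_returns TO taxvault_app;

-- Rows are visible (USING) and writable (WITH CHECK) only when tenant_id matches
-- the tenant pinned for this transaction. current_setting(..., true) returns NULL
-- instead of raising when the setting is unset, so "no tenant" means "no rows".
CREATE POLICY tenant_isolation ON tax_returns
    FOR ALL TO taxvault_app
    USING      (tenant_id = current_setting('app.tenant_id', true)::uuid)
    WITH CHECK (tenant_id = current_setting('app.tenant_id', true)::uuid);

-- Per request, the app pins the tenant inside the transaction. SET LOCAL is
-- discarded at COMMIT/ROLLBACK, so a pooled connection cannot carry it over.
BEGIN;
SET LOCAL app.tenant_id = '11111111-1111-1111-1111-111111111111';  -- constructed id
SELECT id, tax_year FROM tax_returns;   -- only this tenant's rows, even with no WHERE
-- An INSERT tagged with another tenant's id is rejected by WITH CHECK, e.g.:
-- INSERT INTO tax_returns (tenant_id, ssn_enc, tax_year)
--     VALUES ('22222222-2222-2222-2222-222222222222', '\x00', 2024);
COMMIT;

-- Audit check: list ordinary tables in "public" that do NOT have RLS enabled.
-- An empty result is what a claim like "RLS on all tables" should produce.
SELECT c.relname
FROM   pg_class c
JOIN   pg_namespace n ON n.oid = c.relnamespace
WHERE  n.nspname = 'public' AND c.relkind = 'r' AND NOT c.relrowsecurity;
```

The final query is the check a reviewer would run against a database to verify the coverage claim rather than take it from documentation.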
Infrastructure
- ✓ Dedicated US-based server (not shared cloud)
- ✓ All data in one location you can point to
- ✓ Automated daily database backups
- ✓ Docker containers for process isolation
Application Security
- ✓ CSRF protection on all state-changing requests
- ✓ Content Security Policy (CSP) headers
- ✓ Rate limiting on authentication endpoints
- ✓ All SQL queries parameterized (zero injection risk)
Compliance & Transparency
IRS Compliance
- ✓ Aligned with IRS Publication 1075 requirements for handling Federal Tax Information (encryption, access controls, MFA)
- ✓ Data retained for the lifetime of your account. You can request deletion at any time.
- ✓ Audit logging on administrative operations
- ✓ SOC 2 Type II certification planned
Vulnerability Disclosure
We take security reports seriously. If you discover a vulnerability, please contact us.
Report to security@das-tech.us
- We acknowledge reports within 72 hours
- No legal action against good-faith researchers
- Please allow reasonable time before public disclosure
Subprocessors
Third-party services that process data on behalf of TaxVault:
| Service | Purpose | Data Access |
|---|---|---|
| Stripe | Payment processing | Billing info only |
| SendGrid | Email notifications | Email addresses, names |
| Sentry | Error tracking | No PII collected |
| FreshBooks | Accounting sync | Transactions via OAuth |
| QuickBooks | Accounting sync | Transactions via OAuth |
| Xero | Accounting sync | Transactions via OAuth |
Accounting integrations only access your data when you explicitly connect them. You can disconnect at any time.
Questions about how we protect your data?
Contact security@das-tech.us