Infrastructure
- AWS hosting (US-based EC2 instances)
- Amazon RDS with SSL/TLS encryption in transit
- S3 document storage with encryption at rest
- Cloudflare WAF, DDoS protection, and bot mitigation
- Automated daily database backups
- Infrastructure monitoring and alerting
Application Security
- JWT-based authentication with refresh token rotation
- Multi-factor authentication (MFA) support
- Role-based access control with granular permissions
- Organization-level data isolation (every query scoped)
- Comprehensive audit trail for all data changes
- Session management with configurable timeouts
- Cloudflare Turnstile bot verification on login
Data Handling
- All infrastructure US-based (AWS us-west-2)
- Automated daily backups with point-in-time recovery
- Full data export and portability tools
- No third-party data sharing or selling
- Soft-delete architecture preserves audit history
- 30-day data retention after account cancellation
Compliance Roadmap
- SOC 2 Type II preparation in progress (we're honest — we're preparing, not yet certified)
- IRS Publication 4557 guidance awareness for tax practitioner data security
- CCPA and state privacy law compliance
- Regular security assessments and code review
- Responsible disclosure policy for security researchers
A Note on Transparency
We won't claim certifications we don't have. SOC 2 is in preparation. We're building security into the product from the ground up rather than bolting it on later. If you have specific compliance requirements, we're happy to discuss what we have in place and what's on the roadmap.
Security and admin settings — role-based access, audit trails, and organization controls.
Have specific security questions? We're happy to answer them directly.
Contact Us About Security