Security & Privacy

Your tax data, your machine, your control.

Six security pillars — from the moment you upload a document to the moment your return is filed. Raw documents are extracted locally and scrubbed of PII before anything reaches a cloud model. Here is exactly how we handle your data, in plain terms.

AES-256 at restTLS 1.3 in transit§7525 practitioner privilegeLocal OCR, PII-scrubbed
§ 01 — Encryption

AES-256 at rest. TLS 1.3 in transit.

Every document, return, and data record is encrypted at rest using AES-256-GCM, and the sovereign hardware that handles raw documents runs on APFS-encrypted drives. All data in transit is protected by TLS 1.3 — the strongest transport protocol widely available. No exceptions for internal services.

AES-256
Encryption standard
TLS 1.3
Transport security
GCM
Authenticated mode
§ 02 — Data Residency

Your data stays on US-based infrastructure.

Application data is stored on US-based cloud infrastructure (Vercel and Supabase, with Postgres in US regions). Raw documents are extracted on our sovereign hardware located in the United States before anything is written to the cloud. We do not store client data in regions outside US jurisdiction.

US
Hosting regions
Postgres
Encrypted at rest
Local
Raw-doc extraction
§ 03 — AI Training Policy

§7216 compliant. Your return never trains our models.

Under IRC §7216, using client return data to train AI models without explicit written consent is a federal offense. We do not train on your tax returns. AI models improve from anonymized structural patterns — never from your personally identifiable financial data. Genie learns from IRS publications, revenue rulings, and tax court decisions, not your return.

§7216
Federal compliance
Opt-in
Required for any data use
Anonymized
Training signals only
§ 04 — Access Control

Licensed professionals only. Every access logged.

Your documents are accessible only to the licensed professional assigned to your return, under strict NDA. Every document access is logged with timestamp, user ID, and action. No general staff access. No offshore contractors. Internal access requires multi-factor authentication and is revoked promptly on role change.

MFA
Required for all access
Audit log
On every access
NDA
Every team member
§ 05 — Sovereign Architecture

Raw documents are extracted locally, then PII-scrubbed.

Document OCR and extraction run locally on our sovereign hardware — your raw document bytes are processed on our encrypted drives, not uploaded to a cloud AI vendor. Before any text leaves for cloud AI strategy generation, it is PII-scrubbed: SSNs, EINs, and account numbers are masked first. Bank connections run through Plaid directly. The platform itself is hosted on Vercel and Supabase, so we are transparent that those providers hold application data in encrypted Postgres.

Local
OCR processing
Scrubbed
PII masked pre-cloud
Plaid
Direct bank link
§ 06 — Compliance

WISP-governed. §7525 practitioner privilege.

TaxosAgent operates under an IRS Written Information Security Plan (WISP) per IRS Publication 5293. Communications between you and our licensed professionals are protected by §7525 practitioner-client privilege — the same protection as an attorney-client relationship for federal tax matters. Every return is prepared, signed, and e-filed by a licensed professional on our network, under their own IRS authorization. SOC 2 Type II is on our security roadmap; until an audit is complete we make no claim of certification.

§7525
Practitioner privilege
WISP
IRS Pub 5293 governed
e-file
By licensed pros
§ 07 — Retention & Deletion

Your data is yours to delete.

We retain tax records only as long as needed to serve you and to satisfy IRS recordkeeping requirements. You can request a copy of your data, or request deletion of records we are not legally required to keep, by emailing privacy@taxosagent.com from the email on your account. We confirm receipt and act on verified deletion requests within 30 days. Full details live in our privacy policy.

Questions?

Talk to our security team. No runaround.

Report a vulnerability, request a copy of our WISP, ask about our SOC 2 Type II roadmap, or verify our §7525 practitioner coverage. Straight answers, no runaround.

security@taxosagent.com