Your Data Security Is Our Priority

You trust us with your most sensitive financial information. We take that responsibility seriously. Here is exactly how we protect your data.

How We Protect Your Data

Every layer of our platform is built with security in mind — from encryption and authentication to access control and audit logging.

AES-256 Encryption

All sensitive data encrypted at rest using AES-256, the same standard used by banks and government agencies
All data transmitted over TLS (HTTPS) — encrypted in transit between your browser and our servers
Encryption keys managed separately from application data

Multi-Factor Authentication

TOTP-based two-factor authentication (Google Authenticator, Authy, or any TOTP app)
One-time backup codes for account recovery if you lose your authenticator
MFA can only be disabled after password verification

Password & Session Security

Passwords hashed with BCrypt (strength 12) — even we cannot see your password
Strong password policy: 12+ characters, uppercase, lowercase, digit, and special character required
Password history tracking — your last 5 passwords cannot be reused
Access tokens expire every 15 minutes with automatic refresh
Idle session timeout with warning before automatic logout

Role-Based Access Control

Seven distinct roles (Super Admin, Admin, Advisor, Preparer, Reviewer, Client, Lead) with granular permissions
Clients can only access their own documents and data
Advisors see only the clients assigned to them
Administrative actions restricted to authorized personnel only

Audit Logging & Monitoring

Every login attempt (success and failure) logged with IP address and timestamp
All document access (view, download, preview) recorded in the audit trail
Role changes and administrative actions logged with who made the change
PII automatically masked in logs — SSN patterns are never stored in plain text
Download threshold alerts: unusual document access patterns trigger admin notifications

Document Security

Time-limited upload links — expired links cannot be reused
Documents stored in cloud storage with OAuth2-authenticated access
Role-based document access — only authorized users can view or download
Document lifecycle tracking from upload through review to completion

IRS E-Signature Compliance (Form 8879)

Form 8879 signing via DocuSeal — a purpose-built e-signature platform
Secure magic link tokens (cryptographically random) with 72-hour expiration
Identity verification with maximum 3 attempts before lockout
Complete audit trail: who signed, when, and from which device
Signer role tracking (taxpayer, spouse, preparer) with verification status

API & Infrastructure Security

Rate limiting on authentication endpoints (3-10 requests per minute) to prevent brute-force attacks
CSRF protection using double-submit cookie pattern
Input validation on all data entry points to prevent injection attacks
Service-to-service authentication with constant-time key comparison to prevent timing attacks
Account locking after multiple failed login attempts

What We Do Not Do

Transparency means telling you what we don't do, too.

We do not sell or share your personal data with third parties

Your data is used solely for preparing and filing your tax returns.

We do not store your password in readable form

Passwords are hashed with BCrypt before storage — even we cannot see them.

We do not retain your credit card details

All payments are processed securely by Stripe. Card data never touches our servers.

We do not allow unauthorized access to client documents

Every document access is role-checked and logged in the audit trail.

We do not send sensitive information via email

SSNs, account numbers, and tax documents are shared only through our secure portal.

We do not use your data for marketing or analytics

Your financial information is never used for purposes beyond your tax engagement.

Organizational Security

Security is an organizational commitment, not just a technical checklist.

ISO 27001 Certified Parent

SSBAFA is a subsidiary of SSBA Innovations Ltd., which holds ISO 27001 certification for its India operations and service delivery — the international standard for information security management.

Certification scope: SSBA Innovations India office and services. US entity scope extension on our roadmap.

Framework-Aligned Practices

Our platform's security controls — encryption, access management, audit logging, password policies, and incident response — are implemented consistent with the ISO 27001 framework across all offices and systems.

Security-First Culture

Security awareness is embedded in our team practices. Access to client data follows the principle of least privilege. All administrative actions are logged and reviewed. Employee access is revoked immediately upon role change or departure.

Security Questions

Common questions about how we handle your data

Is my financial data encrypted?

Yes. All sensitive data is encrypted at rest using AES-256 encryption, and all data in transit is protected by TLS (HTTPS). Your Social Security Number, bank account details, and other PII are never stored in plain text.

Who can access my documents?

Only you and the tax professional assigned to your engagement can access your documents. Our role-based access control ensures that each user can only see data they are authorized to view. All document access is logged in the audit trail.

Do you support two-factor authentication?

Yes. We support TOTP-based two-factor authentication using apps like Google Authenticator or Authy. We also provide one-time backup codes for account recovery. We strongly recommend enabling MFA on your account.

How do you handle IRS Form 8879 e-signatures?

Form 8879 is signed through DocuSeal, a secure e-signature platform. You receive a time-limited magic link (expires in 72 hours) to sign. Identity verification is required, and the complete signing audit trail is preserved for IRS compliance.

What happens if someone tries to brute-force my account?

Authentication endpoints are rate-limited to prevent brute-force attacks (3-10 attempts per minute depending on the endpoint). After multiple failed login attempts, your account is automatically locked and can only be unlocked by an administrator.

Can your employees see my password?

No. Passwords are hashed using BCrypt before storage. Hashing is a one-way process — even our database administrators cannot retrieve or view your password. If you forget your password, you must reset it; we cannot look it up.

How long are login sessions active?

Access tokens expire every 15 minutes and are automatically refreshed in the background while you are active. If you are idle for an extended period, you will be warned before your session expires and will need to log in again.

Do you sell or share my data with third parties?

No. We do not sell your personal or financial data to any third party. Your data is used solely for preparing and filing your tax returns. For full details, see our Privacy Policy.

Questions About Our Security?

If you have specific questions about how we handle your data, our team is happy to walk you through our security practices.