Security Policy

TaxWallet (“we”, “our”, “us”) implements multi-layered administrative, technical, and physical controls designed to protect personal, financial, and tax information processed on the Platform.

Our security controls are aligned with IRS Publication 4557, NIST 800-53/800-171, SOC 2 principles, FTC Safeguards Rule, GLBA, and standard fintech industry requirements.

This Security Policy applies to all systems, including the web dashboard, mobile applications, APIs, data pipelines, AI/OCR systems, cloud infrastructure, and any third-party integrations.

Security is shared between TaxWallet and the Customer (tax professional, firm, or taxpayer).

TaxWallet provides secure infrastructure, encryption, access control, authentication, audit logging, and monitoring.

The Customer is responsible for:

• Maintaining secure devices and networks.

• Controlling access to user accounts.

• Protecting credentials and preventing unauthorized staff actions.

• Ensuring correct data entry, review, and filing practices.

• Following cybersecurity best practices and IRS e-file security rules.

TaxWallet is not liable for breaches caused by Customer negligence, weak passwords, stolen devices, unpatched systems, insecure Wi-Fi, social engineering attacks, or misuse of the Platform.

All data is protected by strong encryption:

• In transit: TLS 1.2+ using modern cipher suites.

• At rest: AES-256 or equivalent industry-standard encryption.

• Backups: Encrypted before storage and encrypted during transfer.

• Mobile storage: Sensitive tokens are stored using OS-provided secure enclaves when available.

We prohibit plaintext transmission of authentication credentials or taxpayer data at all times.

TaxWallet enforces strict identity verification and access management, including:

• Multi-factor authentication (MFA) for professionals.

• Role-based access controls (RBAC) for tax office teams.

• Session expiration, token rotation, and IP logging.

• Device-level identification for mobile applications.

• Biometric authentication when supported by device hardware.

Customers are responsible for managing access rights of employees, contractors, and temporary staff.

Our infrastructure is hosted on hardened, enterprise-grade cloud environments with:

• Segmented VPC networking and restricted ingress/egress.

• Continuous vulnerability scanning and patch management.

• DDoS protection and traffic filtering.

• Firewalls, WAF layers, and automated bot detection.

• Regular penetration testing and external security audits.

We maintain multi-region redundancy and encrypted backups to ensure availability.

TaxWallet follows secure development practices including:

• OWASP ASVS and OWASP Top 10 controls.

• Code reviews, static analysis, and dependency scanning.

• Signed release builds for mobile applications.

• Sandboxed execution environments for AI/OCR processing.

• Isolation of user data in multi-tenant environments.

Only authorized staff may deploy or modify production code.

We utilize continuous monitoring to detect threats, anomalies, and unauthorized access attempts.

All critical system activities are logged, including:

• Login attempts, authentication changes, MFA events.

• File uploads, downloads, deletions, and e-signature events.

• API access and mobile device interactions.

• Administrative actions within tax firm accounts.

In the event of a confirmed security incident:

• We follow a documented incident response plan.

• We notify affected Controllers without undue delay.

• We cooperate with reasonable investigative efforts.

Mobile applications for iOS and Android are secured using:

• Encrypted local key stores for tokens.

• Device identification (non-personalized).

• Secure camera & document scanning pipelines.

• Runtime protection against tampering or jailbreaking (where supported).

• Least-privilege permission models.

The mobile app never uploads device contacts, messages, or unrelated personal data.

AI/OCR processing is isolated from authentication layers and follows strict data-segmentation practices.

All extracted data is encrypted before being stored or returned to the user.

AI outputs are provided strictly as assistive tools and must be reviewed by the professional.

Controller assumes all responsibility for the accuracy and legal use of AI-assisted or automated data extraction.

TaxWallet uses trusted infrastructure and service partners for:

• Cloud hosting.

• E-signature processing.

• Banking/refund transfer services.

• Identity verification.

• Payment and merchant processing.

• SMS, email, and communication delivery.

All subprocessors are required to meet stringent confidentiality and security obligations.

TaxWallet is not responsible for outages, errors, or breaches occurring within third-party systems.

TaxWallet may provide integrations enabling Customers to accept payments or charge service fees.

TaxWallet does not store full card numbers and never acts as the merchant of record.

Customer acknowledges that:

• All chargebacks, fraud losses, refunds, disputes, and merchant liabilities belong solely to the Customer.

• TaxWallet is not responsible for fraudulent card use or misapplied transactions.

• TaxWallet acts only as a pass-through integration point.

Customer must comply with PCI-DSS requirements when processing payments.

Data is retained only as long as necessary to support the Platform or comply with legal obligations, including IRS and state recordkeeping laws.

Upon termination or written request:

• Data may be exported to the Customer.

• Remaining data will be securely deleted or anonymized unless retention is mandated by law.

Secure deletion follows NIST 800-88 guidelines when applicable.

Production systems are hosted in data centers with:

• 24/7 surveillance and on-site security.

• Biometric access and restricted zones.

• Environmental sensors and redundant power.

• Strict visitor access controls.

TaxWallet does not permit physical access to infrastructure by customers.

All software, AI systems, dashboards, mobile apps, APIs, analytics tools, and infrastructure are proprietary to TaxWallet and architected on Jadee’s system.

Customers receive access only as a limited license, not ownership.

Attempts to reverse engineer, scrape, clone, attack, benchmark, or replicate the Platform are strictly prohibited.

Violations may result in immediate termination and legal action.

While we implement industry-leading security, no system is infallible.

TaxWallet disclaims all liability for:

• Customer negligence or misconfiguration.

• Unauthorized staff access within Customer accounts.

• Compromised devices or networks.

• Third-party platform failures (IRS, states, banks, SMS/email providers, merchant processors).

TaxWallet’s aggregate liability is limited as described in the Terms of Service.

We may update this Security Policy to reflect changes in technology, regulations, or operational requirements.

Material changes will be communicated via email or in-app notification.

Continued use of the Platform constitutes acceptance of the revised policy.

TaxWallet Security & Compliance Office

Email: support@taxwallet.ai

We respond promptly to all security inquiries, regulatory requests, and compliance matters.