Authenticator & TOTP Security Policy

This Authenticator & TOTP Security Policy (“Policy”) governs the TaxWallet Authenticator module (“Authenticator”), a standalone security feature that allows users to generate Time-Based One-Time Passwords (TOTP) for their TaxWallet accounts and for third-party integrations.

The Authenticator is treated as an independent module, separate from all other TaxWallet Services. Use of this feature constitutes agreement to this Policy and its liability limitations.

This Policy applies to all users of the TaxWallet Authenticator, including tax professionals, staff, administrators, and taxpayers.

The Authenticator uses a zero-knowledge encryption architecture, meaning:

• TOTP secrets (seed keys) are encrypted on the user’s device using encryption keys derived from the user's credentials,

• TaxWallet cannot access, decrypt, or recover user TOTP secrets under any circumstances,

• No employee, system administrator, contractor, or partner has the ability to view or extract the secret keys stored on a user's device.

The only time TOTP data leaves a device is when a user elects to create an encrypted backup, which remains accessible only to the user.

By enabling the Authenticator, users acknowledge and agree:

• They are solely responsible for maintaining access to their device and Authenticator setup.

• They are solely responsible for saving backup codes or encrypted backups if they choose to do so.

• TaxWallet cannot restore, regenerate, or decrypt TOTP secrets.

• Loss of a device, reset of a device, or deletion of app data may result in permanent loss of authenticator access.

Users assume all risk and liability associated with TOTP loss, misconfiguration, or unavailability.

TOTP secrets generated or stored by the Authenticator are not recoverable by TaxWallet.

If a user loses access to their device and has not created an encrypted backup, TaxWallet cannot:

• Restore authenticator setups,

• Recover encrypted TOTP secrets,

• Override zero-knowledge encryption,

• Bypass MFA requirements on third-party systems.

Account lockouts resulting from lost authenticator access do not constitute platform failure and are not grounds for refunds or billing adjustments.

The Authenticator stores encrypted TOTP secrets locally in the user's device using:

• iOS Secure Enclave / Keychain,

• Android Keystore,

• TaxWallet encrypted vault storage for app-level storage.

If a user elects to create an encrypted backup, the backup is encrypted using keys derived from the user’s login credentials.

TaxWallet does not maintain a copy of backup keys and cannot decrypt or restore backup content.

The Authenticator may request the following permissions:

• Camera — used to scan QR codes for adding authenticator accounts.

• Biometric Authentication — used to protect access to stored TOTP codes.

• Device Storage — used to store encrypted authenticator data.

• Notifications — to deliver alerts related to login attempts or account security.

The Authenticator does not access contacts, SMS, photos (except QR scans), call logs, or background data unrelated to authentication.

To maintain audit integrity and prevent fraud, TaxWallet may log the following non-secret metadata:

• Timestamp of authenticator use,

• Device model and installation ID,

• IP address and geolocation region,

• Session identifiers,

• MFA challenge results.

TaxWallet does not log or store TOTP secrets, QR seed codes, or unencrypted sensitive authentication data.

The Authenticator is accessible within:

• The TaxWallet mobile app (iOS & Android), under Profile → Authenticator,

• The user profile section on the main platform.

The Authenticator may be used for:

• TaxWallet account login MFA,

• Approving sensitive actions (refund transfers, bank connection, profile edits),

• Authentication for connected third-party services.

Enabling MFA does not guarantee prevention of account takeover but materially reduces the risk of unauthorized access.

Users may not:

• Attempt to extract, tamper with, or reverse-engineer encrypted TOTP secrets,

• Use the Authenticator for any illegal or prohibited activity,

• Store unauthorized third-party secrets belonging to individuals without consent,

• Attempt to bypass or disable MFA requirements imposed by TaxWallet.

Violations may result in account suspension or permanent termination.

The Authenticator is provided strictly on an “AS IS” basis.

TaxWallet disclaims all warranties concerning:

• Availability of authenticator functionality,

• Continuity of device access or storage stability,

• Restoration of lost secrets or MFA credentials,

• Compatibility with third-party authenticator requirements.

Users agree that TaxWallet is not liable for:

• Account lockouts,

• Lost productivity,

• Missed filing deadlines,

• Failed logins,

• Third-party service inaccessibility,

arising from lost or inaccessible TOTP data.

TaxWallet may update this Policy at any time to reflect security improvements, regulatory requirements, or product changes.

Material updates will be communicated through app notifications or dashboard alerts.

Continued use of the Authenticator constitutes acceptance of any updated terms.

TaxWallet Security & Compliance Office

Email: support@taxwallet.ai

For authenticator issues, please include your device model and installation ID.