Security

Your financial data deserves the highest level of protection. TaxTidy is built with security-first architecture aligned with SOC 2 Type 1 principles.

  • SOC 2 Aligned
  • TLS 1.2+ Encrypted
  • GDPR Compliant
  • RLS Enforced
  • PCI DSS (via Stripe)

How We Protect Your Data

Encryption Everywhere

All data is encrypted in transit (TLS 1.2+) and at rest (AES-256). Your receipt images, expense records, and financial data never travel unprotected.

Row Level Security

Every database table enforces row-level security at the PostgreSQL level. Even if application code has a bug, the database itself will reject unauthorized access.
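The pattern described above, as an added example that is not TaxTidy's own schema: a hypothetical expenses table with PostgreSQL row-level security so that a query which forgets its WHERE clause still only returns the caller's rows. Table and column names are assumptions; auth.uid() is the Supabase helper that returns the authenticated user's id from the request JWT.

```sql
-- Added example (not TaxTidy's schema). Assumes Supabase-style roles
-- (authenticated, anon) and the auth.uid() helper.
create table if not exists expenses (
  id           bigint generated always as identity primary key,
  user_id      uuid not null default auth.uid(),   -- owner is always the caller
  merchant     text not null,
  amount_cents bigint not null
               check (amount_cents between 0 and 100000000),  -- bounds-check at the DB too
  created_at   timestamptz not null default now()
);

-- 1. Turn RLS on. With RLS enabled and no policies, the table is invisible
--    to everyone except the owner and roles with BYPASSRLS.
alter table expenses enable row level security;
-- FORCE applies the policies to the table owner as well; only roles that
-- hold BYPASSRLS still see everything.
alter table expenses force row level security;

-- 2. One policy per operation, each scoped to the caller's own rows.
--    USING filters rows that may be read/updated/deleted;
--    WITH CHECK rejects rows that would end up belonging to someone else.
create policy expenses_select_own on expenses
  for select to authenticated
  using (user_id = auth.uid());

create policy expenses_insert_own on expenses
  for insert to authenticated
  with check (user_id = auth.uid());

create policy expenses_update_own on expenses
  for update to authenticated
  using (user_id = auth.uid())
  with check (user_id = auth.uid());

create policy expenses_delete_own on expenses
  for delete to authenticated
  using (user_id = auth.uid());

-- 3. Behaviour under a buggy application query (run as an authenticated user):
--    select * from expenses;            -- missing WHERE, still only own rows
--    insert into expenses (user_id, merchant, amount_cents)
--      values ('00000000-0000-0000-0000-000000000001', 'shop', 100);
--    -- ERROR: new row violates row-level security policy for table "expenses"

-- 4. Audit check: list public tables where RLS is NOT enabled.
--    An empty result is the expected state for a schema that claims
--    "every table enforces row-level security".
select schemaname, tablename
  from pg_tables
 where schemaname = 'public'
   and not rowsecurity;
```

The final query is the check worth automating: it catches a newly added table that shipped without `enable row level security`, which is the usual way an RLS-everywhere guarantee silently erodes.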

Comprehensive Audit Trail

13 action types are logged with timestamps, IP addresses, and full context. Every receipt scan, export, login, and account change is recorded.

Input Validation

All API inputs are validated with strict Zod schemas before processing. File uploads are restricted by type and size. Financial inputs are bounds-checked.

Rate Limiting

Tier-aware rate limiting protects against abuse. Atomic database counters prevent race conditions. All AI endpoints have separate burst and daily limits.
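How an atomic database counter avoids the check-then-increment race, as an added example that is not TaxTidy's code: one PostgreSQL UPSERT both checks and increments a per-user, per-endpoint burst counter and daily counter under the row lock, so two concurrent requests cannot both read "4 of 5" and both proceed. Table, function and tier names are assumptions; auth.uid() is the Supabase helper used in the usage line.

```sql
-- Added example (not TaxTidy's code). Table/function names are assumptions.
create table if not exists tier_limits (
  tier             text primary key,
  burst_per_minute integer not null,
  per_day          integer not null
);
-- Constructed sample tiers.
insert into tier_limits values ('free', 5, 50), ('pro', 30, 1000)
on conflict (tier) do nothing;

create table if not exists ai_rate_limits (
  user_id      uuid        not null,
  endpoint     text        not null,
  burst_window timestamptz not null,          -- start of the current 1-minute window
  burst_count  integer     not null default 0,
  day_window   date        not null,          -- UTC day
  day_count    integer     not null default 0,
  primary key (user_id, endpoint)
);

-- Users must not be able to reset their own counters: only the function below
-- (SECURITY DEFINER) touches the table.
revoke all on ai_rate_limits from authenticated, anon;

-- Returns true and consumes one unit of quota, or false without side effects.
create or replace function consume_ai_quota(
  p_user_id uuid, p_endpoint text, p_burst_limit integer, p_daily_limit integer)
returns boolean
language plpgsql
security definer
set search_path = public
as $$
declare
  v_allowed boolean;
  v_minute  timestamptz := date_trunc('minute', now());
  v_day     date        := (now() at time zone 'UTC')::date;
begin
  -- A single statement: the existing row is locked, the limits are evaluated
  -- against the locked values, and the increment happens only if they pass.
  -- Concurrent callers serialize on the row, so no two can both slip through.
  insert into ai_rate_limits as r
    (user_id, endpoint, burst_window, burst_count, day_window, day_count)
  values (p_user_id, p_endpoint, v_minute, 1, v_day, 1)
  on conflict (user_id, endpoint) do update set
    burst_count  = case when r.burst_window = v_minute then r.burst_count + 1 else 1 end,
    burst_window = v_minute,
    day_count    = case when r.day_window = v_day then r.day_count + 1 else 1 end,
    day_window   = v_day
  where (case when r.burst_window = v_minute then r.burst_count else 0 end) < p_burst_limit
    and (case when r.day_window   = v_day    then r.day_count   else 0 end) < p_daily_limit
  returning true into v_allowed;

  -- No row returned means the WHERE rejected the update: limit reached.
  return coalesce(v_allowed, false);
end
$$;

-- Usage from an API route, tier-aware: the caller's tier is looked up and its
-- limits passed in. The route proceeds only when this returns true.
select consume_ai_quota(auth.uid(), 'receipt_ocr', t.burst_per_minute, t.per_day)
  from tier_limits t
 where t.tier = 'free';   -- in practice, the tier comes from the user's profile
```

Because the window comparison and the increment live in one statement, a stale burst window is reset and counted in the same lock scope; a separate `SELECT` followed by `UPDATE` would leave a gap in which parallel requests all pass the check.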

Security Headers

Content Security Policy, HSTS (2-year preload), X-Frame-Options DENY, strict Referrer-Policy, and Permissions-Policy are enforced on every response.

What We Never Do

  • We never store your credit card numbers. Stripe handles all payment data.
  • We never sell your data to third parties.
  • We never use your financial data to train AI models.
  • We never access your data without your authentication.
  • We never send unencrypted financial data over the network.

Your Data, Your Control

  • Export anytime: Download a complete ZIP of all your data — expenses, receipts, statements, reports, and chat history — with one click in Settings.
  • Delete anytime: Request full account deletion in Settings. All data is permanently removed, including storage objects and Stripe subscriptions.
  • Transparent logging: View your own audit log to see every action taken on your account.

Security Documentation

Infrastructure Partners

Provider | Role                                             | Compliance
Supabase | Database, Auth, Storage                          | SOC 2 Type II
Stripe   | Payment Processing                               | PCI DSS Level 1
Vercel   | Hosting & Edge Network                           | SOC 2 Type II
OpenAI   | Receipt OCR, Categorization & Statement Processing | SOC 2 Type II
Google   | AI Tax Assistant (Fin)                           | SOC 2 Type II
Sentry   | Error Monitoring                                 | SOC 2 Type II

Continuous Verification

TaxTidy maintains 103+ automated tests covering rate limiting, input validation, tier gating, duplicate detection, and API route behavior. Every code change is automatically tested, type-checked, and linted before deployment. Deployments are atomic and zero-downtime via Vercel, with instant rollback capability.

Questions or Concerns?

If you have security questions or want to report a vulnerability, contact us at security@taxtidy.app.