Data Security and Compliance
Securing your Data is our Highest Priority
Our team understands how important data security is to our clients. To provide the highest standard of data security, we take a layered approach to secure data and implement various proven methodologies.
Here is a complete overview of the security standards and protocols Tax990 has in place to safeguard our client’s data.
SOC 2 Compliance
Tax990 is SOC 2 certified e-file provider. As required by SOC 2 compliance, we undergo regular audits to ensure that we protect our user data and privacy at every stage.
We adhere to all the regulations of the California Consumer Privacy Act (CCPA) when handling the personal information (PI) of California residents.
PCI DSS Compliance
All the payment processing tools used by Tax990 adhere to PCI-compliance requirements for encrypting and securely transmitting credit card information.
Add another layer of security to your account with the multi-factor authentication feature. This requires you to verify your identity by entering a unique code sent to you each time you sign in.
Our firewall monitors and prevents any suspicious or unnecessary traffic from accessing the system.
Our system is protected by antivirus software that serves as a powerful defense mechanism against viruses and other types of malicious software.
PII Data Security
We follow all the regulations of PII data security standards to ensure that your personal information (Social Security numbers, email addresses, phone numbers, etc.) is secure.
Encryption - Data-in-Rest, Data-in-Motion & Data-in-Use
All client data that is stored in our database (Data-in-rest) or transferred between networks or devices (Data-in-motion) is encrypted.
We follow SSL (Secure Sockets Layer) and TLS (Transport Layer Security) cryptographic protocols to encrypt data that is currently being accessed or read (Data-in-use).
To maintain the security and privacy of the database system, we perform data fragmentation. We frequently carry out data backups as a preventive measure against any unprecedented security incidents. Learn more about preventative measures
Defense In-Depth Security
A Defense In-Depth (DID) security approach is used to guard client information across our database. This includes multiple layers of security mechanisms and controls.
Oracle Cloud Infrastructure Security
Our database is maintained through Oracle Cloud Infrastructure Security, and our servers are under Compute Security protection. Through Application Segmentation, all the sensitive data in our database remains isolated and unbreachable.
A dedicated whitelist is associated with an individual instance in the cloud, allowing only specific sources to communicate with the instance.
Data Loss Prevention
Data Loss Prevention (DLP) practices are carried out to avoid loss of sensitive data and data exfiltration from our system.
Secure Remote Access - VPN
Access to all our servers, data, and tools is restricted to allow only authorized SPAN corporate personnel who are connected through our secure VPN network. Only the IP addresses from select geographical locations that we have authorized can access our network.
Access to our system through any unauthorized wireless networks is restricted to prevent the confidentiality of all our data.
Perimeter Security - WAF for Application
Our Web Application Firewall inspects the traffic to our application and filters out anything that is suspicious and malicious.
Internet URL Filtering
To prevent the entry of any security threats into our system, access to websites that contain potentially malicious content (Eg: Phishing Pages) is restricted throughout our network.
Secure Software Development -DevSecOps
We rely on the DevSecOps approach and follow Secure Software development practices to ensure that our application possesses all the security requirements for each stage of software development.
By foreseeing potential security threats and vulnerabilities right at the development of our application, we formulate strategies to negate and nullify them.
As there is a possibility of APIs exposing sensitive data, we have a designated security checklist for the APIs. This helps us identify and eliminate any potential security vulnerabilities in our API endpoints.
Tax990 is prepared to address any and all unprecedented and unexpected security incidents with immediate solutions. In the event of an incident, our team will take urgent action so that our clients are unaffected.
We don’t leave any room for security issues that may arise with our application changes or other software updates. We have various countermeasures to make sure that all our data and services are minimally impacted by any such changes.
We have clearly defined policies in place to ensure maximum data security. We adhere to these policies in all day-to-day practices and activities related to data.
Security Awareness Training
The Tax990 team has a clear-cut understanding of data security. We continuously educate ourselves with new technologies and security mechanisms to counter any unprecedented threats.
Robust Architecture and Design
We have streamlined workflows and models to depict our security framework, defining the implementation and ongoing management of all our security methodologies and standards.
The responsible personnel and notification procedures in the event of any security incidents for each escalation level have been clearly defined and are being followed. In the event of an escalation, the responsible personnel will take the necessary actions at each level.
Frequently, there will be simulated cyber attacks made on our application and database by our security engineering team to test the effectiveness of all the security mechanisms and technologies we have implemented.
Monitoring and Response
There is constant monitoring of our network and application to identify any potential security threats. When there is such a threat identified, we perform event log analysis to respond with proactive measures for negating the threat.
We perform a sequence of server hardening processes to eliminate all the potential vulnerable points for security attacks in our servers.