Security & Compliance

Built for trader-tax CPAs.
Built around how trader-tax data should actually be handled.

Tax preparation generates some of the most sensitive data in any client relationship — SSNs, brokerage account numbers, FBAR-reportable balances, retirement contributions. TraderTax is built to handle it the way a CPA firm IT department would design it themselves.

10+
Compliance standards aligned
100%
Paid-state writes server-side
AES-256
Encryption at rest
TLS 1.3
Encryption in transit
A Quick Scan

Eight things every page does, before any data moves.

Every request to TraderTax runs through this stack before it touches a database or a third party. None of it is optional, none of it is a setting a client can turn off, none of it depends on a CPA partner remembering to enable a feature.

🔐
TLS 1.3 in transit
Every byte between you, your CPA, and our servers is encrypted end-to-end. HSTS preloaded.
🗄️
AES-256 at rest
Google Cloud storage and Firestore encrypt every document and database row at rest with rotating keys.
🛡️
Row-level Firestore rules
Hardened access control: clients see only their own data, CPAs see only their assigned clients, admins see all. Enforced at the database layer.
📱
MFA available
TOTP authenticator + SMS second-factor available on every account. Staff enforcement is the next item we're shipping.
💳
HMAC-verified payments
Stripe webhook signatures are verified on every event, with a 300-second timestamp tolerance. Paid state is written only by the webhook handler; no client browser can grant itself paid status.
📜
Append-only audit logs
Every sensitive read — admin opens a client profile, CPA opens a workspace — writes an immutable log entry. Patterns followed: IRS Pub 4557 + §314.4(c)(1).
🕶️
PII scrubbing in observability
Emails, UIDs, phone numbers, SSNs, and tax IDs are redacted before any error or analytics payload leaves our process. Sentry and PostHog never see raw PII.
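One way such a scrubber can be built, as an added example rather than TraderTax's own implementation: a set of redaction patterns applied recursively to every string in an error payload, shaped so it can be handed to a Sentry `beforeSend` hook (which receives the event and returns the event to send, or null to drop it). The patterns, the 28-character Firebase UID assumption, and the sample event are assumptions made for the example.

```javascript
// Added example: redact PII from an error or analytics payload before it
// leaves the process. Not TraderTax's scrubber; the patterns are assumptions
// about what counts as PII in a tax-prep workload.
const PATTERNS = [
  // Order matters: SSN and EIN run before the generic phone pattern so that
  // 123-45-6789 is labelled as an SSN rather than partially matched as a phone.
  { name: "ssn",   re: /\b\d{3}-\d{2}-\d{4}\b/g, repl: "[SSN]" },
  { name: "ein",   re: /\b\d{2}-\d{7}\b/g, repl: "[EIN]" },
  { name: "email", re: /[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/g, repl: "[EMAIL]" },
  { name: "phone", re: /(?:\+?1[ .-]?)?\(?\b\d{3}\)?[ .-]?\d{3}[ .-]?\d{4}\b/g, repl: "[PHONE]" },
  // Assumption: Firebase Auth UIDs are 28 alphanumeric characters.
  { name: "uid",   re: /\b[A-Za-z0-9]{28}\b/g, repl: "[UID]" },
];

function scrubString(s) {
  let out = s;
  for (const { re, repl } of PATTERNS) out = out.replace(re, repl);
  return out;
}

// Walk arrays and plain objects, returning a new structure; the input is never
// mutated, so the original event is not accidentally "cleaned" in place.
function scrubDeep(value) {
  if (typeof value === "string") return scrubString(value);
  if (Array.isArray(value)) return value.map(scrubDeep);
  if (value && typeof value === "object") {
    const out = {};
    for (const [k, v] of Object.entries(value)) out[k] = scrubDeep(v);
    return out;
  }
  return value;
}

// Same shape as Sentry's beforeSend(event) hook: return the event to send.
// Identity fields are replaced outright rather than trusting regexes on them.
function beforeSend(event) {
  const scrubbed = scrubDeep(event);
  if (scrubbed.user) scrubbed.user = { id: "[UID]" };
  return scrubbed;
}

// Constructed sample event; every value is made up for the example.
const SAMPLE_EVENT = {
  message: "Failed to save W-2 for jane.doe@example.com (SSN 123-45-6789), call 415-555-0100",
  user: { id: "AbCdEfGhIjKlMnOpQrStUvWxYz12", email: "jane.doe@example.com" },
  extra: { ein: "12-3456789", form: "W-2" },
};

module.exports = { PATTERNS, scrubString, scrubDeep, beforeSend, SAMPLE_EVENT };
```

Wiring it up is one line in the SDK initialisation (`beforeSend` passed to `Sentry.init`); the useful property is that the scrubber is pure and testable on its own, so a new PII class can be added with a fixture before it ever appears in production telemetry.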
🔏
SHA-256 document hashing
Every e-signed document is hashed and audit-recorded. If a signed PDF is later altered, the hash mismatch surfaces the change.
Compliance & Standards

Built to the regulations tax preparers actually face.

Generic SaaS platforms point at SOC 2 and call it done. Tax-specific compliance — IRS Pub 4557, §7216, IRC e-signature rules — is what your state board, your E&O carrier, and a Schedule C audit actually look at. TraderTax is built to those standards.

🇺🇸
IRS Pub 4557 Aligned
"Safeguarding Taxpayer Data" — the IRS's reference standard for tax preparers handling personally identifiable information. Audit logs, access controls, encryption, and incident response procedures in place. MFA is available (TOTP + SMS) and will be required for all staff before the next tax season.
📋
IRC §7216 — Tax Preparer Privacy Aligned
Federal law restricting how tax preparers can use or disclose taxpayer return information. Penalties of up to $1,000 per violation and possible imprisonment. Explicit consent flows in place; no third-party data sale; all disclosures logged.
✍️
UETA + ESIGN Act Compliant
Uniform Electronic Transactions Act and the federal Electronic Signatures in Global and National Commerce Act. All four legal requirements met: intent to sign, consent to do business electronically, association of signature with record, record retention.
📝
IRS Forms 8878 + 8879 Capable
Our e-signature engine meets the IRS requirements for electronic signing of Form 8879 (taxpayer e-file authorization) and Form 8878 (ERO authorization for paper-filed returns): recorded intent, identity verification via Firebase Auth, SHA-256 record hashing, and designed to support the 7-year IRS retention requirement.
🌐
CCPA Compliant
California Consumer Privacy Act. We don't sell user data. We share only with the processors required to operate the platform — Stripe for payment, SendGrid for transactional email, GoHighLevel for CRM. Account deletion supported on request via support@tradertax.net. Cookies disclosed and consent-gated.
🇪🇺
GDPR Aligned
EU General Data Protection Regulation. TraderTax is US-focused, but the same data-deletion and data-portability rights apply on request. Right-to-erasure is supported on request — email support@tradertax.net. PII is also pre-scrubbed before any error or analytics payload reaches Sentry or PostHog.
☁️
Google Cloud Platform Inherited
All TraderTax data lives on Google Cloud / Firebase infrastructure, which carries SOC 1, SOC 2, SOC 3, ISO 27001, ISO 27017, ISO 27018, PCI DSS, FedRAMP, HIPAA, and CSA STAR certifications. We inherit these baseline controls automatically.
💳
Stripe — PCI DSS Level 1 Inherited
All credit card processing routes through Stripe. Card numbers, CVVs, and expiration dates never touch TraderTax servers. Stripe is certified PCI DSS Service Provider Level 1 — the highest tier.
Defense in Depth

Six keys behind every sensitive operation.

No single check is the gatekeeper. Every read or write to a sensitive document passes through all six of these in sequence. If any one fails, the operation is denied — silently from the attacker's perspective, observably from our monitoring.

🔑
Firebase Auth Token
Verified JWT on every request
🔑
Row-Level Rule
Per-document access check in Firestore
🔑
Storage Path Scope
Each client's files are scoped to their own storage path; cross-client reads are denied at the rule layer.
🔑
Document Hash
SHA-256 anti-tamper signature
🔑
E-Sign Audit Record
Append-only chain of custody
🔑
TLS 1.3 Transport
Perfect forward secrecy
For Tax CPAs Evaluating TraderTax

Most CPA practice tools were built for generic accountants.

TraderTax is built specifically for traders, which means the threat model has to handle prop firm 1099-NEC structuring, offshore brokerage statements subject to FBAR / FATCA disclosure, §475 mark-to-market elections, and the §1256 60/40 contract split — none of which generic practice-management tools account for. We started with the trader workload and worked the security posture outward, rather than retrofitting controls onto a general-purpose CRM. If your firm's IT department or E&O carrier sends a vendor questionnaire (SIG Lite, CAIQ, or custom), we'll complete it in writing within 5 business days.

This page is verifiable. Every alignment claim above can be cross-referenced against the deployed Firestore rules, the live Stripe webhook configuration, and the Sentry PII scrubber. If your firm's IT or compliance team wants a vendor security questionnaire (SIG Lite, CAIQ, or your custom form), email security@tradertax.net — we'll complete it within 5 business days.