Data Security and Compliance

• SOC 2 Compliance

• SOC 2 certification is a security standard for service organizations developed by the American Institute of CPAs (AICPA). It requires companies to establish and maintain a set of controls and procedures to ensure the confidentiality, integrity, and availability of client data.
• These controls include policies and procedures related to security, availability, processing integrity, confidentiality, and privacy. SOC 2 audits evaluate whether a company's systems and processes meet these standards.
• As a SOC 2 certified e-file provider, TaxBandits undergoes regular audits to ensure that its system and processes meet the SOC 2 standards. This means that TaxBandits has established and maintains a set of controls and procedures to protect client data and privacy throughout every aspect of operations.

• HIPAA Compliance

• The Health Insurance Portability and Accountability Act (HIPAA) is a US federal law that sets standards for the protection of Protected Health Information (PHI).
• PHI includes any information that can be used to identify a patient or their health condition, and as such, it is highly sensitive information that requires strong security measures to protect it.
• As a provider of services that handle PHI, TaxBandits has implemented all the required security measures to comply with HIPAA regulations. These measures include technical, physical, and administrative safeguards to ensure the confidentiality, integrity, and availability of PHI.

• CCPA Compliance

• The California Consumer Privacy Act (CCPA) is a privacy law that gives California residents certain rights over their personal information (PI).
• PI includes any information that identifies, relates to, describes, or can be associated with a particular person or household.
• As a provider of services that handles PI of California residents, TaxBandits adheres to all the regulations of the CCPA. This means that TaxBandits provides California residents with the right to know what PI is being collected, the right to access their PI, the right to have their PI deleted, and the right to opt out of the
  sale of their PI.

• PCI DSS Compliance

• The Payment Card Industry Data Security Standard (PCI DSS) is a set of policies and procedures established to ensure safe credit, debit and cash card transactions and prevent the misuse of personal information of the cardholders.
• All the payment processing tools used by TaxBandits adhere to PCI-compliance requirements for encrypting and securely transmitting credit card data.

• Two Factor Authentication (2FA)

  TaxBandits clients can enable 2-FA Authentication and add an additional layer of security to their account. We provide our clients with an option to choose from Google Authenticator, Authy by Twilio, Microsoft Authenticator, Last Pass, and the 2FA Authenticator applications. Learn more

• Firewall

  We implemented a Web Application Firewall that filters incoming traffic, scrutinizing requests for malicious patterns, ensuring only authorized and authentic access.

• Antivirus

  Our system is protected by antivirus software that continuously monitors device behavior, files, and applications, identifying anomalies and thwarting potential threats.

• PII Data Security

  We follow all the standard regulations of PII data security to ensure that our clients’ personal information (Social Security numbers, email addresses, phone numbers, etc) are secure.

• Encryption - Data-in-Rest, Data-in-Motion & Data-in-Use

  We encrypt all client data that is stored in our database (Data-in-rest) and data that is transmitted between networks or devices (data-in-motion).

  We also follow SSL (Secure Sockets Layer) and TLS (Transport Layer Security) cryptography protocols to encrypt the data that is being accessed or read (Data-in-use) at any given time.

• Database Management

  Access to production databases is restricted to only those who have a specific need to access the production data. We also perform data fragmentation and frequently carry out data backups as a preventive measure against unprecedented security incidents.

• Defense In-Depth Security

  We follow Defense-in-depth security architecture, i.e., layered security that incorporates different levels of security mechanisms and controls.

• Oracle Cloud Infrastructure Security

  Our database is maintained through Oracle Cloud Infrastructure Security, and our servers are under Compute Security protection.

  A dedicated whitelist is associated with an individual instance in the cloud, allowing only specific sources to communicate to the instance.

• Data Loss Prevention

  Standard Data Loss Prevention (DLP) practices are carried out to avoid loss of sensitive data and data exfiltration from our system.

• Email Security

  TaxBandits ensures email security by implementing DMARC, DKIM, and SPF measures. This helps authenticate and verify legitimacy, preventing spoofing and phishing attacks.

In accordance with IRS guidelines, TaxBandits takes multiple measures to prevent identity theft and block fraudulent filings. Our top priority is safeguarding our clients' sensitive data and maintaining the integrity of our e-filing solution.

• Identity Verification

  We have partnered with Veriff, a third-party provider, to offer a robust identity verification solution that protects you against identity theft and fraudulent activity.

  The identity verification process is a one-time procedure that applies to your TaxBandits account. Once verified, your information is protected for all future interactions with TaxBandits. This streamlined approach not only saves you time but provides continuous protection.

  Specifically, this helps to:

• Prevent fraudulent tax refund claims
• Eliminate unauthorized form submissions
• Prevent unauthorized use of credit cards

• Fraud Patterns

  Our system automatically detects suspicious tax filings based on certain pre-defined fraud patterns (specific to each form type). This helps us prevent fraudulent refund claims. Learn More

• Secure Remote Access - VPN

  Access to all our servers, data, and tools has been restricted to allow only authorized TaxBandits corporate personnel who are connected through our secure VPN network. Only the IP addresses from selected geographical locations that we have authorized can access our network.

• Wireless Security

  Accessing our system through any unauthorized wireless networks is restricted to prevent the confidentiality of all our data.

• Internet URL Filtering

  To prevent the entry of any security threats into our system, access to websites that contain potentially malicious content (Eg: Phishing Pages) is restricted throughout our network.

• Secure Software Development -DevSecOps

  We follow the Dev Ops Methodology for Testing and deploying to ensure secure software development with the implementation of standard security measures throughout the development cycle.

• Threat Modeling

  We formulate strategies to negate and nullify potential security threats and vulnerabilities right at the development of our application.

• API Security

  As there is a possibility of APIs exposing sensitive data, we have a designated security checklist for the APIs. This helps us identify and eliminate any potential security vulnerabilities in our API endpoints.

• Incident Management

  We have streamlined countermeasures in place in case of any unprecedented and unexpected
  security incidents.

• Change Management

  We adhere to a standard process that involves careful planning, testing, and validation to ensure that every change is introduced without posing any risks to the data.

• Security Policies

  Our security policies comprise numerous measures and guidelines starting from access controls and encryption protocols to regular audits and vulnerability assessments, to which we strictly adhere to ensure complete
  data protection.

• Security Awareness Training

  The team at TaxBandits has a clear-cut understanding of data security and constantly stays ahead of new technologies and security mechanisms that counter security threats.

  This culture of awareness strengthens our collective defense and reinforces our commitment to data security.

• Escalation Matrix

  In the event of any security incidents, the responsible personnel and notification procedures for each escalation level are clearly designed and are being followed.

• Penetration Testing

  Our penetration testing practices are aligned with OWASP standards, a comprehensive guide to identifying and mitigating security vulnerabilities in web applications. We frequently test our systems to uncover potential vulnerabilities.

• Monitoring and Response

  We regularly monitor and scan our network and application to identify any potential security threats. When there is such a threat identified, we perform event log analysis to respond with proactive measures for
  negating the threat.

• Windows/Server Hardening

  We implement a sequence of server hardening processes to eliminate the potentially vulnerable points for security attacks in our servers.