Data Security

Last updated: 2026-05-20

This is 3520file's customer-facing summary of how we safeguard taxpayer data. The framework is IRS Publication 4557 (the data-security mandate for paid tax preparers) and the FTC Safeguards Rule under GLBA (16 CFR Part 314). Read this alongside our Privacy Policy for the complete picture.

1. Our Compliance Posture

Our security program is built around: IRS Publication 4557 (Safeguarding Taxpayer Data); the FTC Safeguards Rule under the Gramm-Leach-Bliley Act (16 CFR Part 314, updated 2023); applicable state breach-notification laws including California (Cal. Civ. Code § 1798.82), New York (SHIELD Act), and Massachusetts (201 CMR 17.00). Payment data is handled by Stripe under PCI-DSS Level 1. We review and update this program when our vendor mix, product surface, or the threat landscape changes materially.

2. Encryption and Key Management

All data at rest is encrypted with AES-256-GCM. SSN and ITIN values receive column-level encryption on top of disk-level encryption. All data in transit is protected by TLS 1.3 with modern cipher suites. Application secrets (API keys, signing keys) are stored in a secrets manager and never written to source control.

3. Access Controls

Production data access is restricted to authorized personnel and requires multi-factor authentication. Access is granted on a least-privilege basis. All writes to taxpayer records are logged to an immutable audit trail retained for the same 7 years as your filing records. We do not store production data on laptops, mobile devices, or removable storage; production data is never copied to non-production environments.

4. Network and Infrastructure Security

Our infrastructure runs on Railway, a SOC 2 Type 2 certified hosting provider built on top of Google Cloud Platform infrastructure. Cloudflare protects every public endpoint with TLS termination, DDoS mitigation, and bot management. Our application has a documented network architecture with private database subnets, no public database endpoints, and least-privilege IAM. We use container isolation, network segmentation, automated dependency scanning, and continuous vulnerability monitoring.

5. Vendor Management

Every third party that touches taxpayer data is reviewed before integration. We select vendors with their own SOC 2 / PCI-DSS attestations where the data type warrants it. Current subprocessors: Clerk (authentication), Stripe (payments, PCI-DSS Level 1), Resend (transactional email, SOC 2 Type 2), Railway (hosting, SOC 2 Type 2), Cloudflare (DNS/CDN, SOC 2 Type 2), OpenExchangeRates (FX rates only, no PII transmitted), PostHog (anonymous analytics), Sentry (error monitoring without PII).

6. Personnel Security

Anyone with access to taxpayer data is bound by a confidentiality agreement and trained on IRS Pub 4557 (data-security obligations of paid tax preparers) and phishing recognition. Access is provisioned only after that training, and revoked on role change or departure.

7. Incident Response

We maintain a documented incident-response plan covering detection, triage, containment, recovery, and post-incident review. The plan names the responsible parties, the legal notification timelines (72 hours under GDPR, 30 days under most US state laws, consistent with IRS Pub 4557), and the customer-communication procedure. If a security incident affects your data, we will notify you and applicable regulators within the legally required timeframe. Suspected incidents: security@3520file.com.

8. Backup and Disaster Recovery

Database backups run automatically with point-in-time recovery, encrypted at the same standard as production data, and stored in a separate availability zone. Our operational targets are a Recovery Time Objective (RTO) of 4 hours and a Recovery Point Objective (RPO) of 24 hours.

9. Retention and Deletion

We retain your filing records for 7 years from the filing date: 6 years matches the IRC § 6501 statute of limitations for international transactions, plus 1 year of safety margin. After the retention period, identifiable data is securely deleted using cryptographic key destruction; only an anonymized audit log remains. Backups expire under their own 30-day rolling window. We do not retain physical records.

10. Risk Assessment

We maintain a written risk assessment that identifies foreseeable internal and external risks to the confidentiality, integrity, and availability of customer data and the safeguards that address each risk. We update it when the threat landscape, our vendor mix, or our product surface changes materially.

11. What You Can Do

Use a unique password (Clerk enforces strong-password rules) and turn on multi-factor authentication in your Clerk account. Do not share your account credentials with anyone. Be alert for phishing emails that impersonate 3520file — we will never ask for your SSN, password, or full credit-card number via email. If you suspect unauthorized access to your account or receive a suspicious message claiming to be from us, email us immediately at security@3520file.com.

12. Contact

Security questions or to report a suspected incident: security@3520file.com.