Security Policy
Security & Data Protection at Taxwire
At Taxwire, safeguarding your data is a top priority. We take a rigorous, security-first approach to managing infrastructure, credentials, employee access, and customer data across all systems. Below is an overview of our current practices.
Credential & Access Management
Employee Credentials: All employee-accessible credentials are securely stored in encrypted password managers. We use 1Password. Credentials are accessible only on an as-needed basis, and the most sensitive credentials are kept in a high-security vault accessible only to our CTO and CEO.
System Credentials: For credentials used by our systems (e.g., Stripe API keys), we:
Encrypt them using AES-GCM encryption with a 12-byte random IV.
Store them in a private AWS RDS database within a private subnet.
Protect the encryption key using AWS KMS.
Restrict AWS production account access to MFA-secured Google logins available only to our CTO.
MFA Enforcement: All core systems are accessed via Google Workspace with MFA enabled. For services using shared credentials, we enforce 1Password + OTP-based MFA.
Endpoint Security & Personnel Practices
While we have not yet instituted formal MDM (mobile device management), we follow a set of policies and expectations to maintain device-level security:
Unmanaged Device Use: Employees may access company and customer systems from personally managed devices. However, all access is gated through SSO, credential managers, and MFA-secured services.
Security Hygiene - We strongly encourage:
Full-disk encryption
Password-protected devices
Automatic screen lock
OS updates and local antivirus use
Device Loss or Theft: Remote wipe capability is not currently implemented. In the event of device loss, access is immediately revoked and all credentials rotated.
Employee Offboarding - Upon employee termination, we:
Deactivate Google Workspace access
Rotate any shared credentials
Contractually require the return of company-issued devices
Revoke access to all other Taxwire-related databases and services
Background Checks: All employees undergo background checks via Checkr (through our PEO, Justworks) before access is granted to production systems or customer data.
Security Training: We conduct IT and security awareness reviews during company-wide all-hands approximately every six months.
Data Storage & Retention
Customer data from integrations is stored only as needed to support accurate tax reporting and filing. This includes:
Invoices and line items
Tax amounts and jurisdictional liabilities
Customer and transaction metadata relevant to filings
The majority of these records are automatically evicted after one year; we retain them for that period to support amended filings, refunds, and audits. However, certain metadata may be retained indefinitely for compliance tracking, analytics, and audit history, where legally permissible and contractually appropriate, so that we can effectively deliver tax-related services on behalf of our customers. As a policy, data is only retained indefinitely if it’s absolutely necessary for performing tax-related services for our customers.
All data is stored within our private AWS VPC in a private subnet, with access strictly limited to production personnel.
Data Deletion by Customer Requests or Offboarding
When a customer account is terminated (churned) or a deletion request is received, we initiate a secure data deletion process:
All customer-specific, tax-relevant data (e.g. invoices, transactions, tax liabilities, integration metadata) is scheduled for deletion within 30 days of churn or request.
Certain records may be retained for longer periods if required by law (e.g. for audit or statutory tax recordkeeping).
Customers may contact us at support+deletionrequests@taxwire.com to initiate early deletion or confirm removal of their data.
This process ensures we uphold principles of data minimization, security, and privacy, while remaining compliant with regulatory requirements.
Stripe Integration & Data Usage
Our Stripe integration is designed to facilitate tax calculations, nexus tracking, and tax filing automation:
Today, we calculate tax rates and insert them into Stripe invoices and subscriptions to support accurate and real-time calculation of sales tax.
We ingest the following data from Stripe to support tax reporting, nexus tracking, and jurisdiction-level filings:
Invoices and invoice line items
Payment status, amounts, and adjustments
Tax amounts collected and jurisdictional breakdowns
Product metadata and service descriptions
Customer location and billing details
Refunds, discounts, and credit notes
The ingested data is normalized into our internal format for tax liability calculations and jurisdiction-level filing preparation.
As with all integrations, we only store tax-relevant data necessary for compliance and audit purposes. Most data is retained for up to one year. Certain metadata (e.g., filing status, jurisdiction mappings) may be retained indefinitely for internal audit history and filing continuity.
All data is stored in a private subnet within our AWS VPC and protected under the same encryption, access control, and logging standards applied across all Taxwire systems.
Shopify Integration & Data Usage
Our Shopify integration is designed to facilitate tax reporting, nexus tracking, and tax filing automation:
Today, we ingest tax-relevant data from your Shopify store via read-only API access. This includes:
Order data (order amounts, line items, discounts)
Tax collected per order and per jurisdiction
Product SKUs and tax categories
Refunds and returns
Customer shipping and delivery addresses
Store-level location and configuration data
The ingested data is normalized into our internal format for tax liability calculations and jurisdiction-level filing preparation.
As with all integrations, we only store tax-relevant data necessary for compliance and audit purposes. Most data is retained for up to one year. Certain metadata (e.g., filing status, jurisdiction mappings) may be retained indefinitely for internal audit history and filing continuity.
QuickBooks Online Integration & Data Usage
Our QuickBooks Online (QBO) integration is designed to facilitate tax calculations, nexus tracking, and tax filing automation:
Today, we calculate tax rates and apply them to invoices created in QBO, ensuring accurate sales tax treatment across taxable transactions.
We also ingest tax-relevant data from QBO to support downstream tax reporting, nexus monitoring, and jurisdiction-level filings. This includes:
Invoices and invoice line items
Tax amounts collected per jurisdiction
Customer billing addresses and entity details
Product/service metadata and tax codes
Credit memos, refunds, and discounts
The ingested data is normalized into our internal format for tax liability calculations and jurisdiction-level filing preparation.
As with all integrations, we only store tax-relevant data necessary for compliance and audit purposes. Most data is retained for up to one year. Certain metadata (e.g., filing status, jurisdiction mappings) may be retained indefinitely for internal audit history and filing continuity.
All data is stored in a private subnet within our AWS VPC and protected under the same encryption, access control, and logging standards applied across all Taxwire systems.
We’re committed to maintaining the highest security standards possible as we build Taxwire.
If you have any questions or need further details, feel free to contact us at support+deletionrequests@taxwire.com.