Security Policy
Last Updated: July 28, 2025
Security & Data Protection at Taxwire
At Taxwire, safeguarding your data is a top priority. We take a rigorous, security-first approach to managing infrastructure, credentials, employee access, and customer data across all systems. Below is an overview of our current practices.
Credential & Access Management
Employee Credentials: All employee-accessible credentials are securely stored in an encrypted password manager (we use 1Password). Credentials are accessible only on an as-needed basis, and the most sensitive credentials are kept in a high-security vault accessible only to our CTO and CEO.
System Credentials: For credentials used by our systems (e.g., Stripe API keys), we:
- Encrypt them using AES-GCM encryption with a 12-byte random IV.
- Store them in a private AWS RDS database within a private subnet.
- Protect the encryption key using AWS KMS.
- Restrict AWS production account access to MFA-secured Google logins available only to our CTO.
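The AES-GCM scheme listed above can be sketched as follows. This is an added example, not Taxwire's code: the function names, the `iv || tag || ciphertext` storage layout, the associated-data string and the locally generated key (the policy describes protecting the key with AWS KMS) are all assumptions.

```javascript
// Added example: AES-256-GCM with a fresh 12-byte random IV per record.
const crypto = require("crypto");

const IV_LEN = 12;  // 96-bit IV, as stated in the policy
const TAG_LEN = 16; // 128-bit GCM authentication tag

// Encrypts one credential. `aad` binds the ciphertext to its context
// (for example the row it belongs to) without being encrypted itself.
function sealSecret(key, plaintext, aad) {
  const iv = crypto.randomBytes(IV_LEN); // never reuse an IV under one key
  const cipher = crypto.createCipheriv("aes-256-gcm", key, iv, { authTagLength: TAG_LEN });
  cipher.setAAD(Buffer.from(aad, "utf8"));
  const ct = Buffer.concat([cipher.update(plaintext, "utf8"), cipher.final()]);
  // Assumed stored format: iv || tag || ciphertext, base64-encoded.
  return Buffer.concat([iv, cipher.getAuthTag(), ct]).toString("base64");
}

// Returns the plaintext, or null if the blob, key or AAD do not match.
function openSecret(key, blob, aad) {
  const raw = Buffer.from(blob, "base64");
  if (raw.length < IV_LEN + TAG_LEN) return null;
  const iv = raw.subarray(0, IV_LEN);
  const tag = raw.subarray(IV_LEN, IV_LEN + TAG_LEN);
  const ct = raw.subarray(IV_LEN + TAG_LEN);
  try {
    const decipher = crypto.createDecipheriv("aes-256-gcm", key, iv, { authTagLength: TAG_LEN });
    decipher.setAAD(Buffer.from(aad, "utf8"));
    decipher.setAuthTag(tag);
    return Buffer.concat([decipher.update(ct), decipher.final()]).toString("utf8");
  } catch (err) {
    return null; // authentication failed: discard any partial output
  }
}

// Flips one bit of a stored blob to model corruption or tampering at rest.
function flipLastBit(blob) {
  const raw = Buffer.from(blob, "base64");
  raw[raw.length - 1] ^= 0x01;
  return raw.toString("base64");
}

// Constructed demo values; the key is generated locally for the demo only.
const demoKey = crypto.randomBytes(32);
const demoAad = "tenant:42/stripe_api_key";
const demoSecret = "constructed-api-key-value";
const demoBlob = sealSecret(demoKey, demoSecret, demoAad);
console.log(openSecret(demoKey, demoBlob, demoAad) === demoSecret);
```

Because the IV is random per call, encrypting the same credential twice yields different stored values, and any change to the blob, the key or the associated data makes decryption fail instead of returning altered plaintext.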
MFA Enforcement: All core systems are accessed via Google Workspace with MFA enabled. For services using shared credentials, we enforce 1Password + OTP-based MFA.
Endpoint Security & Personnel Practices
While we have not yet instituted formal MDM (mobile device management), we follow a set of policies and expectations to maintain device-level security:
Unmanaged Device Use: Employees may access company and customer systems from personally managed devices. However, all access is gated through SSO, credential managers, and MFA-secured services.
Security Hygiene - We strongly encourage:
- Full-disk encryption
- Password-protected devices
- Automatic screen lock
- OS updates and local antivirus use
Device Loss or Theft: Remote wipe capability is not currently implemented. In the event of device loss, access is immediately revoked and all credentials rotated.
Employee Offboarding - Upon employee termination, we:
- Deactivate Google Workspace access
- Rotate any shared credentials
- Contractually require the return of company-issued devices
- Revoke access to all other Taxwire-related databases and services
Background Checks: All employees undergo background checks via Checkr (through our PEO, Justworks) before access is granted to production systems or customer data.
Security Training: We conduct IT and security awareness reviews during company-wide all-hands approximately every six months.
Data Storage & Retention
Customer data from integrations is stored only as needed to support accurate tax reporting and filing. This includes:
- Invoices and line items
- Tax amounts and jurisdictional liabilities
- Customer and transaction metadata relevant to filings
The majority of these records are automatically evicted after one year; we retain them for that period to support amended filings, refunds, and audits. However, certain metadata may be retained indefinitely for compliance tracking, analytics, and audit history, where legally permissible and contractually appropriate, so that we can effectively deliver tax-related services on behalf of our customers. As a policy, data is only retained indefinitely if it is absolutely necessary to perform tax-related services for our customers.
All data is stored within our private AWS VPC in a private subnet, with access strictly limited to production personnel.
Data Deletion by Customer Requests or Offboarding
When a customer account is terminated (churned) or a deletion request is received, we initiate a secure data deletion process:
- All customer-specific, tax-relevant data (e.g. invoices, transactions, tax liabilities, integration metadata) is scheduled for deletion within 30 days of churn or request.
- Certain records may be retained for longer periods if required by law (e.g. for audit or statutory tax recordkeeping).
- Customers may contact us at support+deletionrequests@taxwire.com to initiate early deletion or confirm removal of their data.
This process ensures we uphold principles of data minimization, security, and privacy, while remaining compliant with regulatory requirements.
Stripe Integration & Data Usage
Our Stripe integration is designed to facilitate tax calculations, nexus tracking, and tax filing automation:
- Today, we calculate tax rates and insert them into Stripe invoices and subscriptions to support accurate and real-time calculation of sales tax.
- We ingest the following data from Stripe to support tax reporting, nexus tracking, and jurisdiction-level filings:
  - Invoices and invoice line items
  - Payment status, amounts, and adjustments
  - Tax amounts collected and jurisdictional breakdowns
  - Product metadata and service descriptions
  - Customer location and billing details
  - Refunds, discounts, and credit notes
- The ingested data is normalized into our internal format for tax liability calculations and jurisdiction-level filing preparation.
- As with all integrations, we only store tax-relevant data necessary for compliance and audit purposes. Most data is retained for up to one year. Certain metadata (e.g., filing status, jurisdiction mappings) may be retained indefinitely for internal audit history and filing continuity.
- All data is stored in a private subnet within our AWS VPC and protected under the same encryption, access control, and logging standards applied across all Taxwire systems.
Shopify Integration & Data Usage
Our Shopify integration is designed to facilitate tax reporting, nexus tracking, and tax filing automation:
- Today, we ingest tax-relevant data from your Shopify store via read-only API access. This includes:
  - Order data (order amounts, line items, discounts)
  - Tax collected per order and per jurisdiction
  - Product SKUs and tax categories
  - Refunds and returns
  - Customer shipping and delivery addresses
  - Store-level location and configuration data
- The ingested data is normalized into our internal format for tax liability calculations and jurisdiction-level filing preparation.
- As with all integrations, we only store tax-relevant data necessary for compliance and audit purposes. Most data is retained for up to one year. Certain metadata (e.g., filing status, jurisdiction mappings) may be retained indefinitely for internal audit history and filing continuity.
QuickBooks Online Integration & Data Usage
Our QuickBooks Online (QBO) integration is designed to facilitate tax calculations, nexus tracking, and tax filing automation:
- Today, we calculate tax rates and apply them to invoices created in QBO, ensuring accurate sales tax treatment across taxable transactions.
- We also ingest tax-relevant data from QBO to support downstream tax reporting, nexus monitoring, and jurisdiction-level filings. This includes:
  - Invoices and invoice line items
  - Tax amounts collected per jurisdiction
  - Customer billing addresses and entity details
  - Product/service metadata and tax codes
  - Credit memos, refunds, and discounts
- The ingested data is normalized into our internal format for tax liability calculations and jurisdiction-level filing preparation.
- As with all integrations, we only store tax-relevant data necessary for compliance and audit purposes. Most data is retained for up to one year. Certain metadata (e.g., filing status, jurisdiction mappings) may be retained indefinitely for internal audit history and filing continuity.
- All data is stored in a private subnet within our AWS VPC and protected under the same encryption, access control, and logging standards applied across all Taxwire systems.
We’re committed to maintaining the highest security standards possible as we build Taxwire.
If you have any questions or need further details, feel free to contact us at support+deletionrequests@taxwire.com.