Security & Compliance
Tax data demands the highest security standards. TaxSort AI is built with SOC2-ready practices from day one.
AES-256-GCM Encryption
TIN and SSN fields are encrypted at the application level using AES-256-GCM before database storage. Never stored in plain text.
Signed Document URLs
Uploaded tax documents are stored with time-limited signed URLs. Access expires automatically — no permanent public links.
Role-Based Access Control
USER and ADMIN roles enforced by middleware guards. The dashboard requires authentication; admin routes additionally require the ADMIN role.
Audit Logging
Every data access, classification, and export is logged with user ID, timestamp, and action details. Full audit trail for compliance.
GDPR Data Deletion
Complete data deletion endpoint removes all user, client, document, and classification data. Right to erasure fully supported.
7 Security Headers
HSTS with preload, CSP, X-Frame-Options DENY, X-Content-Type-Options, XSS Protection, Referrer-Policy, Permissions-Policy.
Input Validation
Zod schema validation on every API input. Zero-trust approach — all data is validated server-side before processing.
Webhook HMAC Verification
Stripe webhooks are verified with an HMAC signature, a timestamp age check (300s max), and event deduplication.
Data Handling Principles
- TIN/SSN never stored in plain text, never logged, never sent to client-side JavaScript
- File uploads restricted to PDF, PNG, JPG — max 15MB with type validation
- JWT sessions with 1-hour expiry and secure HttpOnly cookies
- All database queries parameterized via Prisma — SQL injection impossible
- Environment variables server-only — never exposed to the browser
- Rate limiting per user per endpoint based on subscription plan
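The upload restriction in the list above (PDF, PNG, JPG; 15MB maximum; type validation) is worth making concrete, because the client-supplied Content-Type and file extension are both under the uploader's control. This added example, which is not TaxSort AI's own code, checks the file's leading bytes against the magic numbers of the three permitted formats, enforces the size cap, and requires the declared extension to agree with the sniffed content. The return shape and reason strings are assumptions.

```javascript
// Added example: server-side upload validation by content, size and extension.
// Not TaxSort AI's code; return shape and reason strings are assumptions.
const MAX_UPLOAD_BYTES = 15 * 1024 * 1024;

// Magic-number signatures for the permitted formats.
const SIGNATURES = [
  { type: "pdf", ext: ["pdf"], magic: Buffer.from("%PDF-", "ascii") },
  { type: "png", ext: ["png"], magic: Buffer.from([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a]) },
  { type: "jpeg", ext: ["jpg", "jpeg"], magic: Buffer.from([0xff, 0xd8, 0xff]) },
];

// Identify the format from the file's own bytes, ignoring any declared type.
function sniffType(bytes) {
  for (const s of SIGNATURES) {
    if (bytes.length >= s.magic.length && bytes.subarray(0, s.magic.length).equals(s.magic)) {
      return s;
    }
  }
  return null;
}

// Validate an upload. `bytes` is the received file content as a Buffer.
function validateUpload(filename, bytes) {
  if (bytes.length === 0) return { ok: false, reason: "empty file" };
  if (bytes.length > MAX_UPLOAD_BYTES) return { ok: false, reason: "exceeds 15MB limit" };
  const sig = sniffType(bytes);
  if (!sig) return { ok: false, reason: "unsupported file type" };
  // The extension must match what the bytes say the file is, so a renamed
  // file of another type is refused even if its content is otherwise allowed.
  const ext = (String(filename).split(".").pop() || "").toLowerCase();
  if (!sig.ext.includes(ext)) {
    return { ok: false, reason: `extension .${ext} does not match ${sig.type} content` };
  }
  return { ok: true, reason: "accepted", type: sig.type };
}
```

Magic-number checks establish the container format only; a file that passes is still untrusted input for whatever parser (PDF renderer, image decoder) processes it next, so that stage belongs in an isolated worker with its own resource limits.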