Security & Compliance

Your clients' data deserves bank-grade protection

FinishTax handles Social Security Numbers, tax documents, and signatures. Here is exactly how we protect them — down to the algorithm — so you can answer your clients with confidence.

AES-256 encryption SOC 2-compliant infrastructure NIST IAL2 identity checks Payments by Stripe

Security isn't a page we bolted on — it's built into how FinishTax stores, transmits, and grants access to every record. Below is a plain-English account of the protections in place, and what they mean for you and your clients.

Encryption everywhere

Sensitive data is encrypted before it is written to disk and again as it moves across the network.

Encrypted at rest

Social Security Numbers and other sensitive fields are encrypted with authenticated AES-256-GCM before they ever touch the database.

  • Each value uses a unique initialization vector and authentication tag
  • The app refuses to start in production without a valid encryption key

Connected accounts stay encrypted

When you link Gmail, Outlook, Google Calendar, or QuickBooks, the OAuth access and refresh tokens are encrypted at rest with the same AES-256-GCM scheme.

  • Tokens are decrypted only in memory, at the moment of use

Encrypted in transit

All traffic between your browser, our servers, and our providers is protected in transit with TLS (1.2+). Your data is never sent over an unencrypted connection.

SOC 2-compliant foundation

Cloud data is stored in US-based infrastructure built on SOC 2-compliant providers, and is accessible only through your authenticated account.

Account & access security

Getting into an account is deliberately hard for everyone but you.

Hashed passwords

Passwords are never stored in plain text. They are hashed with bcrypt (cost factor 12), so even we cannot read them.

Two-factor authentication

Turn on 2FA using any authenticator app (TOTP). You also get single-use backup codes for the day you lose your phone.

  • Ten one-time backup codes, stored only as hashes

Short-lived sessions

Access tokens are short-lived (15 minutes) and refreshed through an httpOnly, Secure, SameSite cookie that JavaScript can't read — limiting the blast radius if a token ever leaks.

Brute-force protection

Login and 2FA attempts are rate-limited, and abusive IP addresses can be blocked outright — so guessing attacks fizzle out fast.

E-signature & identity, done to IRS standards

Signing Form 8879 electronically has real compliance requirements. FinishTax is built to meet them.

IRS Form 8879 e-signing

Collect authorizing signatures on Form 8879 (and other documents) electronically, built to satisfy the IRS Pub 1345 remote-signing requirements.

NIST IAL2 identity verification

Before a remote signer signs, they complete a government-ID + selfie check at NIST IAL2 through our verification provider, Persona.

  • Each verification is bound to its signing session to prevent reuse

Tamper-evident documents

We compute a SHA-256 hash of every document at send time and again at signing. If the file changed in between, we flag it — the signature only stands on the document you sent.

Completion certificates

Every completed signature produces a certificate with the document details, original and signed hashes, and a full audit trail of the signing events.

Team permissions & auditability

On team plans, everyone sees exactly what they should — and every important action is recorded.

Granular role-based access

Permissions are controlled through 30 distinct permission keys across clients, documents, financials, communication, workflow, and administration — grouped into five ready-made role templates you can customize.

  • Roles like Preparer, Bookkeeper, Admin Assistant, and View Only

Scoped client visibility

Client access can be scoped so a team member sees all clients, only the clients assigned to them, or none — the same applies to client messages.

Activity & audit logs

A per-client activity timeline records who did what and when, and administrative actions are captured in a separate audit log with actor and timestamp.

Payments handled by Stripe

All card payments are processed by Stripe through its hosted checkout and billing portal. Full card numbers never touch — and are never stored on — FinishTax servers.

Infrastructure

Proven, managed building blocks — not homegrown storage.

Where your data lives

Cloud data is stored in US-based infrastructure built on SOC 2-compliant providers. Records are held in an encrypted, SSL-connected PostgreSQL database, and uploaded documents are stored in S3-compatible object storage (Supabase Storage, with Cloudflare R2 support).

All data is encrypted at rest (AES-256) and in transit (TLS 1.2+), and is accessible only through your authenticated account. For the full list of the subprocessors we rely on and the data each one handles, see our Privacy Policy.

Helping you meet your own obligations

As a paid preparer, you have data-security duties under IRS Publication 4557 and the FTC Safeguards Rule. FinishTax gives you concrete tools to help satisfy them.

IRS Pub 4557 safeguards

FinishTax helps you put the IRS Publication 4557 safeguards into practice with encrypted storage of taxpayer data, multi-factor authentication, and access controls for your staff.

FTC Safeguards Rule

FinishTax helps you meet key elements of the FTC Safeguards Rule through encryption of customer information, per-user access limits, and activity logging you can point to during a review.

Your data stays yours

Export a complete backup of your clients, tasks, invoices, files, and activity as a single JSON file at any time — a portable copy you fully control.

Delete your account

You can permanently delete your account from the app. It removes your stored files and associated records — no lingering copies to worry about.

An honest note on certifications. FinishTax runs on SOC 2-compliant infrastructure and is built to support the standards above, but using FinishTax does not by itself make your firm compliant — your written information security plan (WISP) and day-to-day practices matter too. We give you the technical building blocks; you own how they're used.

Security FAQ

The questions tax professionals ask us most.

FinishTax runs on SOC 2-compliant infrastructure — the managed cloud providers we build on maintain SOC 2 controls. We describe our platform's foundation as SOC 2-compliant infrastructure rather than claiming a certification of the FinishTax application itself.
SSNs and other sensitive fields are encrypted with authenticated AES-256-GCM before they are written to the database, each with a unique initialization vector and authentication tag. They are decrypted only in memory when needed, and in production the app will not start without a valid encryption key configured.
Yes. You can enable 2FA with any authenticator app that supports TOTP (such as Google Authenticator or Authy), and you receive ten single-use backup codes for account recovery. Backup codes are stored only as hashes.
FinishTax supports electronic signing of IRS Form 8879 built to satisfy the IRS Pub 1345 remote-signing requirements, including NIST IAL2 identity verification (government ID + selfie) through Persona, tamper-evident SHA-256 document hashing, and a completion certificate with a full audit trail.
No. All card payments are handled by Stripe through its hosted checkout and billing portal. Full card numbers never touch — and are never stored on — FinishTax servers.
Yes. On team plans, access is governed by 30 permission keys and five customizable role templates, and client visibility can be scoped to all clients, only assigned clients, or none. Administrative and per-client activity is recorded in audit and activity logs.
Yes to both. You can export a full JSON backup of your clients, tasks, invoices, files, and activity at any time, and you can permanently delete your account from within the app, which removes your stored files and associated records. See our Privacy Policy for details on retention.

Security you can put in writing

Start free and see the protections for yourself, or dig into the pricing that fits your firm. No credit card required to begin.