FinishTax handles Social Security Numbers, tax documents, and signatures. Here is exactly how we protect them — down to the algorithm — so you can answer your clients with confidence.
Security isn't a page we bolted on — it's built into how FinishTax stores, transmits, and grants access to every record. Below is a plain-English account of the protections in place, and what they mean for you and your clients.
Sensitive data is encrypted before it is written to disk and again as it moves across the network.
Social Security Numbers and other sensitive fields are encrypted with authenticated AES-256-GCM before they ever touch the database.
When you link Gmail, Outlook, Google Calendar, or QuickBooks, the OAuth access and refresh tokens are encrypted at rest with the same AES-256-GCM scheme.
All traffic between your browser, our servers, and our providers is protected in transit with TLS (1.2+). Your data is never sent over an unencrypted connection.
Cloud data is stored in US-based infrastructure built on SOC 2-compliant providers, and is accessible only through your authenticated account.
Getting into an account is deliberately hard for everyone but you.
Passwords are never stored in plain text. They are hashed with bcrypt (cost factor 12), so even we cannot read them.
Turn on 2FA using any authenticator app (TOTP). You also get single-use backup codes for the day you lose your phone.
Access tokens are short-lived (15 minutes) and refreshed through an httpOnly, Secure, SameSite cookie that JavaScript can't read — limiting the blast radius if a token ever leaks.
Login and 2FA attempts are rate-limited, and abusive IP addresses can be blocked outright — so guessing attacks fizzle out fast.
Signing Form 8879 electronically has real compliance requirements. FinishTax is built to meet them.
Collect authorizing signatures on Form 8879 (and other documents) electronically, through a signing flow built to satisfy the IRS Pub 1345 remote-signing requirements.
Before a remote signer signs, they complete a government-ID + selfie check at NIST IAL2 through our verification provider, Persona.
We compute a SHA-256 hash of every document at send time and again at signing. If the file changed in between, we flag it — the signature only stands on the document you sent.
Every completed signature produces a certificate with the document details, original and signed hashes, and a full audit trail of the signing events.
On team plans, everyone sees exactly what they should — and every important action is recorded.
Permissions are controlled through 30 distinct permission keys across clients, documents, financials, communication, workflow, and administration — grouped into five ready-made role templates you can customize.
Client access can be scoped so a team member sees all clients, only the clients assigned to them, or none — the same applies to client messages.
A per-client activity timeline records who did what and when, and administrative actions are captured in a separate audit log with actor and timestamp.
All card payments are processed by Stripe through its hosted checkout and billing portal. Full card numbers never touch — and are never stored on — FinishTax servers.
Proven, managed building blocks — not homegrown storage.
Cloud data is stored in US-based infrastructure built on SOC 2-compliant providers. Records are held in an encrypted, SSL-connected PostgreSQL database, and uploaded documents are stored in S3-compatible object storage (Supabase Storage, with Cloudflare R2 support).
All data is encrypted at rest (AES-256) and in transit (TLS 1.2+), and is accessible only through your authenticated account. For the full list of the subprocessors we rely on and the data each one handles, see our Privacy Policy.
As a paid preparer, you have data-security duties under IRS Publication 4557 and the FTC Safeguards Rule. FinishTax gives you concrete tools to help satisfy them.
FinishTax helps you put the IRS Publication 4557 safeguards into practice with encrypted storage of taxpayer data, multi-factor authentication, and access controls for your staff.
FinishTax helps you meet key elements of the FTC Safeguards Rule through encryption of customer information, per-user access limits, and activity logging you can point to during a review.
Export a complete backup of your clients, tasks, invoices, files, and activity as a single JSON file at any time — a portable copy you fully control.
You can permanently delete your account from the app. It removes your stored files and associated records — no lingering copies to worry about.
The questions tax professionals ask us most.
Start free and see the protections for yourself, or dig into the pricing that fits your firm. No credit card required to begin.