Security
Security model
Sensitive tax data should travel only when it has to.
TakoTax reduces server-side tax data exposure by doing document parsing, calculation, project saving, and form generation in the browser during normal preparation.
Server-side exposure is intentionally limited
TakoTax servers are designed to serve:
- The web application
- Static assets and WebAssembly bundles
- Operational logs and scrubbed diagnostics
During normal preparation, they are not designed to hold uploaded documents, extracted values, in-progress returns, generated forms, or tax identifiers entered into the app.
No third-party document extraction in normal prep
Uploaded documents are parsed locally in the browser. TakoTax does not send your tax documents to third-party extraction systems during normal preparation.
Your device still matters
Local-first preparation reduces server exposure, but it does not secure your personal device for you. Use a device you control, keep it updated, use a screen lock, and avoid shared or public computers.
Written Information Security Plan
TakoTax maintains a Written Information Security Plan (WISP) aligned with IRS Publication 4557 (Safeguarding Taxpayer Data) and the Federal Trade Commission Safeguards Rule. The plan covers data inventory and classification, access control, multi-factor authentication on administrative systems, encryption in transit and at rest where server-side storage is used, logging rules that avoid recording tax return contents, vendor security review, employee and contractor training, retention and disposal, and incident response. The plan is reviewed at least annually and after any material change to systems handling taxpayer data.
Safeguards that apply when e-file is enabled
If built-in e-file is enabled later, additional safeguards apply to server-side records that the IRS requires online providers to retain:
- End-to-end encryption of returns transmitted to the IRS Modernized e-File system, using IRS-approved transport security
- Encryption at rest for stored e-file records (the signed authorization, the transmitted return, and the IRS acknowledgement)
- Strict access control and MFA on personnel access to taxpayer data systems
- Independent storage of IRS credentials (EFIN/ETIN, signing certificates, A2A credentials) with key-rotation and key-storage requirements
- Logging and monitoring designed to avoid recording return contents while still supporting incident detection
- Mandatory vendor security review for any service provider that touches taxpayer data, including transmission, identity verification (if used), and payment processing
Incident response
TakoTax maintains an incident response plan covering severity classification, internal roles, evidence preservation, containment and eradication, recovery, and post-incident review. The plan defines the IRS and state reporting paths for suspected taxpayer-data exposure, including IRS Stakeholder Liaison contact and applicable state notification requirements. TakoTax will notify affected users without unreasonable delay when required by law.
Vulnerability reporting
Security reports should be sent to [email protected]. Do not include sensitive personal information in a report. See the full vulnerability disclosure policy.