Security
Security model
Sensitive tax data should travel only when it has to.
tako.tax reduces server-side tax data exposure by doing document parsing, calculation, project saving, and form generation in the browser during normal preparation.
Server-side exposure is intentionally limited
tako.tax servers are designed to serve:
- The web application
- Static assets and WebAssembly bundles
- Operational logs and scrubbed diagnostics
During normal preparation, they are not designed to hold uploaded documents, extracted values, in-progress returns, generated forms, or tax identifiers entered into the app.
No third-party document extraction in normal prep
Uploaded documents are parsed locally in the browser. tako.tax does not send your tax documents to third-party extraction systems during normal preparation.
Your device still matters
Local-first preparation reduces server exposure, but it does not secure your personal device for you. Use a device you control, keep it updated, use a screen lock, and avoid shared or public computers.
Vulnerability reporting
Security reports should be sent to [email protected]. Do not include sensitive personal information in a report. See the full vulnerability disclosure policy.