Trust Center
Tax documents are some of the most sensitive data you own. Here’s how we look after them.
SendTax holds W-2s, IDs, K-1s, and the other documents you share with your preparer. This page is the single source of truth for our security program — the policies that govern it, the vendors that touch it, and how to reach us if something looks wrong.
The short version
We don't read your documents.
Nobody at SendTax can open the files you upload without two things: your explicit permission, and a documented reason — like resolving an issue you've asked us to fix.
Every access is logged, attributed to a named person, and auditable. The default state is private. That doesn't change without you.
Where we are on compliance
SendTax is a new company. Rather than wave compliance badges we haven’t earned, here is exactly where each framework stands today — and where we’re heading.
IRS Pub. 4557 / FTC Safeguards Rule
AlignedOur WISP implements the safeguards required of professional tax preparers — administrative, technical, and physical controls written down and reviewed annually.
SOC 2 Type II
In progressFirst report target: 2027
We are building the control evidence catalogue that maps to the AICPA Trust Services Criteria. Audit firm to be selected after our first full operating year.
Annual third-party penetration test
PlannedFirst test: Q4 2026
External application + infrastructure pentest, scheduled annually and after material architecture changes. Findings tracked to closure with severity-based SLAs.
CCPA / CPRA (California)
AlignedCalifornia residents have rights under the CCPA/CPRA to access, correct, delete, and limit use of their personal information. Our Privacy Policy and Data Retention & Deletion Policy describe how to exercise them; requests go to [email protected].
GDPR / UK GDPR
N/ASendTax operates only in the United States. We do not knowingly serve EU/UK data subjects; if that changes, we will update this page first.
At a glance
The defaults that ship with every SendTax account.
- Data residency
- United States only
- All processing and storage runs in U.S. regions.
- Encryption in transit
- TLS 1.3
- Strict HSTS; modern cipher suites only.
- Encryption at rest
- AES-256-GCM
- Per-document envelope encryption; KEKs in Google Cloud KMS.
- Identity
- Clerk + MFA
- Phishing-resistant MFA for operators; environment-segmented.
- Access
- Row-Level Security
- Filer-owned data; access enforced in PostgreSQL, not just app code.
- Logging
- Audit trail by default
- Authentication, access, and document events kept for ≥1 year.
Policies & documents
Every policy that governs SendTax. Read them on this site, or download the PDF for your own records.
Security
How we protect customer data — controls, access, encryption, and response.
Information Security
The technical and operational controls SendTax uses to protect tax and identity information.
Access Control Policy
How access to SendTax systems and customer data is granted, reviewed, and revoked.
Encryption Policy
Cryptographic standards, algorithms, and key-management practices.
Incident Response Policy
How SendTax detects, contains, communicates about, and learns from security incidents.
Operations
How we run the service reliably and manage change.
Business Continuity & Disaster Recovery
How we keep the service available during disruption — and how we recover when something breaks.
Change Management Policy
How changes to code, infrastructure, and procedures are proposed, reviewed, and deployed.
Vendor Management Policy
How third-party vendors and sub-processors are selected, monitored, and removed.
Data handling
What we collect, how long we keep it, and how vendors are governed.
Data Retention & Deletion Policy
How long SendTax retains customer data, what triggers deletion, and how to exercise access and erasure rights.
Written Information Security Program (WISP)
The administrative, technical, and physical safeguards SendTax maintains under IRS Pub. 4557 / FTC Safeguards Rule.
Sub-processors
The third-party services that may process customer personal data on SendTax’s behalf.
Acceptable use
How the platform is meant to be used.
Who else touches your data
The third parties that process customer data on SendTax’s behalf. All Tier 1 sub-processors are U.S.-based.
Fly.io
Application hosting + managed Postgres/Redis

Cloudflare R2
Document storage (envelope-encrypted)

Google Cloud KMS
Key custody for envelope encryption

Clerk
Authentication + identity
Stripe Identity
KYC verification (government ID + selfie) — 90-day retention
Resend
Transactional + inbound email
Sentry
Error monitoring (scrubbed)
PostHog
Product analytics — no PII, no session recording

Modal
Cloud ML inference for document classification
Reach the security team
We respond to security concerns from anyone — customers, researchers, regulators. If you’ve found something that looks wrong, we want to hear about it.
Please do not include sensitive customer data (full SSN, document images) in the initial email; we’ll provide a secure channel after we acknowledge.
Security disclosures
[email protected]Vulnerabilities, suspected incidents, anything you’d rather not say in public.
Privacy & sub-processor questions
[email protected]Data subject requests, sub-processor objections, contract questions.
Everything else
[email protected]General inquiries — we’ll route from there.