Trust Center

Tax documents are some of the most sensitive data you own. Here’s how we look after them.

SendTax holds W-2s, IDs, K-1s, and the other documents you share with your preparer. This page is the single source of truth for our security program — the policies that govern it, the vendors that touch it, and how to reach us if something looks wrong.

The short version

We don't read your documents.

Nobody at SendTax can open the files you upload without two things: your explicit permission, and a documented reason — like resolving an issue you've asked us to fix.

Every access is logged, attributed to a named person, and auditable. The default state is private. That doesn't change without you.

Where we are on compliance

SendTax is a new company. Rather than wave compliance badges we haven’t earned, here is exactly where each framework stands today — and where we’re heading.

  • IRS Pub. 4557 / FTC Safeguards Rule

    Aligned

    Our WISP implements the safeguards required of professional tax preparers — administrative, technical, and physical controls written down and reviewed annually.

  • SOC 2 Type II

    In progress

    First report target: 2027

    We are building the control evidence catalogue that maps to the AICPA Trust Services Criteria. Audit firm to be selected after our first full operating year.

  • Annual third-party penetration test

    Planned

    First test: Q4 2026

    External application + infrastructure pentest, scheduled annually and after material architecture changes. Findings tracked to closure with severity-based SLAs.

  • CCPA / CPRA (California)

    Aligned

    California residents have rights under the CCPA/CPRA to access, correct, delete, and limit use of their personal information. Our Privacy Policy and Data Retention & Deletion Policy describe how to exercise them; requests go to [email protected].

  • GDPR / UK GDPR

    N/A

    SendTax operates only in the United States. We do not knowingly serve EU/UK data subjects; if that changes, we will update this page first.

At a glance

The defaults that ship with every SendTax account.

Data residency
United States only
All processing and storage runs in U.S. regions.
Encryption in transit
TLS 1.3
Strict HSTS; modern cipher suites only.
Encryption at rest
AES-256-GCM
Per-document envelope encryption; KEKs in Google Cloud KMS.
Identity
Clerk + MFA
Phishing-resistant MFA for operators; environment-segmented.
Access
Row-Level Security
Filer-owned data; access enforced in PostgreSQL, not just app code.
Logging
Audit trail by default
Authentication, access, and document events kept for ≥1 year.

Policies & documents

Every policy that governs SendTax. Read them on this site, or download the PDF for your own records.

Security

How we protect customer data — controls, access, encryption, and response.

Operations

How we run the service reliably and manage change.

Data handling

What we collect, how long we keep it, and how vendors are governed.

Acceptable use

How the platform is meant to be used.

Who else touches your data

The third parties that process customer data on SendTax’s behalf. All Tier 1 sub-processors are U.S.-based.

View the full list
  • Fly.io

    Application hosting + managed Postgres/Redis

  • Cloudflare R2

    Document storage (envelope-encrypted)

  • Google Cloud KMS

    Key custody for envelope encryption

  • Clerk

    Authentication + identity

  • Stripe Identity

    KYC verification (government ID + selfie) — 90-day retention

  • Resend

    Transactional + inbound email

  • Sentry

    Error monitoring (scrubbed)

  • PostHog

    Product analytics — no PII, no session recording

  • Modal

    Cloud ML inference for document classification

Reach the security team

We respond to security concerns from anyone — customers, researchers, regulators. If you’ve found something that looks wrong, we want to hear about it.

Please do not include sensitive customer data (full SSN, document images) in the initial email; we’ll provide a secure channel after we acknowledge.

  • Security disclosures

    [email protected]

    Vulnerabilities, suspected incidents, anything you’d rather not say in public.

  • Privacy & sub-processor questions

    [email protected]

    Data subject requests, sub-processor objections, contract questions.

  • Everything else

    [email protected]

    General inquiries — we’ll route from there.