Security at TaxClip
Last updated: March 4, 2026
1. Encryption
All data is encrypted both in transit and at rest:
- In Transit: All communications between your browser and our servers are encrypted using TLS 1.3 (Transport Layer Security).
- At Rest: Your receipt images and extracted data are encrypted using AES-256 encryption in our database and storage systems.
- Passwords: User passwords are hashed using bcrypt, which applies a unique salt to each password, so stored hashes cannot be reversed or decrypted.
2. AI & Receipt Security
Your receipt data is handled with the highest level of security during AI processing:
- Encrypted Transmission: Receipt images are transmitted to AI services using TLS 1.3 encryption.
- Encrypted Storage: All receipt images are stored using AES-256 encryption at rest.
- No AI Training: Receipt images are NOT used for AI model training.
- US-Based Processing: AI processing occurs on US-based servers.
- Real-Time Processing: AI providers process receipt data in real-time and do not retain it after processing.
3. Infrastructure Security
We use trusted, enterprise-grade infrastructure providers:
| Component | Provider | Security Standard |
|---|---|---|
| Database | Supabase (AWS) | SOC 2 Type II |
| Hosting | Vercel | SOC 2 Type II |
| Billing | Lemon Squeezy | PCI DSS compliant |
| Auth | Supabase Auth | OAuth 2.0 |
| AI Processing | OpenAI | SOC 2 Type II |
- Cloud Hosting: Our application is hosted on Vercel with automatic DDoS protection and global CDN.
- Database: We use Supabase (built on AWS) with automated backups, point-in-time recovery, and row-level security.
- File Storage: Receipt images are stored in isolated, encrypted storage buckets with strict access controls.
4. Authentication & Access Control
- Secure Authentication: We support email/password, Google OAuth, and GitHub OAuth for secure sign-in.
- Session Management: Sessions are securely managed with automatic expiration and secure cookie handling.
- Row-Level Security: Database policies ensure users can only access their own data — no exceptions.
- API Security: All API endpoints are authenticated and rate-limited to prevent abuse.
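As an added illustration of the row-level security point above (example configuration, not TaxClip's own schema or policies), here is how a Postgres table can be locked down so that each authenticated user sees only their own rows. The `receipts` table, its columns and the policy names are assumptions; `auth.uid()` is the Supabase helper that returns the subject of the caller's JWT.

```sql
-- Added example (not TaxClip's own schema): Postgres row-level security in the
-- style Supabase uses. Table and column names are assumptions for illustration.
create table if not exists receipts (
  id          uuid primary key default gen_random_uuid(),
  user_id     uuid not null references auth.users (id),
  image_path  text not null,
  total_cents integer,
  created_at  timestamptz not null default now()
);

-- Until RLS is enabled, any role with table privileges can read every row.
alter table receipts enable row level security;

-- Weak setting (kept only as a contrast, do not enable): a policy that
-- always evaluates true grants every authenticated user every row.
-- create policy "receipts_any" on receipts for select using (true);

-- Corrected: the database itself compares the row's owner to the JWT subject
-- of the caller, so a client cannot widen the result set by changing filters.
-- auth.uid() returns null for anonymous callers, which denies them every row.
create policy "receipts_select_own" on receipts
  for select using (auth.uid() = user_id);

create policy "receipts_insert_own" on receipts
  for insert with check (auth.uid() = user_id);

create policy "receipts_update_own" on receipts
  for update using (auth.uid() = user_id)
  with check (auth.uid() = user_id);

create policy "receipts_delete_own" on receipts
  for delete using (auth.uid() = user_id);
```

Two caveats a practitioner would check: the Supabase `service_role` key bypasses RLS, so any server-side code using it must enforce ownership itself; and a table with RLS enabled but no policy for a given operation denies that operation entirely, so each of select, insert, update and delete needs an explicit policy. A quick verification is to query the table as an ordinary authenticated user and confirm that rows with another `user_id` are simply absent from the result.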
5. What We Never Do
- We never sell your personal data or receipt information to third parties
- We never use your receipt data for AI model training
- We never access your tax data without your permission
- We never store credit card numbers on our servers
- We never send your data to the IRS directly
6. Data Privacy
- Data Isolation: Each user's data is logically separated and inaccessible to other users.
- No Data Selling: We never sell your personal information or receipt data to third parties.
- Minimal Access: Only essential personnel have access to production systems, and all access is logged.
7. Backup & Recovery
- Automated Backups: Your data is automatically backed up daily with point-in-time recovery capability.
- Geographic Redundancy: Backups are stored in multiple geographic locations to ensure data durability.
- Disaster Recovery: We have documented procedures to restore service quickly in case of any incident.
8. Payment Security
- PCI Compliance: All payment processing is handled by Lemon Squeezy, which is PCI DSS compliant.
- No Card Storage: We never store your full credit card numbers on our servers.
- Secure Checkout: All payment pages are served over HTTPS with additional fraud prevention measures.
9. Security Monitoring
- 24/7 Monitoring: Our infrastructure is continuously monitored for security threats and anomalies.
- Logging: All system access and API calls are logged and retained for security analysis.
- Incident Response: We have established procedures to respond to and communicate about any security incidents.
10. Your Security Responsibilities
To help keep your account secure, we recommend:
- Use a strong, unique password for your TaxClip account
- Don't share your login credentials with others
- Log out when using shared or public computers
- Keep your browser and devices updated with the latest security patches
- Report any suspicious activity to us immediately
11. Vulnerability Disclosure
If you discover a security vulnerability, we encourage responsible disclosure. To report a security issue:
Email: support@taxclip.co
Subject Line: [SECURITY] Brief description of the issue
- We will acknowledge your report within 48 hours
- We will provide a detailed response within 7 business days
- We will not take legal action against good-faith security researchers
12. Data Breach Notification Policy
In the event of a data breach:
- Affected users will be notified within 72 hours of discovering the breach (CCPA requirement)
- Notification will include details about what data was affected and steps being taken
- We will provide guidance on actions you can take to protect yourself
- Relevant regulatory authorities will be notified as required by law
13. Questions?
If you have any questions about our security practices, please don't hesitate to reach out:
Email: support@taxclip.co
Website: https://taxclip.co