TaxClip

Security at TaxClip

Last updated: January 13, 2026

Your Data Security is Our Priority

At TaxClip, we understand that you're trusting us with sensitive financial information. We take this responsibility seriously and implement industry-leading security measures to protect your data.

1. Encryption

All data is encrypted both in transit and at rest:

  • In Transit: All communications between your browser and our servers are encrypted using TLS 1.3 (Transport Layer Security).
  • At Rest: Your receipt images and extracted data are encrypted using AES-256 encryption in our database and storage systems.
  • Passwords: User passwords are hashed using bcrypt with salt, ensuring they cannot be reversed or decrypted.

2. Infrastructure Security

We use trusted, enterprise-grade infrastructure providers:

  • Cloud Hosting: Our application is hosted on Vercel with automatic DDoS protection and global CDN.
  • Database: We use Supabase (built on AWS) with automated backups, point-in-time recovery, and row-level security.
  • File Storage: Receipt images are stored in isolated, encrypted storage buckets with strict access controls.

3. Authentication & Access Control

  • Secure Authentication: We support email/password and Google OAuth for secure sign-in.
  • Session Management: Sessions are securely managed with automatic expiration and secure cookie handling.
  • Row-Level Security: Database policies ensure users can only access their own data—no exceptions.
  • API Security: All API endpoints are authenticated and rate-limited to prevent abuse.

4. Data Privacy

  • Data Isolation: Each user's data is logically separated and inaccessible to other users.
  • No Data Selling: We never sell your personal information or receipt data to third parties.
  • Minimal Access: Only essential personnel have access to production systems, and all access is logged.
  • AI Processing: Receipt data sent to AI services for OCR is processed in real time and not stored by third-party providers.

5. Backup & Recovery

  • Automated Backups: Your data is automatically backed up daily with point-in-time recovery capability.
  • Geographic Redundancy: Backups are stored in multiple geographic locations to ensure data durability.
  • Disaster Recovery: We have documented procedures to restore service quickly in case of any incident.

6. Security Monitoring

  • 24/7 Monitoring: Our infrastructure is continuously monitored for security threats and anomalies.
  • Logging: All system access and API calls are logged and retained for security analysis.
  • Incident Response: We have established procedures to respond to and communicate about any security incidents.

7. Payment Security

  • PCI Compliance: All payment processing is handled by PCI-DSS compliant providers (Lemon Squeezy, Stripe).
  • No Card Storage: We never store your full credit card numbers on our servers.
  • Secure Checkout: All payment pages are served over HTTPS with additional fraud prevention measures.

8. Your Security Responsibilities

To help keep your account secure, we recommend:

  • Use a strong, unique password for your TaxClip account
  • Don't share your login credentials with others
  • Log out when using shared or public computers
  • Keep your browser and devices updated with the latest security patches
  • Report any suspicious activity to us immediately

9. Reporting Security Issues

If you discover a security vulnerability or have concerns about the security of TaxClip, please contact us immediately:

Email: security@taxclip.co

We take all security reports seriously and will respond promptly.

10. Questions?

If you have any questions about our security practices, please don't hesitate to reach out:

General Support: support@taxclip.co

Website: https://taxclip.co