TaxBook
Security & privacy

Security designed for tax practice

TaxBook is built for attorneys, accountants, and in-house counsel who carry privileged and confidential client work. Every architectural choice we make — especially around AI — is anchored to that responsibility.

Bring your own AI account

Your AI vendor. Your keys. Your governance.

TaxBook does not sit between you and the model. When you ask TaxBook to summarize a case, draft a memo, or answer a research question, the request is sent directly to your Anthropic, OpenAI, Azure OpenAI, or AWS Bedrock account using your API key. That has three real consequences for your practice:

No data pooling

Your prompts and completions never share a queue, a rate limit, or a model with another firm’s data. Nothing of yours trains a shared TaxBook model — because there is no shared TaxBook model.

Your existing agreements apply

The DPA, BAA, or enterprise terms you already signed with your AI vendor govern every inference call TaxBook initiates on your behalf. No new third party enters the chain of custody.

Cost transparency

Model spend bills directly to your AI vendor at their published rates. TaxBook doesn’t mark up tokens or bundle inference into seats you didn’t ask for.

Platform security

Encryption

TLS 1.2+ in transit. AES-256 at rest for the application database, backups, and object storage. Customer secrets (AI API keys, SSO credentials) are encrypted with envelope encryption.

Authentication

Email magic-link and one-time code by default. SSO via Google, Microsoft, and Okta on the Team and Firm tiers. Optional SCIM provisioning for Firm.

Access controls

Workspace-scoped permissions for shared research sessions. Audit log of authentication events, key rotations, and share-token activity available on Firm.

Data residency

U.S. region by default. Firm contracts support dedicated-region deployments and named-region commitments aligned to your AI vendor footprint.

Backups & recovery

Nightly encrypted backups to a separate object store with 30-day retention. Quarterly restore drills with documented RPO and RTO.

Vulnerability management

Dependency scanning on every commit. Annual third-party penetration test on the Firm tier with results available under NDA.

Compliance & trust artifacts

Procurement-grade evidence for your security review. SOC 2 Type II artifacts are gated by NDA through our Trust Center; the DPA is public and prefillable for execution alongside your order form.

TaxBook Trust Center

Live status of certifications, audits, subprocessor changes, and incident history. Request the SOC 2 Type II report and pen-test summary under one-click NDA.

Visit trust.taxbook.ai
SOC 2 Type II Audited annually

SOC 2 Type II report

Independent attestation against the AICPA Trust Services Criteria for Security, Availability, and Confidentiality. Covers the TaxBook production environment and the controls described on this page. Released under NDA via the Trust Center.

DPA GDPR & CCPA aligned

Data Processing Addendum

TaxBook’s standard DPA, including EU Standard Contractual Clauses and the UK International Data Transfer Addendum. Pre-signed by TaxBook — download, complete Schedule 1 with your firm’s details, and counter-sign for execution.

Looking for ISO 27001, HITRUST, or a custom questionnaire? The Trust Center routes those requests to security@taxbook.ai with a one-business-day SLA.

Named subprocessors

TaxBook engages the following subprocessors to deliver the service. We notify customers at least 30 days before adding or replacing a subprocessor on this list.

Subprocessor Purpose Data category Region
DigitalOcean, LLC Application hosting, managed Postgres, object storage Application data, encrypted backups United States (NYC)
Cloudflare, Inc. CDN, DDoS protection, TLS termination Request metadata, IP addresses Global (US edge)
Resend, Inc. Transactional email delivery (magic links, receipts) Email address, message metadata United States
Stripe, Inc. Subscription billing and payment processing Billing contact, payment instruments United States
Sentry (Functional Software, Inc.) Error monitoring and crash reporting Stack traces, user identifier, request metadata United States
Customer’s chosen AI vendor LLM inference for assistant features (BYO key — not a TaxBook subprocessor) Prompts and completions controlled by customer Per customer’s vendor selection

Your AI vendor is not a TaxBook subprocessor — it is a direct counterparty under your existing agreement. We list it here for completeness so your security review captures the full data path.

Still have questions for our security team?

Most procurement reviewers find everything they need in the Trust Center. For custom questionnaires, architecture deep-dives, or to escalate a redline, email security@taxbook.ai — we reply within one business day.