Security at prep.tax
Your tax data is some of the most sensitive information you have. Here’s how we protect it.
TLS 1.2+ in transit
Every connection between your device and prep.tax uses modern TLS. No mixed content, ever.
AES-256 at rest
Databases and uploaded documents are encrypted at rest with AES-256 by our cloud provider.
Row-level access control
Database policies make sure your data is only ever readable by your own account.
Two-factor authentication
TOTP-based MFA is optional for sign-in, and required before linking a bank account via Plaid.
Read-only bank links
Bank connections via Plaid are read-only. prep.tax can never move money on your behalf.
Card data we never see
Payments are processed by Stripe. We only ever store the last 4 digits and the subscription status.
Secrets vaulting
Production secrets (API keys, webhook signing keys) are kept in a managed secrets vault, not in code.
Continuous scanning
Every change is scanned for dependency vulnerabilities, leaked keys, and common misconfigurations.
What you can do
- Turn on two-factor authentication in Settings.
- Use a unique, strong password — ideally from a password manager.
- Review your connected bank accounts and integrations regularly.
- Sign out of shared devices.
Reporting a vulnerability
If you believe you’ve found a security issue, please email security@prep.tax with steps to reproduce. We’ll acknowledge within 2 business days. Please do not publicly disclose the issue until we’ve had a reasonable chance to fix it. We won’t pursue legal action for good-faith research that respects user privacy and avoids service disruption.