SECURITY

In tax and accounting, data security is table stakes.

Neo.Tax is obsessed with safeguarding your data in accordance with the industry’s highest standards of security and privacy.

SOC 2 Type II

Annually audited by an independent firm covering security, availability, and confidentiality.

ISO/IEC 27001:2022

Information-security management system certified to the international standard.

GDPR

Compliant with EU data-protection regulations; DPA available for customers and partners.

DATA STORAGE & HANDLING

Customer data, isolated and encrypted end to end.

  • Customer data is stored in a PostgreSQL database hosted in Neon; additional data is stored in Google Cloud Storage.
  • Each customer instance is tied to a unique database identifier for logical data separation and to ensure no commingling of data.
  • In our Neon environments, data resides in the AWS US West 2 (Oregon) region with 99.999%+ durability and 30-day point-in-time-restore support.
  • In GCP, data is replicated across multiple U.S. regions for redundancy and disaster recovery.
  • All data is encrypted in transit using TLS v1.3 with modern cipher suites (AES-256, SHA2). At rest, data is encrypted with AES-256, with backups encrypted via KMS-managed keys and access restricted through GCP IAM policies.
  • Backups are tested regularly to confirm they can be restored. RTO is 48 hours; RPO is zero for the most recent 30 days (point-in-time recovery to any moment in that window).
  • Customers may request a dedicated tenant — a separate Google Cloud project and Neon project provisioned for that customer alone.

APPLICATION & ENDPOINT SECURITY

Secure by default, audited by independents.

  • Neo.Tax adheres to OWASP Secure Coding Guidelines and follows a secure development lifecycle: peer-reviewed code changes, static application security testing (SAST), dynamic application security testing (DAST), and automated regression testing.
  • Annual third-party penetration tests across application and network layers, performed by an independent CREST-certified security firm.
  • Continuous vulnerability scanning and timely patch management; critical updates applied within 48 hours.
  • Deployments protected via a Web Application Firewall (WAF) with IP whitelisting.
  • Employee workstations are protected by enterprise-grade antivirus with auto-updates and scheduled scans enforced.
  • Remote access is gated by VPN, application-layer proxy, and IP whitelisting.

AUTHENTICATION & ACCESS

Role-based, MFA-enforced, session-bounded.

  • Internal access to systems and data is restricted by RBAC, IP whitelisting, and MFA — all access encrypted end-to-end and monitored.
  • Permissions are granted by least-privilege; access is revoked within 72 hours of role changes or termination. Quarterly access reviews are conducted and logs retained for at least one year.
  • Customers sign in via email/password, magic link, or SSO. SAML 2.0 and OIDC supported with Identity Providers including Okta, OneLogin, Microsoft Entra, and Ping Identity.
  • Passwords must meet complexity requirements and are stored only as secure hashes; sessions are encrypted via TLS v1.3 and are logged out after 20 minutes of inactivity.
  • User scopes: ADMIN, MEMBER, or NON-FINANCIAL MEMBER (cannot view financial data such as payroll or accounting transactions).
  • Account-level PII redaction — review financial information without identifying individuals.

AI & AUTOMATION SAFETY

Privacy and auditability at the core of the model.

  • Customer-specific data is strictly anonymized and masked before any AI training or fine-tuning takes place.
  • Use of customer data for training is optional — clients may opt out entirely with a configuration setting.
  • Models operate on metadata (ticket statuses, timestamps, hierarchies, assignees) and ticket names/descriptions.
  • Neo.Tax does not access sensitive content such as source code, birth dates, social-security numbers, or employee addresses.
  • Audit-ready, transparent AI: trains on labeled compliance-domain datasets, applies IRS-defined tests to classify engineering work, and generates literal narratives that are traceable, replicable, and reviewable by tax professionals.
  • By design, no black-box outputs — every decision includes a reasoning trace, supporting internal oversight and audit confidence.

VENDOR & THIRD-PARTY RISK

Critical vendors meet our standards or don't onboard.

  • Vendors evaluated prior to onboarding against security, privacy, and compliance criteria.
  • Documented list of approved third parties maintained and reviewed.
  • Contractual obligations require breach reporting and protect against unauthorized disclosures.
  • Ongoing monitoring and annual reassessments of vendor agreements and compliance reports.

DEDICATED CLOUD

Single-tenant VPC for enterprises with heightened requirements.

Each environment is instantiated as a single-tenant Virtual Private Cloud — complete segregation of data, compute, and services. No infrastructure shared across tenants. Fully isolated at the network, application, and storage layers.

Isolated infrastructure

All Neo.Tax services — application, databases, storage — run in a dedicated environment instantiated per customer. No shared resources.

Custom security extensions

Approved security representatives can install network controls — custom firewall rules, IDS, outbound egress filtering — against the underlying cloud resources.

Customer-controlled encryption

Support for customer-managed encryption keys (CMKs), including bring-your-own-key (BYOK) and cloud-native KMS options. Available upon request.

Advanced auditability

Full visibility into system-level activity via isolated logging, with optional export to your SIEM. Available upon request.

Private connectivity

Optional private network connections (AWS Direct Connect, site-to-site VPN) and/or IP whitelisting — eliminating public-internet exposure.

Operational governance

Define your own backup schedules, maintenance windows, retention policies, and data-residency requirements at the infrastructure level.

On-premises-level control without sacrificing the elasticity, uptime, or automation of a modern cloud-native SaaS platform.

World-class data security built into everything we do.

For security questionnaires, SOC 2 reports, or additional certifications, contact security@neo.tax or request via our Trust Center.