Company & Platform Overview‍

Neo.Tax is a software product that ingests project management data and financial data and leverages artificial intelligence to automate R&D tax credit compliance. 

General Security and Compliance

Neo.Tax is certified for both SOC 2, Type II and ISO 27001:2022; we also maintain compliance with GDPR. We provide a detailed privacy policy and data processing agreement (DPA) for customers and partners.

Data Storage, Handling, and Infrastructure Security

Customer data is stored in a PostgreSQL database hosted in Neon; additional data is stored in Google Cloud Storage. Each customer instance is tied to a unique database identifier for logical data separation and to ensure no commingling of data. In our Neon environments, data resides in the AWS US West 2 (Oregon) region with 99.999%+ durability and 30-day point-in-time-restore support. In GCP, data is replicated across multiple U.S. regions for the purpose of redundancy and disaster recovery. 

All data is encrypted in transit and at rest. We use TLS v1.3 protocols with modern cipher suites (AES-256 encryption and SHA2 signatures) to encrypt traffic in transit. At rest, data is protected using AES-256 encryption, with backups encrypted via KMS-managed keys and access restricted to key personnel through GCP IAM policies. Routine backups are regularly tested to confirm restoration reliability.

We maintain Recovery Time Objectives (RTO) of 48 hours and Recovery Point Objectives (RPO) of zero for the most recent 30 days, enabling point-in-time recovery to any moment within that window.

Customers may request a dedicated tenant; if requested, Neo.Tax will create a separate Google Cloud project and Neon project for that specific customer. See “Dedicated Cloud Offering” section below for more information.

Application and Endpoint Security

Neo.Tax adheres to OWASP Secure Coding Guidelines and follows a secure development lifecycle (SDLC) including peer-reviewed code changes, static application security testing, dynamic application security testing, and automated regression testing. We conduct annual third-party penetration tests across both the application and network layers, performed by an independent CREST-certified security firm. 

Our infrastructure includes continuous vulnerability scanning and timely patch management, with critical updates applied within 48 hours. All employee workstations are protected by enterprise-grade antivirus tools, with auto-updates scheduled scans enforced. 

Neo.Tax utilizes Virtual Private Networks (VPNs) as the primary method for remote access, supported by an application-layer proxy and IP whitelisting to ensure secure communication. 

Authentication and Access Management

Neo.Tax enforces strict authentication and access controls for both employees and customers:

Employee Access:

Access to Neo.Tax systems and data is restricted using role-based access controls (RBAC), IP whitelisting, and multi-factor authentication (MFA). All access is encrypted end-to-end and monitored. Permissions are granted based on job function and least privilege, with access promptly revoked within 72 hours of role changes or termination. Quarterly access reviews are conducted, and all changes are logged and retained for at least one year.

Customer Data Access:

• Customers can authenticate into Neo.Tax via email/password, magic link, or SSO (e.g., Google or Microsoft OAuth). Passwords must meet complexity requirements of the company’s Password Policy and are securely hashed across both operator and customer systems.
• Neo.Tax also supports SAML 2.0/OIDC SSO authentication for enterprises using Identity Access Management services, such as Okta, OneLogin, Ping Identity, etc.
• All user sessions are encrypted via TLS v1.3, and idle sessions are automatically logged out after 20 minutes of inactivity. 
• Users in the Neo.Tax system can be granted access with three possible scopes: ADMIN, MEMBER, or NON-FINANCIAL MEMBER. Non-financial members are unable to view any financial data in the application, such as employee payroll information or accounting transactions.
• Company accounts in the Neo.Tax system can be configured to redact all PII data in the application. This enables users to review financial information without identifying individuals based on their PII.

Vendor and Third-Party Risk Management

Neo.Tax maintains a third-party risk management program to ensure all critical vendors meet our security, privacy, and compliance standards. We evaluate vendors prior to onboarding, maintain documented lists of approved third parties, and enforce contractual obligations that require breach reporting and protect against unauthorized disclosures. We conduct ongoing monitoring and annual reassessments of vendor agreements and compliance reports. 

Dedicated Cloud Offering

Neo.Tax offers a Dedicated Cloud deployment option for enterprise customers with heightened security requirements. Each environment is instantiated as a single-tenant Virtual Private Cloud (VPC), ensuring complete segregation of data, compute, and services. No infrastructure is shared across tenants—customers operate in fully isolated environments at the network, application, and storage levels.

Key features of the Dedicated Cloud offering include:

• Isolated Infrastructure: All Neo.Tax services—including application logic, databases, and storage—run in a dedicated environment instantiated per customer, with no shared resources.
• Custom Security Extensions: For customers who opt into our Dedicated Cloud offering, Neo.Tax can grant access to the underlying cloud resources  to approved security representatives. This enables installation of additional network security controls, such as custom firewall rules, intrusion detection systems, or outbound egress filtering.
• Customer-Controlled Encryption: Support for customer-managed encryption keys (CMKs), including bring-your-own-key (BYOK) options or other supported cloud-native key management systems. (Available upon request.)
• Advanced Auditability: Dedicated environments provide full visibility into system-level activity via isolated logging, with support for exporting logs to customer SIEM tools. (Available upon request.)
• Private Connectivity: Optional support for private network connections (e.g., AWS Direct Connect or site-to-site VPN) and/or application IP whitelisting, eliminating public internet exposure and enhancing control over ingress/egress.
• Operational Governance: Customers may define their own backup schedules, maintenance windows, and data retention policies. Data residency requirements can also be enforced at the infrastructure level.

This offering delivers the benefits of on-premise control without sacrificing the elasticity, uptime, or automation capabilities of a modern cloud-native SaaS platform.

AI & Automation Safety

When it comes to AI model training and processing, Neo.Tax maintains privacy and auditability at its core. Customer-specific data is strictly anonymized and masked before any AI training or fine-tuning takes place. Moreover, any usage of customer data for training or fine-tuning is optional—clients may opt out entirely with a simple configuration setting. Critically, Neo.Tax’s AI models operate on metadata—such as ticket statuses, timestamps, hierarchies, and assignees—as well as ticket names and descriptions. However, Neo.Tax does not access sensitive content like source code, birth dates, social security numbers, or employee addresses.

Our “audit‑ready, transparent AI” approach trains on labeled, compliance-domain datasets, then applies IRS-defined tests to classify engineering work according to R&D tax criteria, generating literal narratives that are fully traceable, replicable, and reviewable by tax professionals. By design, it avoids “black box” outputs—every decision includes a reasoning trace, empowering internal oversight and facilitating audit confidence.

Contact & Documentation Access‍

For security questionnaires or additional information, please contact: security@neo.tax or request reports and certificates via our Trust Center