Taxaroo Security

Page last updated: 10/16/2017

Security Overview

At Taxaroo, we take the security of your sensitive information extremely seriously. As a result, Taxaroo was built from the ground up to use industry-standard security and encryption measures. A lot of companies say that they take security seriously, but few back it up with any substance. This page is intended to show you how deeply we care about security, and to tell you in detail how we keep your information safe.

Before getting into more detail, it is important to explain the general philosophy we live by when considering how to handle your sensitive information. This is best described by the following order of priorities as it relates to your data:

  • Priority #1: Encrypt all communication. All interactions that you have with Taxaroo are done through bank-level SSL-encrypted communications. This includes all of our static content and all data and documents that you submit or retrieve from Taxaroo. This means that no one can steal or otherwise intercept your data while it is being sent to or from Taxaroo.
  • Priority #2: Don’t store the data at all. We try to avoid asking you to provide any information that is not immediately necessary for either our business processes or for the business of preparing tax returns. The less information that you have to provide, the better it is for security and for your ease of use.
  • Priority #3: Encrypt data that we do have to store. For data that we have to store, we use various encryption and hashing approaches to ensure that even if someone got access to our database/files, they would not be able to use it (it would just look like gibberish!). We provide more information about how we do this in later sections.

Now that we’ve gotten that out of the way, let’s dig into our security in a little more depth.

Types of Security

"Security" is such a broad term that it is generally misleading for a company to claim that they are "secure" without breaking it down into more specific components. For example, a company may encrypt your information while it is being sent to and from their servers, but then do something crazy (and dangerous) like storing your credit card details in plain text (unencrypted) in a poorly-secured database!

So, with that in mind, we’ll talk about our security in five separate but equally important areas:

Protecting Data in Transit

Data "in transit" refers to the data that is transferred when you submit information to, or retrieve information from, a website. Protecting information in transit is done by encrypting data before being sent to or from a website, using something called SSL. Taxaroo uses strong SSL encryption for all data in transit, which is the same security your bank uses to protect your data. This ensures that even if someone was able to electronically intercept your communication with Taxaroo, it would be impossible to decrypt that information and steal your data. Taxaroo received an A+ rating from SSL Labs, which should give you confidence that we’re using industry best practices.

Web browsers (like the one you’re using now) handle this encryption automatically for you when accessing a website through "https". When your communication is encrypted in transit, most web browsers will show you a visible "lock" of some sort to reassure you that this is happening (as seen below).

Figure: Illustrating the lock icon in Chrome, Internet Explorer, and Firefox (descending order).

This is what a lot of people refer to when they talk about "web security", and at this point in time any serious business that operates on the internet is using SSL to protect your data.

Protecting Data at Rest

Data "at rest" refers to data that is being stored on our servers for use at a later time. This includes text-based information that you’ve submitted, as well as documents that you may have uploaded. Let’s talk about these each in more detail.

Protecting your text-based data

As discussed above, all communication with Taxaroo is 100% encrypted. Once we receive your data, though, you still want to be sure that we are handling it responsibly. Here’s what we do with this data once you’ve entrusted us with it.

Passwords

We only store hashed versions of your password! For those techies out there that care to know, we use bcrypt hashing (which uses a per-user salt), which as of this writing is generally regarded by many security experts to be the best way to securely store user passwords.

What does this mean in human-speak? Since "hashing" is a one-way operation, there is no way to take a hashed version of something and retrieve the original value. This basically means that there is no way for someone to decrypt your password even if they had full access to our database. It also means that we have no way to know what your password is! All that we can do when you log in is to take the password you enter, "hash" it again, and see if it matches what we have stored. This is why, if you forget your password, we have to ask you to reset it instead of us just telling you what it is. We never stored the raw version in the first place!
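To make the "hash it again and compare" flow above concrete, here is an added example that is not Taxaroo's code (the page does not show its implementation). It uses the standard library's PBKDF2 as a stand-in for bcrypt, since the properties being illustrated are the same: a fresh per-user salt, a one-way digest, and verification by re-hashing rather than decrypting.

```python
import hashlib
import hmac
import os
from typing import Optional

# Stand-in parameters: bcrypt takes the place of PBKDF2 in the scheme the page describes.
ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 200_000


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: algorithm$iterations$salt_hex$digest_hex."""
    if salt is None:
        salt = os.urandom(16)  # per-user salt, freshly generated for every record
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"{ALGORITHM}${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Re-hash the submitted password with the stored salt and compare in constant time.

    Nothing here reverses the digest: the only operation available is to hash the
    candidate again and check for equality, which is why a forgotten password can
    only be reset, never revealed.
    """
    try:
        algorithm, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False  # malformed record: never accept
    if algorithm != ALGORITHM:
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


def same_password_different_records(password: str) -> bool:
    """Two users who pick the same password still get different stored records."""
    return hash_password(password) != hash_password(password)
```

Because the salt is stored alongside the digest, an attacker who copies the database gains nothing they can reuse without guessing each password individually, which is what the advice about long, complex passwords is protecting against.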

Of course, when it comes to passwords, you can help ensure your security by choosing a complex, lengthy password to prevent someone from simply guessing what it is!

Other sensitive information

The hashing process used for storing passwords is not useful for sensitive information where the "plain text" version is needed at some point in the future. This applies to information like social security numbers and bank account information, both of which are used when filing taxes. In the very unlikely event (see later sections) that someone gained access to our database, we don’t want an attacker to be able to retrieve or use any of this sensitive data.

To protect this data, we use encryption instead of hashing. Encryption allows us to store data in a "garbled" format, but to later be able to decrypt it. For example, this allows us to only decrypt social security numbers when they need to be displayed to a client or their tax preparer for the purposes of completing a tax preparation. Otherwise they sit in the database fully encrypted.

Decryption relies on encryption/decryption keys, which are basically very, very long (impossible even for a supercomputer to guess) secret codes used to lock/unlock encrypted data. To actually retrieve your sensitive information, an attacker would not only need to have access to our data, but also the decryption keys and knowledge of the encryption scheme used. For obvious reasons, we won’t discuss our specific encryption scheme here. In addition, we do not store encryption keys on the same infrastructure as we store your data. This avoids a single point of failure, since an attacker would need to breach multiple parts of our infrastructure to gain anything useful. We discuss how our infrastructure is protected in a later section.

Protecting your documents

Much of the sensitive information you send to Taxaroo is contained in PDF documents, images, and other pieces of non-text data. To ensure that these are stored securely, and to provide faster upload/download speeds, we store documents on Amazon Web Services' S3 cloud storage, where they are encrypted at rest using 256-bit AES encryption.

As of this writing, Amazon Web Services (AWS) is the leading cloud infrastructure provider and has extraordinary security measures in place to ensure the security of the data that they handle. Both Fortune 500 companies and major Federal agencies trust AWS to store and protect their users’ data, which gives us confidence that your information is well-protected. You can read more about AWS security measures on their website.

Protecting Against Browser Vulnerabilities (a.k.a. "client-side" attacks)

Aside from trying to get access to your data directly from our servers, there are a variety of ways that attackers can target you directly by taking advantage of the ways in which your web browser works. There are a wide variety of "common" ways that a bad actor could get you to unintentionally give them information, and we take every possible measure to ensure that we protect you against these well-known attack vectors.

To illustrate the type of attacks we’re defending against, let’s look at an example.

  1. Pretend you have logged into your bank account online, but that your bank was not careful with implementing its browser security. Let’s call their website "carelessbank.com".
  2. Sometime shortly after, someone who knows that you bank with Careless Bank convinces you to visit a website that they control. Let’s call this "evilwebsite.com".
  3. When you visit evilwebsite.com, they can then use your browser to submit data to carelessbank.com, without you ever knowing! Since your browser is already logged into carelessbank.com (from step 1), carelessbank.com will happily perform whatever operation your browser sends it. The attacker could potentially submit a form that transfers your money to their account, changes your account information, or any number of other scary things.

This type of attack is known as Cross-Site Request Forgery (CSRF or XSRF), and a website must take active steps to prevent it. Taxaroo makes it impossible for someone to perform this type of attack against you, along with a wide variety of other types of attacks including "clickjacking", cross-site scripting (XSS), and much more.
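The "active step" most sites take against the carelessbank.com scenario above is a per-session CSRF token that the site embeds in its own forms and checks on every state-changing request. The following is an added example written for this page, not Taxaroo's code (its framework is not named); the session store, cookie and form dictionaries are constructed stand-ins for what a web framework would supply.

```python
import hmac
import secrets

# Constructed in-memory session store: session id -> session data.
SESSIONS = {}


def create_session(user: str) -> str:
    """Step 1 of the scenario: the user logs in and receives a session cookie.

    A CSRF token is minted alongside the session and lives only in server state
    and in pages the legitimate site renders for this user.
    """
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "csrf_token": secrets.token_urlsafe(32)}
    return sid


def render_transfer_form(sid: str) -> dict:
    """The legitimate site embeds the session's token as a hidden form field.

    A page on another origin (evilwebsite.com in the scenario) cannot read this
    value because the browser's same-origin policy keeps carelessbank.com's
    responses away from it.
    """
    return {"csrf_token": SESSIONS[sid]["csrf_token"]}


def handle_transfer(cookies: dict, form: dict) -> str:
    """State-changing endpoint: accept only if the form carries the session's token.

    cookies: what the browser attaches automatically, which is why step 3 of the
             scenario works at all
    form:    the submitted fields, which a third-party page chooses freely
    """
    session = SESSIONS.get(cookies.get("session", ""))
    if session is None:
        return "401 not logged in"
    expected = session["csrf_token"].encode("utf-8")
    supplied = form.get("csrf_token", "").encode("utf-8")
    if not hmac.compare_digest(expected, supplied):
        # Cookie was present, so the browser is logged in, but the request did not
        # originate from a page the site rendered: this is the CSRF case.
        return "403 CSRF token missing or wrong"
    return f"200 transferred {form.get('amount', '0')} for {session['user']}"
```

The check works because the session cookie and the token travel separately: the browser sends the cookie to any request for that site, but only the site's own pages can place the matching token in the form.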

Suffice to say, we take this application-level security very seriously.

Protecting Your Credit Card Information

We address the topic of your credit card information separately because it is an area we take especially seriously. Not only is this because we are moral and upstanding individuals (we are), but it is also because there is strict regulation governing the handling of credit card information (called "PCI Compliance"), and we don’t want to go to jail!

In order to safely process credit card transactions on Taxaroo, we use a highly-reputable third-party payment processor called Stripe. Stripe is trusted to process payments for major companies like Lyft, Shopify and Postmates. Because we use Stripe, it means that Taxaroo never has access to, or stores, your credit card information.

This is a very important point. When you enter credit card information on Taxaroo’s website, that information is actually not being sent to our servers. Instead, it is being sent directly (and securely) to Stripe for safekeeping. We then have a process for authenticating with Stripe and asking them (programmatically) to process a charge to your card. This means that there is no way that we could possibly misuse your credit card information, or have it stolen by an attacker.

Infrastructure Security, Physical Security and Access Control

So far we’ve talked about how we protect your information from being intercepted in transit, how we avoid an attacker exploiting you personally, and how we avoid an attacker making use of your data in the event they actually get access to it (via hashing and encryption). Obviously, though, this is the last thing that we want! This section discusses how we prevent attackers from getting access to your information to begin with.

Infrastructure security

When you envision a hacker sitting at a computer terminal trying to break into another system, what that hacker is trying to do is break into their victim’s infrastructure. In our world, that would be the servers that run Taxaroo and store our database information.

Running secure servers is difficult, which is usually why you hear about hacks happening to large companies that try to manage their own servers. There is a lot of specialized knowledge necessary to begin with, and on top of that there are constantly new patches coming out to fix vulnerabilities found in an endless number of services and software. In order to ensure that we have the best people in the industry protecting our infrastructure, we chose to use a third-party "platform as a service" to manage this for us.

Taxaroo runs on Heroku, which is now owned by Salesforce (giving us even more confidence in their security). We spend more money to operate Taxaroo on their platform than if we ran our own servers, but because we take security so seriously, we feel this is worth it. Heroku has expert teams of security people that make sure that there are no opportunities for hackers to attack the underlying systems that Taxaroo runs on. Major companies like Toyota and Macy's trust Heroku to run their applications, and we do as well. See Heroku's website for more details about the ways they protect our servers.

Physical security

Now that we’ve talked about keeping you secure from someone sitting at a computer thousands of miles away, let’s talk about how we prevent someone from physically taking your data in person.

Here again we turned to Heroku to ensure the physical security of our servers and data. In turn, Heroku actually runs our software on Amazon Web Services, which is today’s leading cloud service provider. You can also read more information about AWS security on their website. From Heroku’s security information:

"Heroku utilizes ISO 27001 and FISMA certified data centers managed by Amazon. Amazon has many years of experience in designing, constructing, and operating large-scale data centers… AWS data centers are housed in nondescript facilities, and critical facilities have extensive setback and military grade perimeter control berms as well as other natural boundary protection. Physical access is strictly controlled both at the perimeter and at building ingress points by professional security staff utilizing video surveillance, state of the art intrusion detection systems, and other electronic means."

This means that by running Taxaroo on Heroku, we’re also using the same physical security as major firms like Nasdaq, General Electric, Intuit, and Major League Baseball, just to name a few.

We should also note that Taxaroo will never print out any of your data, back up data to external hard drives, or otherwise store physical copies of your data for any purpose in our day-to-day business operations. The only exception would be in a case where you specifically ask us to print something, and in that case we will destroy this information immediately after its use.

Access Control

With all of these protocols in place to protect your data, we still need to ensure that an attacker cannot gain access to the credentials that our own employees use to access our servers and services. To ensure this, we have strict policies to only provide access to data and services to team members that have mission-critical needs to access them.

For the team members that do have access, we require them to use complex passwords, and we require that they use two-factor authentication where available. This means that accessing any of our infrastructure requires not only a username and password, but also a time-based, temporary access code that is accessible only from that user's phone. This dramatically reduces the ability of an attacker to gain unauthorized access to our infrastructure.

Taxaroo plans to implement two-factor authentication in the near future to allow you to secure your own accounts even further.

Wrap-up

We hope that this gives you a sense of how seriously we take security, and lets you know that we take to heart the fact that you are entrusting us with your sensitive information. We also hope that you’re walking away with a better sense of how other companies should be protecting your information. We are constantly looking for ways to improve security on all fronts, and if you have any further security concerns we can always be reached at security@taxaroo.com.