Data Security

Last updated: 2026-05-20

3520file's customer-facing summary of our Written Information Security Plan (WISP) — required for paid tax preparers by IRS Publication 4557 and the FTC Safeguards Rule under GLBA. This is the public summary of our full internal WISP document, which we update annually and whenever a material change occurs to our systems or vendor stack. Read this alongside our Privacy Policy for the complete picture.

1. Our Compliance Posture

We comply with: IRS Publication 4557 (Safeguarding Taxpayer Data); the FTC Safeguards Rule under the Gramm-Leach-Bliley Act (16 CFR Part 314, updated 2023); state breach-notification laws including California (Cal. Civ. Code § 1798.82), New York (SHIELD Act), Massachusetts (201 CMR 17.00), and applicable laws in every state where our customers reside; the EU GDPR, UK GDPR, and Swiss FADP via Standard Contractual Clauses; and PCI-DSS via Stripe for payment data. Our WISP is reviewed annually and updated whenever a material change happens.

2. Encryption and Key Management

All data at rest is encrypted with AES-256-GCM. SSN and ITIN values receive an additional layer of column-level encryption with envelope keys that are separate from the database master key and rotated annually. All data in transit is protected by TLS 1.3 with modern cipher suites. Application secrets (API keys, signing keys) are stored in a secrets manager and never written to source control.

3. Access Controls

Production data access is restricted to authorized personnel only and requires multi-factor authentication. Access is granted based on the least privilege necessary to perform a defined role. All access is logged to an immutable audit trail retained for the same 7 years as your filing records. We perform quarterly internal access reviews and revoke access immediately on role change. We do not store production data on laptops, mobile devices, or removable storage; production data is never copied to non-production environments.

4. Network and Infrastructure Security

Our infrastructure runs on Railway, a SOC 2 Type 2 certified hosting provider built on top of Google Cloud Platform infrastructure. Cloudflare protects every public endpoint with TLS termination, DDoS mitigation, and bot management. Our application has a documented network architecture with private database subnets, no public database endpoints, and least-privilege IAM. We use container isolation, network segmentation, automated dependency scanning, and continuous vulnerability monitoring.

5. Vendor Management

Every third party that touches taxpayer data is reviewed before integration and re-reviewed annually. Each vendor is bound by a written data-processing agreement, an obligation to protect data to the standard required by IRS Publication 4557, and an obligation to notify us of any security incident within 24 hours. Current subprocessors: Clerk (authentication), Stripe (payments, PCI-DSS Level 1), Resend (transactional email, SOC 2 Type 2), Railway (hosting, SOC 2 Type 2), Cloudflare (DNS/CDN, SOC 2 Type 2), OpenExchangeRates (FX rates only, no PII transmitted), Lob.com (Concierge mail only, recipient name and US address only), PostHog (anonymous analytics), Sentry (error monitoring without PII).

6. Personnel Security

Every team member with access to taxpayer data signs a confidentiality agreement, completes annual security awareness training (covering IRS Pub 4557 specifics, phishing recognition, and incident reporting), and undergoes a background check before being granted access. Access is provisioned just-in-time via a documented onboarding workflow and deprovisioned within 24 hours of role change or departure.

7. Incident Response

We maintain a documented incident-response plan covering detection, triage, containment, eradication, recovery, and post-incident review. The plan names the responsible parties, the legal notification timelines (72 hours under GDPR, 30 days under most US state laws, consistent with IRS Pub 4557), and the customer-communication procedure. We test the plan annually via a tabletop exercise. If a security incident affects your data, we will notify you and applicable regulators within the legally required timeframe. Report suspected incidents to security@3520file.com.

8. Backup and Disaster Recovery

Database backups are taken automatically every 24 hours and retained for 30 days for point-in-time recovery. Backups are encrypted at the same standard as production data and stored in a separate availability zone. We test our recovery procedure semi-annually. Our Recovery Time Objective (RTO) is 4 hours and our Recovery Point Objective (RPO) is 24 hours.

9. Retention and Deletion

We retain your filing records for 7 years from the filing date — 6 years to match the IRC § 6501 statute of limitations for international transactions, plus 1 year of safety margin. After the retention period, identifiable data is securely deleted using cryptographic key destruction; only an anonymized audit log remains. Backups expire under their own 30-day rolling window. We do not retain physical records.

10. Risk Assessment

We perform an annual written risk assessment as required by the FTC Safeguards Rule. The assessment identifies foreseeable internal and external risks to the confidentiality, integrity, and availability of customer data; evaluates the sufficiency of current safeguards; and produces a remediation plan for any gaps. The most recent assessment is on file with our compliance officer and is shared with our auditors during the annual WISP review.

11. What You Can Do

Use a unique password (Clerk enforces strong-password rules) and turn on multi-factor authentication in your Clerk account. Do not share your account credentials with anyone. Be alert for phishing emails that impersonate 3520file — we will never ask for your SSN, password, or full credit-card number via email. If you suspect unauthorized access to your account or receive a suspicious message claiming to be from us, email us immediately at security@3520file.com.

12. Contact

For security questions, to report a suspected incident, or to request additional detail on our WISP, email security@3520file.com. The full internal WISP document is available to enterprise customers and compliance auditors under non-disclosure agreement.