Trust
Security & Trust
Last updated 2026-06-10
CA firms handle PAN, GSTIN, bank statements, notices, and audit files. This page describes — concretely, not in marketing language — what Taxayu does to protect that data today, and what is still on the roadmap. Where something is not built yet, we say so.
1. Transport and infrastructure
- All traffic is served over HTTPS (TLS). Plain-HTTP requests are not accepted.
- The application runs on Vercel's managed infrastructure; we do not operate our own exposed servers.
- Every response carries hardened security headers — Content-Security-Policy, Strict-Transport-Security (HSTS), X-Frame-Options, and related protections — set centrally in middleware.
- Secrets (database credentials, AI provider keys, auth secrets) live in server-side environment configuration and are never shipped to the browser.
2. Authentication
- Sign-in via email/password or Google OAuth, built on NextAuth.
- Passwords are hashed with bcrypt — never stored or logged in plain text.
- Sessions use signed JWTs; signing keys are server-side secrets.
- Authentication and password-reset endpoints are rate-limited to slow down credential-stuffing and enumeration attempts.
- Password-reset tokens are single-use and expire.
- Staff join a firm workspace by admin invite — there is no way to self-join someone else's workspace.
3. Roles and access control
Every workspace member has exactly one role, enforced server-side on every API route — not just hidden in the UI:
| Role | Access |
|---|---|
| Firm Admin | Workspace settings, member invites and removal, all clients, all modules, exports |
| Chartered Accountant | Prepare and review work, manage clients, run all modules, export outputs |
| CA Staff | Prepare assigned work, run modules, upload documents |
| Viewer | Read-only access to reports and workings — no edits, no exports of client masters |
| Client (portal) | Client-portal namespace only: upload requested documents, view their own status. Never sees the firm workspace or other clients |
Client-portal users sit below every firm role in the permission hierarchy: their session can only reach the portal namespace, never firm-side data.
4. Tenant isolation
Every record — clients, filings, documents, computation results — is scoped to your firm's workspace ID at the database layer. Workspace-scoped API routes resolve the workspace from the authenticated session, not from client-supplied parameters, so one firm's data cannot be addressed from another firm's session.
5. Audit logs
Administrative and membership actions — invites, role changes, member removal, session revocation, workspace changes — are recorded in an append-style audit log with the acting user and timestamp. Audit coverage is being extended to uploads, exports, deletions, and AI generations.
6. Files and retention
- Uploaded source files are processed and then deleted from disk; they are not kept lying around in storage.
- Computation results, audit logs, and workspace records are retained for the life of the account so your working history stays reconstructable.
- Deleting your account removes your workspace data; see the Privacy Policy for the full retention description.
7. AI subprocessors
AI features are invoked explicitly — nothing is sent to an AI provider in the background. Workspace content is not used to train third-party AI models. Every AI output is labelled as a draft requiring CA review.
| Provider | Purpose | What it receives |
|---|---|---|
| Google (Gemini) | Document classification, extraction, drafting aids | Only the document text relevant to the feature you invoke |
| Anthropic (Claude) | Drafting and analysis aids | Only the document text relevant to the feature you invoke |
| OpenAI | Drafting and analysis aids | Only the document text relevant to the feature you invoke |
8. Calculation accuracy
- Tax engines are deterministic, versioned code — not AI guesses. Each engine carries a version identifier so an output can be traced to the rules that produced it.
- Engines are covered by automated test suites, including certification tests against worked examples (GSTR-1/3B exports, TDS/FVU validation, surcharge and interest math), run in CI on every change.
- High-liability and AI-assisted workflows are documented in their module descriptions, and all outputs require professional review before filing or client delivery.
9. On the roadmap — not built yet
In the interest of honesty, the following are planned but not live today:
- Two-factor authentication (2FA) for firm admins.
- Google SSO domain restrictions per workspace.
- Direct portal/API filing via GSP and ERI integrations (today's workflows produce reviewed workpapers, not certified upload files).
- A formal data-processing agreement (DPA) — available on request while it is being standardised.
- An in-product retention dashboard showing exactly what is stored per workspace.
10. Reporting a vulnerability
If you find a security issue, email chirayumate@gmail.com with steps to reproduce. Please do not test against other firms' data — use a workspace you created with dummy data. We respond to security reports with priority.
