Trust

Security & Trust

Last updated 2026-06-10

CA firms handle PAN, GSTIN, bank statements, notices, and audit files. This page describes — concretely, not in marketing language — what Taxayu does to protect that data today, and what is still on the roadmap. Where something is not built yet, we say so.

1. Transport and infrastructure

  • All traffic is served over HTTPS (TLS). Plain-HTTP requests are not accepted.
  • The application runs on Vercel's managed infrastructure; we do not operate our own exposed servers.
  • Every response carries hardened security headers — Content-Security-Policy, Strict-Transport-Security (HSTS), X-Frame-Options, and related protections — set centrally in middleware.
  • Secrets (database credentials, AI provider keys, auth secrets) live in server-side environment configuration and are never shipped to the browser.

2. Authentication

  • Sign-in via email/password or Google OAuth, built on NextAuth.
  • Passwords are hashed with bcrypt — never stored or logged in plain text.
  • Sessions use signed JWTs; signing keys are server-side secrets.
  • Authentication and password-reset endpoints are rate-limited to slow down credential-stuffing and enumeration attempts.
  • Password-reset tokens are single-use and expire.
  • Staff join a firm workspace by admin invite — there is no way to self-join someone else's workspace.

3. Roles and access control

Every workspace member has exactly one role, enforced server-side on every API route — not just hidden in the UI:

RoleAccess
Firm AdminWorkspace settings, member invites and removal, all clients, all modules, exports
Chartered AccountantPrepare and review work, manage clients, run all modules, export outputs
CA StaffPrepare assigned work, run modules, upload documents
ViewerRead-only access to reports and workings — no edits, no exports of client masters
Client (portal)Client-portal namespace only: upload requested documents, view their own status. Never sees the firm workspace or other clients

Client-portal users sit below every firm role in the permission hierarchy: their session can only reach the portal namespace, never firm-side data.

4. Tenant isolation

Every record — clients, filings, documents, computation results — is scoped to your firm's workspace ID at the database layer. Workspace-scoped API routes resolve the workspace from the authenticated session, not from client-supplied parameters, so one firm's data cannot be addressed from another firm's session.

5. Audit logs

Administrative and membership actions — invites, role changes, member removal, session revocation, workspace changes — are recorded in an append-style audit log with the acting user and timestamp. Audit coverage is being extended to uploads, exports, deletions, and AI generations.

6. Files and retention

  • Uploaded source files are processed and then deleted from disk; they are not kept lying around in storage.
  • Computation results, audit logs, and workspace records are retained for the life of the account so your working history stays reconstructable.
  • Deleting your account removes your workspace data; see the Privacy Policy for the full retention description.

7. AI subprocessors

AI features are invoked explicitly — nothing is sent to an AI provider in the background. Workspace content is not used to train third-party AI models. Every AI output is labelled as a draft requiring CA review.

ProviderPurposeWhat it receives
Google (Gemini)Document classification, extraction, drafting aidsOnly the document text relevant to the feature you invoke
Anthropic (Claude)Drafting and analysis aidsOnly the document text relevant to the feature you invoke
OpenAIDrafting and analysis aidsOnly the document text relevant to the feature you invoke

8. Calculation accuracy

  • Tax engines are deterministic, versioned code — not AI guesses. Each engine carries a version identifier so an output can be traced to the rules that produced it.
  • Engines are covered by automated test suites, including certification tests against worked examples (GSTR-1/3B exports, TDS/FVU validation, surcharge and interest math), run in CI on every change.
  • High-liability and AI-assisted workflows are documented in their module descriptions, and all outputs require professional review before filing or client delivery.

9. On the roadmap — not built yet

In the interest of honesty, the following are planned but not live today:

  • Two-factor authentication (2FA) for firm admins.
  • Google SSO domain restrictions per workspace.
  • Direct portal/API filing via GSP and ERI integrations (today's workflows produce reviewed workpapers, not certified upload files).
  • A formal data-processing agreement (DPA) — available on request while it is being standardised.
  • An in-product retention dashboard showing exactly what is stored per workspace.

10. Reporting a vulnerability

If you find a security issue, email chirayumate@gmail.com with steps to reproduce. Please do not test against other firms' data — use a workspace you created with dummy data. We respond to security reports with priority.