TaxPlanIQ Security Questions and Answers

1. Is tax return data imported in full, or are only specific forms and fields captured? What steps are taken to secure and anonymize the data?

Answer:

  • Only the minimum data elements required to deliver our product functionality are extracted from uploaded files.

  • The files uploaded to us are stored encrypted using a KEK (key encryption key) and DEK (data encryption key) strategy. We retain these encrypted files for up to 7 days for support purposes.

  • All sensitive form data is redacted in the files when the files are accessed within the software.

  • The software automatically imports, maps and cleans the files with no manual action required by TaxPlanIQ personnel.

  • Access to files in the backend systems is granted on an as-needed basis (typically for support purposes) and requires security approval.

  • Access is revoked immediately afterward, typically once the support ticket has been addressed.


2. Is data sold to or shared with any third-party vendors? If so, what measures do you take to ensure third-party security and privacy compliance?

Answer: Data is neither shared with nor accessible to third parties.


3. Is data transmitted outside of the United States? Are backups retained within the United States? Do you rely on offshore vendors for support? If so, do offshore support team members have access to data?

Answer:

  • Applications, data and backups are located in Virginia, USA (AWS).

  • We follow a principle of least privilege (PoLP) policy.

  • We outsource some software development to a partner headquartered in the USA that utilizes developers in India.

  • This software development partner has limited access and may only access uploaded files on an as-needed basis with management approval, typically to service customer support tickets.


4. Do you conduct regular security audits and vulnerability assessments?

Answer:

  • A security audit is performed before each build and release of our software. Any critical or high-risk vulnerabilities are prioritized and scheduled accordingly.

  • We also utilize third-party software products for security alerts to detect and remediate vulnerabilities.


5. What is the process for detecting and responding to security incidents? Do you have an incident response plan in place?

Answer:

  • Security incidents, whether found by our personnel or customers, are logged in our ticket system and escalated to our engineering management.

  • Engineering management then evaluates the severity of the defect and escalates it to our development team to perform a hotfix for the affected system(s).

  • An incident report is created outlining the security defect, the steps taken to remediate it in production, and the steps taken to prevent it from recurring (regression testing).

  • If customer data is known to be affected by a security defect or incident, TaxPlanIQ will inform those affected customers within 3-7 business days.


6. Describe training on security and privacy that is in place for personnel, and how frequently it is conducted.

Answer:

  • General security and privacy training is provided to our personnel by a third-party service, including training, random assessments and management reports. Random assessments are conducted once a month, and additional training is assigned if needed.


7. Have you incurred any security incident or reportable data breach in the last 5 years?

Answer: No.


8. What industry standards do you follow for data security and privacy? What regulatory requirements do you adhere to regarding data security and privacy, and how do you ensure ongoing compliance with these regulations?

Answer:

  • PCI compliance is handled via our third-party payment processing service.

  • We follow the OWASP Top 10, but we do not currently follow any specific third-party security standard such as SOC 2 or ISO 27001.


9. Is cyber and liability insurance maintained?

Answer: Yes, we have cyber and liability insurance.