Trust & Safety
Security
Tax data is among the most sensitive information a firm handles. Here is how CitaxPro protects it.
Encryption in transit and at rest
All data is transmitted over TLS 1.2 or higher. Data at rest is encrypted using AES-256 via Supabase's managed PostgreSQL infrastructure hosted on AWS.
Authentication
User authentication is handled by Supabase Auth. Multi-factor authentication (MFA) is enforced for Partner and Firm Admin roles. Sessions are short-lived and invalidated on logout.
Infrastructure
CitaxPro runs on Railway and AWS infrastructure in the United States (us-west-1). No client data is stored outside the US. Infrastructure access is restricted to authorized personnel only.
Audit logging
Every create, update, and delete action in the platform is recorded in a tamper-evident audit log with user, timestamp, and IP address. Logs are retained for 7 years.
Data isolation
Each firm's data is isolated at the database level using row-level security policies. One firm cannot access another firm's clients, scenarios, or reports.
AI provider data handling
When you use PDF import, document content is sent to Anthropic or OpenAI solely to extract tax fields. Both providers are contractually prohibited from retaining or training on your data.
Report a vulnerability
If you discover a security issue, please email security@citaxpro.com with a description of the issue. We will acknowledge reports within 48 hours and aim to resolve confirmed vulnerabilities within 14 days. We do not currently offer a bug bounty program, but we do recognize responsible disclosure publicly upon request.