From infrastructure to application to people — TaxEye enforces security at every level.
All data is encrypted at rest using AES-256 and in transit using TLS 1.3. Encryption keys are managed using AWS KMS with automatic rotation.
Hosted in the AWS India (ap-south-1) region. Data residency in India. Redundant availability zones with automated failover for a 99.9% uptime SLA.
Role-based access control (RBAC) with the principle of least privilege. Multi-factor authentication (MFA) enforced for all accounts. Single sign-on (SSO) available on enterprise plans.
24/7 automated threat detection with AWS GuardDuty and CloudTrail. Anomaly detection alerts, intrusion prevention, and real-time incident response.
Comprehensive, tamper-evident audit logs for all user actions, data access, and system events. Retained for 7 years in compliance with tax record-keeping requirements.
Automated daily backups with point-in-time recovery. Cross-region backup replication. Recovery Time Objective (RTO) of 4 hours; Recovery Point Objective (RPO) of 1 hour.
TaxEye is designed to meet the strictest data protection requirements applicable to Indian tax professionals.
Fully aligned with India's Digital Personal Data Protection Act 2023. Consent-based processing, data principal rights, and designated Grievance Officer in place.
Our information security management system follows ISO 27001 standards for risk assessment, asset management, access controls, and incident response.
Payment processing via Razorpay — a PCI-DSS Level 1 certified processor. Card data is never stored on TaxEye servers.
All data is stored and processed within India (AWS ap-south-1 Mumbai). We do not transfer personal data outside India without appropriate safeguards.
Security is embedded in our software development lifecycle, not bolted on afterwards. Every release undergoes security review before it reaches production.
Annual penetration tests by certified third-party security firms. Reports shared with enterprise customers on request.
Vulnerability Assessment and Penetration Testing reports available under NDA for enterprise customers performing due diligence.
Security researchers can report vulnerabilities to [email protected]. We acknowledge all reports within 48 hours.
All TaxEye employees undergo mandatory security awareness training. Engineers complete secure coding training annually.
Client data is accessible only to users within your authorised workspace. TaxEye staff do not access client data unless explicitly authorised for support purposes, with full audit logging.
You can delete your data at any time. Account data is purged within 90 days of account closure. Backups containing deleted data are fully purged within 30 days.
Export all your data at any time in standard formats (CSV, PDF, JSON). No lock-in — your data belongs to you.
In the event of a data breach affecting your personal data, we will notify you within 72 hours of becoming aware, in accordance with DPDP Act 2023 requirements.
For enterprise security reviews, VAPT reports, data processing agreements, or custom compliance questions, contact our security team.
[email protected] · Responds within 48 hours