Security Whitepaper

Last updated December 3, 2019

Introduction

TaxJar’s mission is to enable our customers to save time, avoid headaches and reduce their risk when it comes to sales tax management. As part of that initiative, protecting their data is one of our most important responsibilities. We’re committed to being transparent about our security practices and providing the information you need to understand our approach.

Organizational security

Our security program aligns with SOC2 and GDPR principles and draws inspiration from several frameworks including, CIS Top 20, NIST, among others. Our program is tailored to be a custom fit to TaxJar. We will always strive to ensure that the policies and procedures we put into place appropriately reflect our unique environment and constantly evolving with updated guidance and new industry best practices.

The overall security posture at TaxJar is to be preventative rather than reactive. This can only be achieved with cross-organization cooperation and by implementing well designed security controls.

Security team

The security and compliance team at TaxJar is led by the Director of Information Security, who owns the security program and is responsible for its creation, implementation, and oversight. The security team members working underneath their leadership assist by supporting security initiatives and helping to further evolve and mature the program.

The security and compliance team work closely alongside and in collaboration with the engineering team. To ensure that security remains at the heart of development and operations, TaxJar has developed several policies and procedures which support that collaboration.

Compliance

TaxJar is currently undergoing a SOC2 assessment with Schellman & Company with an estimated completion time of January 2020. TaxJar has also gone through a GDPR readiness assessment with Tillage Advisors and have implemented several privacy controls in order to comply with GDPR articles.

Protecting customer data

Cloud hosted environment

TaxJar’s infrastructure is hosted with Amazon Web Services (AWS) so all physical assets where customer data resides is managed by the cloud provider. TaxJar leverages this infrastructure model and adds security controls on top of Amazon AWS. From a security standpoint, the controls are based on best practices and designed to take into account the specific data storage and processing risks associated with each aspect of the technology used at TaxJar, including unique factors associated with cloud hosted environments.

TaxJar recognizes both the unique benefits as well as the potential challenges that cloud based infrastructure can present. We take great measures to secure all cloud hosted instances, including separation of staging and production environments, ensuring limited access to critical systems, applying baseline configuration images to cloud servers, restricting access as needed, and extensively monitoring for unusual activity. Our Cloud SIEM is integrated with AWS security analytics (Macie, SecurityHub, GuardDuty) to help us aggregate logs, alerts, and other activity into a cohesive single source of truth and greatly enhance our monitoring capabilities.

As a distributed company, each technological choice at TaxJar is made with remote work, scalability, and ease of remote management and control in mind.

Employee security

At TaxJar we understand that security starts with our employees, they are the cornerstone of our security posture and our first line of defense, therefore security controls are most effective when they are supported by a robust security culture. As such, we engage our employees (and contractors) in a culture of security for the entire employee lifecycle, from the time they apply and throughout their time at TaxJar.

This includes background checks, mobile device management, and ongoing security awareness training.

Data protection

Since protection of customer and partner data drives and informs our security initiatives, we take great care to protect this data in its flow through our systems and while in our custody. We have implemented both technological and policy controls in order to accomplish this.

All customer data hosted in our environment is encrypted both at-rest and in-transit using TLS encryption, AES256 encryption, and SHA2 signatures, and retained only for as long as needed and in accordance with our Data Retention Policy. While data is encrypted at rest, we also employ data loss prevention and monitor for any potential risks or incidents which might compromise data protection.

Endpoint security

All employee workstations are required to be enrolled in our Mobile Device Management (MDM) Solution. The security team has created appropriate restrictions, configuration profiles, and automated deployments and updates of applications in order to meet security objectives (“Security bundles”). All workstations are configured by default with disk encryption, firewall, strong passwords, and lock when idle.

Security bundles are deployed using automated scheduling via our MDM solution. Remote access, monitoring, automatic alerts, and remote wipe capabilities help the security team meet ongoing compliance needs.

Access controls

TaxJar strictly adheres to principles of least privilege and employs permission sets and access that reflect job roles. Wherever possible, access is restricted only to that which is necessary to fulfill job responsibilities or specific project tasks. Our Employee Access Request process helps us enable, track and manage, and revoke employee access when needed. The security team performs access reviews on a quarterly basis. Access to all production systems in AWS require multi-factor authentication (MFA) to be enabled and we strongly encourage MFA to be turned on whenever it is an option.

TaxJar has implemented 1Password as our enterprise-wide and centralized password manager. Having a password management solution enables TaxJar employees to more easily meet password requirements and enables the security team to monitor and ensure good password hygiene is in use throughout the company.

Disaster recovery and business continuity

In order to meet SLAs, compliance with regulatory bodies, and important customer commitments and business objectives, TaxJar has created a Disaster Recovery and Business Continuity Plan based upon our unique environmental variables and commensurate with the associated risks we have identified to specific organizational factors. This plan is tested at least once a year and results are documented and communicated to Senior Management.

Incident response

TaxJar has implemented a comprehensive Incident Response & Breach Notification Process which includes specific steps to identify, triage, monitor, remediate security incidents. We also communicate with customers about security incidents in a defined and consistent way and according to defined SLAs. The incident response plan is tested at least annually and updated accordingly.

Sub-processors and vendors

TaxJar relies upon certain vendors in order to provide key aspects of the service and/or for required business processes. Our vendor management processes govern the security team’s oversight and management of all third parties which have access to sensitive data of any kind. This includes appropriate vendor security and privacy reviews, entering into contractual agreements which define the terms of the engagement and relationship with the vendor, requiring vendor security questionnaires to be filled out as necessary, and ongoing regular monitoring for compliance of the vendor.

Attestations and certifications

TaxJar is committed to best security practices and to creating and maintaining a security program that establishes us as a leader in our industry space. To achieve the excellence we strive for, we submit our information security program and company operations to independent third-party compliance audits in order to measure the effectiveness of the security and technological controls we have implemented.

In addition to our compliance audits, TaxJar also engages with independent entities to conduct both application-level and infrastructure-level penetration tests at least annually. Results of these tests are shared with senior management and are triaged, prioritized, and remediated in a timely manner.