Introduction
TaxJar’s mission is to enable our customers to save time, avoid headaches and reduce their risk when it comes to sales tax management. As part of that initiative, protecting their data is one of our most important responsibilities. We’re committed to being transparent about our security practices and providing the information you need to understand our approach.
Organizational Security
Our security program aligns with SOC 2, HIPAA, CCPA, and GDPR principles and draws inspiration from several frameworks, including the CIS Top 20 and the NIST Cybersecurity Framework, among others. The program is tailored to fit TaxJar. We will always strive to ensure that the policies and procedures we put into place appropriately reflect our unique environment and constantly evolve with updated guidance and new industry best practices.
The overall security posture at TaxJar is to be preventative rather than reactive. This can only be achieved with cross-organization cooperation and by implementing well-designed security controls.
Security Team
The security and compliance team at TaxJar is led by the Director of Information Security, who owns the security program and is responsible for its creation, implementation, and oversight. The security team members working under their leadership assist by supporting security initiatives and helping to further evolve and mature the program.
The security and compliance team works closely alongside and in collaboration with the engineering team. To ensure that security remains at the heart of development and operations, TaxJar has developed several policies and procedures which support that collaboration.
Compliance
TaxJar is currently SOC 2 Type 2 and HIPAA compliant, and we are committed to inviting an outside CPA firm to examine our data security annually in order to maintain our SOC 2 compliant status. TaxJar has also gone through a GDPR readiness assessment and maintains a privacy program. We have implemented privacy controls in order to comply with regulatory frameworks such as the GDPR and CCPA.
Protecting Customer Data
Cloud Hosted Environment
TaxJar’s infrastructure is hosted with Amazon Web Services (AWS) so all physical assets where customer data resides are managed by the cloud provider. TaxJar leverages this infrastructure model and adds security controls on top of Amazon AWS. From a security standpoint, the controls are based on best practices and designed to take into account the specific data storage and processing risks associated with each aspect of the technology used at TaxJar, including unique factors associated with cloud-hosted environments.
TaxJar recognizes both the unique benefits as well as the potential challenges that cloud-based infrastructure can present. We take great measures to secure all cloud-hosted instances, including separation of staging and production environments, ensuring limited access to critical systems, applying baseline configuration images to cloud servers, restricting access as needed, and extensively monitoring for unusual activity. Our Cloud SIEM is integrated with AWS security analytics (Macie, SecurityHub, GuardDuty, CloudTrail) to help us aggregate logs, alerts, and other activity into a cohesive single source of truth and greatly enhance our monitoring capabilities.
As a distributed company, each technological choice at TaxJar is made with remote work, scalability, and ease of remote management and control in mind.
Employee Security
At TaxJar we understand that security starts with our employees. They are the cornerstone of our security posture and our first line of defense, and security controls are most effective when they are supported by a robust security culture. As such, we engage our employees (and contractors) in a culture of security for the entire employee lifecycle, from the time they apply and throughout their time at TaxJar.
This includes background checks, mobile device management, and ongoing security awareness training.
Data Protection
Since the protection of customer and partner data drives and informs our security initiatives, we take great care to protect this data in its flow through our systems and while in our custody. We have implemented both technical and policy controls in order to accomplish this.
All customer data hosted in our environment is encrypted both at rest and in transit, using TLS 1.2 or higher, AES-256 encryption, and SHA-2 signatures, and is retained only for as long as needed and in accordance with our Data Retention Policy. In addition to encryption at rest, we employ data loss prevention and monitor for any potential risks or incidents that might compromise data protection. Customer account passwords must meet enforced complexity requirements.
Endpoint Security
All employee workstations are required to be enrolled in our Mobile Device Management (MDM) solution. The security team has created appropriate restrictions, configuration profiles, and automated deployments and updates of applications in order to meet security objectives ("security bundles"). All workstations are configured by default with disk encryption, a firewall, strong passwords, and screen lock when idle.
Security bundles are deployed using automated scheduling via our MDM solution. Remote access, monitoring, automatic alerts, and remote erasure capabilities help the security team meet ongoing compliance needs.
Access Controls
TaxJar strictly adheres to the principle of least privilege and employs permission sets and access that reflect job roles. Wherever possible, access is restricted only to that which is necessary to fulfill job responsibilities or specific project tasks. Our Employee Access Request process helps us enable, track, manage, and revoke employee access when needed. The security team performs access reviews on a quarterly basis. Access to all production systems in AWS (and other critical systems) requires multi-factor authentication (MFA) to be enabled, and we strongly encourage MFA to be turned on whenever it is an option, even for non-critical systems.
TaxJar has implemented 1Password as our enterprise-wide and centralized password manager. Having a password management solution enables TaxJar employees to more easily meet password requirements and enables the security team to monitor and ensure good password hygiene is in use throughout the company.
Disaster Recovery and Business Continuity
In order to meet SLAs, regulatory requirements, and important customer commitments and business objectives, TaxJar has created a Disaster Recovery and Business Continuity Plan based upon our unique environment and commensurate with the risks we have identified for specific organizational factors. This plan is tested at least once a year, and results are documented and communicated to senior management.
Incident Response
TaxJar has implemented a comprehensive Incident Response & Breach Notification Process (including specific provisions for the HIPAA Breach Notification Rule) which includes specific steps to identify, triage, monitor, and remediate security incidents. We also communicate with customers about security incidents in a defined and consistent way and according to defined SLAs. The incident response plan is tested at least annually and updated accordingly.
Sub-processors and Vendors
TaxJar relies upon certain vendors in order to provide key aspects of the service and/or for required business processes. Our vendor management processes govern the security team's oversight and management of all third parties which have access to sensitive data of any kind. This includes appropriate vendor security and privacy reviews, entering into contractual agreements which define the terms of the engagement and relationship with the vendor, requiring vendor security questionnaires to be filled out as necessary, and ongoing monitoring of the vendor's compliance. Each vendor is assigned a risk tier, and appropriate remediations are introduced based upon the risk tier assigned and in accordance with our Risk Assessment Policies and Procedures.
Secure Coding and Development
TaxJar maintains documented change management policies and procedures in order to ensure that our standards for quality, security, and compliance during the software development lifecycle (SDLC) process are consistently followed. These policies and procedures cover topic areas that include, but are not limited to:
- Development model and methods
- Coding standards
- Vulnerability Management
- Testing and QA
- Versioning
- Release and deployment
- Emergency changes
All of our developers are required to complete initial secure coding training upon hire as well as ongoing regular secure coding training throughout the year.
We integrate vulnerability scanning into the build pipeline during development and any discovered vulnerabilities result in a failed build which must be remediated before deployment can proceed.
Vulnerability Discovery and Remediation
The timely detection, assessment, and patching of security vulnerabilities is a critically important component of the TaxJar information security program. Our primary methods for detecting security vulnerabilities are internal and external vulnerability scans and annual penetration testing. TaxJar and third-party vendors perform different types of vulnerability scans, including the following:
- Software composition analysis (SCA) scans
- Static application security testing (SAST) scans at the time a build is created
- External vulnerability scans on a bi-weekly basis
- Dynamic application security testing (DAST) scans on a bi-weekly basis
- Third-party penetration testing on an annual basis
We prioritize the triage and remediation of discovered vulnerabilities based upon their CVSS (Common Vulnerability Scoring System) score. Critical vulnerabilities are required to be remediated within 7 days of discovery and High vulnerabilities within 30 days.
In addition to automated and manual scans, the TaxJar Security Team subscribes to a broad set of security notification sources that inform us of newly discovered vulnerabilities affecting our tech stack.
Attestations and Certifications
TaxJar is committed to best security practices and to creating and maintaining a security program that establishes us as a leader in our industry space. To achieve the excellence we strive for, we submit our information security program and company operations to independent third-party compliance audits in order to measure the effectiveness of the security and technological controls we have implemented.
In addition to our compliance audits, TaxJar also engages with independent entities to conduct both application-level and infrastructure-level penetration tests at least annually. Results of these tests are shared with senior management and are triaged, prioritized, and remediated in a timely manner.