The Four Security Pillars

How we keep client data safe.

Encryption Everywhere

  • TLS 1.3 encryption in transit
  • AES-256 encryption at rest
  • End-to-end encrypted file exchange
  • Bank-grade SSL on all forms
  • Encrypted backups, geographically distributed

Strict Access Controls

  • Mandatory multi-factor authentication
  • Role-based access, least privilege
  • Client data segregation by engagement
  • Comprehensive audit logging
  • Quarterly access reviews

IRS-Aligned Compliance

  • IRS Publication 4557 alignment
  • Written Information Security Plan
  • Annual security training for all staff
  • Vendor risk management program
  • FTC Safeguards Rule conformance

Operational Resilience

  • 24/7 endpoint detection and response
  • Documented incident response plan
  • Daily encrypted backups
  • Tested business continuity playbooks
  • Penetration testing on key systems

Why It Matters

Accounting firms are a top target. We act like it.

The IRS has identified accounting and tax-preparation firms as among the most-targeted industries for cyberattack. The reason is simple: we hold Social Security numbers, bank credentials, tax history, and personal financial data for hundreds of clients in one place.

The vast majority of breaches at firms our size happen for predictable reasons: weak passwords, unpatched software, untrained staff clicking phishing emails, and unencrypted laptops. Each of those is a solved problem if the firm has the discipline to implement controls.

We have the discipline. Multi-factor authentication on every system. Role-based access. Encrypted endpoints. Quarterly phishing simulations. Annual penetration testing. Documented incident response. The work is unglamorous and continuous, and we do it because nothing about our practice matters if your data is not safe.

Frameworks & Standards

The standards our program aligns with.

Our security program is built around recognized industry frameworks, audited internally, and continuously refined.

  • IRS Publication 4557: Safeguarding Taxpayer Data, federal guidance for tax professionals
  • FTC Safeguards Rule: Required information security program under GLBA for financial institutions
  • NIST Cybersecurity Framework: Industry-standard risk management framework (Identify, Protect, Detect, Respond, Recover)
  • AICPA SSAE 18 Principles: Security and confidentiality principles applied across our control set
  • SOC 2 Type II (planned): Formal third-party audit in progress for 2026 attestation
  • CIS Critical Security Controls: Center for Internet Security top-twenty defensive controls baseline

What You Should Always Demand

Five security questions every business owner should ask their accountant.

1. Do you require multi-factor authentication on every system that touches my data?

If the answer is no or "for some things," your data is at meaningful risk. MFA is the single highest-leverage control. We require it everywhere.

2. Do you have a written information security plan?

The FTC Safeguards Rule and IRS Pub 4557 both require this for tax preparers. A firm without one is non-compliant with federal rules.

3. How do you train your team on phishing and social engineering?

The biggest breaches in our industry start with phishing emails. Quarterly simulations and annual training are the minimum acceptable standard.

4. Where does my data sit, and who has access?

You should get a specific answer: which platforms, what controls, who reviews access. Vague answers indicate the firm has not thought it through.

5. What happens if there is a breach?

The answer should name three things: a documented incident response plan, breach insurance, and a notification policy aligned with state laws. If the firm cannot answer this in one sentence, they do not have a plan.

Talk to a firm that treats security as table stakes.

Every Troy Accounting engagement starts with a written information security plan tailored to your business.
