TaxFlow

Security

Effective May 4, 2026. This page summarizes the safeguards TaxFlow uses to protect connected financial data.

Data Protection

TaxFlow uses TLS for data in transit and managed cloud services with encryption at rest.

Plaid access tokens are stored server-side, encrypted separately, and are not stored in the mobile app.

Sensitive backend actions require authenticated Firebase users and Firebase App Check where supported.

Plaid Connections

TaxFlow uses Plaid Link so users can securely connect selected financial accounts.

We use Plaid data to import transactions, identify potential business write-offs, remove likely transfers from tax totals where possible, and prepare tax-ready records.

Users can disconnect connected accounts in the app and can also manage Plaid connections through Plaid where available.

Account Access

TaxFlow requires an authenticated account before Plaid Link is shown in the app.

The app includes an optional biometric lock using Apple's device authentication APIs. TaxFlow does not receive or store biometric templates.

We recommend enabling device passcode, Face ID or Touch ID, and Apple ID account protection on every device used with TaxFlow.

Operational Security

Administrative access is intended to be limited to authorized personnel with a business need.

Production secrets and API credentials should never be committed to source control and should be stored only in managed secret stores.

TaxFlow maintains internal security, access control, vulnerability management, and data retention procedures for developers and operators working on the service.

Report a Security Issue

To report a security concern, email taxflowjack@gmail.com. Please include a clear description and steps to reproduce when possible.

Contact

Contact taxflowjack@gmail.com for security questions or reports.