Taxerity.AItrust & security. Built for CPAs and federally authorized Enrolled Agents.
Your clients trust you with their financial data. Taxerity.AI protects that data with a three-layer security model, requires explicit owner sign-off on every AI suggestion before it reaches a client, and keeps an append-only audit log your firm can hand to malpractice carriers or state boards on request.
Three-layer security posture
Headers, access control, validation — in that order
Every request to Taxerity.AI passes through each of these layers before a single byte of your clients' data is processed. A failure at any layer is a failure for the whole request — no graceful fallback that puts your data at risk.
frame-ancestors 'none', minted by the platform proxy before any HTML is parsed. Click-jacking, script injection, and inline-script execution are blocked at the browser boundary — not trusted to your clients' device configuration./apiboundary validates its payload with typed server-side schemas before it touches your data. Database queries are scoped strictly to the authenticated user — one firm cannot read another's clients, returns, or audit entries. Trial engagements are held to the same controls as paid ones; no data-protection gap during the 14-day free trial.Encryption
Encrypted in transit. Encrypted at rest.
Taxerity.AI never sends or stores your clients' data in plaintext.
No AI recommendation reaches a client without explicit owner approval.
Taxerity.AI suggests. It does not file. Every AI-flagged deduction, anomaly, or classification is delivered into a firm owner's review queue with full IRC citations. Nothing reaches a client return — and nothing reaches your tax software — until the firm owner accepts, modifies, or rejects it. The owner's judgment, not the model's confidence score, is what ships.
Audit & approval log
Append-only. Timestamped. Long-retention.
AI suggestions, owner approvals, edits, and rejections are written to an append-only audit log with timestamps. The log is retained for seven years— consistent with IRS recordkeeping expectations under §6501 plus typical state-board and PTIN requirements — and is exportable as a PDF from the in-app Security & Compliance dashboard.
- Every AI suggestion surfaced to a reviewer (label, return, source, citations)
- The reviewer's decision (accepted, rejected, modified) and timestamp
- Permission changes, session activity, and firm-member role assignments
- Export events — share the PDF with a malpractice carrier, an IRS examiner, or a state board without exposing client identifiers
What we never do
Hard limits on what the system will and will not do
A short list. We'd rather write them down loudly than leave them to inference.
- We never add items clients don't have. No fabricated deductions, no invented receipts, no “ghost categories” popping up because the model thought they might fit. Suggestions cite a basis you can verify.
- We never overwrite preparer judgment. The model's confidence score is informational; the firm owner's accept / reject / modify decision is authoritative. Period.
- We never auto-file. Taxerity.AI writes nothing to a tax authority on your behalf. Nothing is transmitted to the IRS. E-file is your firm's job, performed under your firm's EFIN.
- We never train models on your firm's data. Submissions and outputs are not retained for model training. Your client data stays your client data.
- We never bypass SOC 2 Type II controls for short-term convenience. Every shortcut on the codebase is held to the same SOC 2 Type II change-control discipline as the rest of the platform.
- We never share audit log entries across firms. Queries are scoped to the authenticated user. One firm cannot read another's reviews, sessions, or suggestions — whatever query string they craft.
Questions about our posture? Email the team.