Security

How we protect your data.

Effective: 2026-05-04 · Last updated: 2026-05-04 · Questions: security@taxottic.com

Encryption

  • In transit. TLS 1.2+ on every endpoint. HTTPS-only cookies. HSTS preload.
  • At rest. Postgres data is AES-256 encrypted at the disk layer (Supabase / AWS managed). Backups are encrypted with separate keys.
  • Secrets. Application secrets are stored in Vercel encrypted env, scoped per environment, never in source.

Authentication

  • Passkeys (WebAuthn). Biometric sign-in using the device's Face ID, Touch ID, Windows Hello, or Android fingerprint. Resident (discoverable) keys are required, so the credential can be found without typing an email address.
  • SSO via Google and Microsoft for everyone, with OAuth client IDs registered to Taxottic (no third-party trust beyond what you already have with those providers).
  • Magic links as a backup. Single-use, short-lived, signed.
  • Sessions stored as HttpOnly, Secure, SameSite=Lax cookies. Refresh tokens rotate on use.

Access control

  • Row-level security (RLS) is enabled on every table that holds user data. A user can only read or modify rows they own (or rows the company they belong to owns, scoped by role).
  • Least-privilege service-role keys are used only for narrow server actions where RLS would otherwise prevent legitimate writes (e.g. inserting an inquiry from the public booking form).
  • Multi-company isolation. Firms see only clients they have an active engagement with. Engagement state is checked on every query, not cached client-side.
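Row-level security of the shape described above, as an added example in Postgres SQL; this is not Taxottic's schema or policy set. It assumes the Supabase auth schema, where `auth.uid()` returns the signed-in user's id and the JWT maps to the `authenticated` database role; the `documents` and `company_members` tables, their columns and the role names are constructed for illustration.

```sql
-- Added example, not Taxottic's schema: a minimal Postgres row-level-security
-- setup for rows a user owns, plus rows owned by a company the user belongs to,
-- scoped by role. Assumes Supabase's auth.uid() and `authenticated` role.

create table company_members (
  company_id uuid not null,
  user_id    uuid not null,
  role       text not null check (role in ('owner', 'admin', 'member')),
  primary key (company_id, user_id)
);

create table documents (
  id         bigint generated always as identity primary key,
  owner_id   uuid not null,   -- the individual who created the row
  company_id uuid,            -- null for personal rows
  body       text
);

-- Deny by default: once RLS is enabled, a table with no matching policy
-- returns no rows and accepts no writes. `force` applies this to the table
-- owner as well, so only roles with BYPASSRLS (the service role) skip it.
alter table documents enable row level security;
alter table documents force row level security;
alter table company_members enable row level security;

-- A member may read their own memberships; the subqueries below rely on this,
-- because RLS on company_members applies inside those subqueries too.
create policy members_self_read on company_members
  for select to authenticated
  using (user_id = auth.uid());

-- 1. The owner of a row can do anything with it. `using` filters rows for
--    select/update/delete; `with check` validates the new row on insert/update,
--    so a user cannot insert a document on someone else's behalf.
create policy documents_owner_all on documents
  for all to authenticated
  using (owner_id = auth.uid())
  with check (owner_id = auth.uid());

-- 2. Any member of the owning company can read its rows.
create policy documents_company_read on documents
  for select to authenticated
  using (
    company_id is not null
    and exists (
      select 1 from company_members m
      where m.company_id = documents.company_id
        and m.user_id = auth.uid()
    )
  );

-- 3. Only owners/admins of the company can modify its rows, and an update may
--    not move the row into a company the caller does not administer.
create policy documents_company_update on documents
  for update to authenticated
  using (
    exists (
      select 1 from company_members m
      where m.company_id = documents.company_id
        and m.user_id = auth.uid()
        and m.role in ('owner', 'admin')
    )
  )
  with check (
    exists (
      select 1 from company_members m
      where m.company_id = documents.company_id
        and m.user_id = auth.uid()
        and m.role in ('owner', 'admin')
    )
  );

-- Sanity check when connected as a non-bypassing role: the select returns only
-- rows the caller owns or may see via a company, and the insert is rejected
-- ("new row violates row-level security policy") because owner_id is not the
-- caller's id.
-- select * from documents;
-- insert into documents (owner_id, body) values (gen_random_uuid(), 'not mine');
```

Postgres policies are permissive by default, so the three policies on `documents` are OR-ed together, and a row is visible if any one of them passes. The service-role key bypasses every policy here, which is why a page like this one limits it to narrow server actions rather than letting it reach the client.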

Bank connections (Plaid)

Bank credentials are entered into Plaid's secure UI and never reach Taxottic servers. We receive an access token plus the transaction stream. Tokens are stored in a separate bank_connection_secrets table with restricted RLS. We do not store bank passwords, MFA codes, or account / routing numbers.

You can disconnect a bank from Banks » Disconnect at any time. We then revoke the Plaid token and stop syncing.

Network and platform

  • Hosted on Vercel (US edge), database on Supabase (Postgres 17, AWS us-east-1).
  • Strict Content-Security-Policy and security headers (HSTS, X-Frame-Options, Referrer-Policy, Permissions-Policy, X-Content-Type-Options) on every response.
  • Service worker caches static assets only; HTML and API are network-first so revoked auth always takes effect.

Vulnerability handling

We monitor dependencies daily and patch critical vulnerabilities within 7 days, high within 30 days.

Reporting. If you find a vulnerability, please email security@taxottic.com. We acknowledge within 2 business days, fix critical issues within 7 days, and will credit researchers (with permission) once a fix has shipped.

Please act in good faith: no DDoS, social engineering, or tests against accounts you don't own.

Incident response

If we discover a security incident affecting your data, we will notify affected users within 72 hours, share what we know, what we are doing, and what (if anything) you should do. We will follow up with a post-mortem once the incident is resolved.

Compliance posture

  • Built to align with SOC 2 Type II controls; formal audit in progress.
  • GDPR / UK GDPR rights are honoured for EU / UK users. See Privacy Policy.
  • CCPA / CPRA for California residents. We do not sell personal information.
  • Plaid is the only entity that touches bank credentials; Plaid is SOC 2 Type II certified and ISO 27001:2013 certified.

Subprocessors

See /legal/subprocessors for the full list of vendors that process customer data on our behalf, plus their roles, regions, and certifications. Enterprise buyers typically read this page alongside the subprocessors list — we keep them in sync.

Portal isolation

Taxottic ships on three real subdomains, each with its own session cookie scoped to that host:

  • taxottic.com — the consumer app. Customers, freelancers, and small-business owners sign in here to see their personal dashboard, forecast, and companies list.
  • enterprise.taxottic.com — the firm-operator console. CPAs and tax-prep firms managing client rosters land here. Same auth menu, separate session cookie.
  • hq.taxottic.com — super-admin operations for Techno Optics. User and company inventory, plan roll-ups, daily probes. Reserved to the addresses on the immutable public.super_admins allowlist (today: contact@taxottic.com and contact@technooptics.com).

A session on one subdomain does NOT authenticate the others. Super-admins switch between portals via the Switch portal section of the profile menu, which performs an explicit cross-origin redirect — each destination still requires the appropriate role check when it loads. There is no shared cookie at the parent domain.

Single sign-on across Techno Optics products

Techno Optics ships several products under the same roof (Taxottic, Advottic, others). A buyer who has signed into Advottic on advottic.com and then navigates to taxottic.com may notice the same name shown in the greeting. This is identity-provider re-use, not a shared session:

  • Each product has its own Supabase project with its own auth users, database, and storage. There is no shared customer record across products by default.
  • Each product's session cookie is scoped to that product's host only (no parent-domain cookie). A Taxottic session does not authenticate the browser to Advottic, and vice versa.
  • What is shared is the upstream identity provider — if you signed into Advottic with a Google account, Google will silently re-issue that same Google identity to Taxottic's Supabase OAuth flow, because that is how third-party SSO works. The result is one Google account granting access to two independent product accounts.
  • If you want to sign in to a different account on a second product, use Profile menu → Switch accounts. We force the Google / Microsoft account picker on that path so you explicitly pick which identity to use.

We documented this explicitly following the May 2026 third-party audit. Any deliberate cross-product session-sharing would be announced here first and added to the subprocessors page.