TaxCloud Security Policy
Security is important to us at TaxCloud and we have prepared this Security Policy to explain to you how we secure your data during transmission to our web service, storage of these data on our web servers, and your access to these data from our TaxCloud websites and web services. We have spent a lot of time, money, and effort to ensure your data is protected on our servers, but we need you to share this burden with us. Besides, there’s real money changing hands here!
The document discusses electronic and physical methods of accessing, collecting, storing, using, transmitting, protecting, and disposing of these data.
When you create your TaxCloud account, you are required to enter Personally Identifiable Information (PII) such as name, company name, email address, etc. before creating the account. Our website forces you to use SSL, which encrypts the data over the unsecured Internet. This PII is securely stored in our TaxCloud database behind a firewall. To verify your identity, we send a time-sensitive email to the email address provided during registration. You must click on the single-use URL link in this email within 24 hours to verify your email address and activate your account. Clicking this link later than 24 hours will not work.
You must create a password to access your TaxCloud account. We require these passwords to be at least 6 characters in length, with at least one number or symbol. To ensure the integrity and confidentiality of your TaxCloud account, your password will automatically expire every 90 days, and you cannot re-use previous passwords within a 12 month period. Please keep your password secure: Do not write it down or share it with others.
At the transit or communications layer, all TaxCloud websites and services use the TLS security protocol, which relies upon strong encryption Secure Sockets Layer (“SSL”) encryption, using the RC4 encryption algorithm. For all TaxCloud API services, we do not allow any non-SSL communications. What this means is that it would be extremely difficult for someone (or a machine) to eavesdrop or record any intelligible or meaningful data from the communications between your web shopping cart or point-of-sale system and our TaxCloud servers.
Web Services Security
When configuring your TaxCloud account for a particular website (as identified by your unique URL), a unique Login ID (apiLoginID) and Key (apiKey) are created for you to use in all communications between your website and TaxCloud. These are required in every TaxCloud web service call, such as Lookup(). These two pieces of information must be embedded or configured in your e-commerce shopping cart software when you integrate with the TaxCloud sales tax management service. For each of your websites, you will be issued a new apiLoginId and apiKey. These credentials are unique and cannot be shared across multiple websites. Please keep these credentials safe. If they were to be compromised, someone else could pose as you and create fraudulent transactions on behalf of your website.
Personally Identifiable Information (PII)
It is a policy of TaxCloud to never store your customers’ PII in any of our internet facing TaxCloud systems. While the customer address is sent to assist in determining the appropriate tax rate, the customer name is never transmitted (a unique ID from the merchant/seller is used instead), and the address information (other than zip code) are not stored in the TaxCloud system. The one exception to this rule is tax-exempt transactions, discussed below.
TaxCloud stores the minimal required amount of Personally Identifiable Information (or “PII”) regarding Exempt transactions in the TaxCloud Private Network. The TaxCloud Private Network is not accessible from the Internet. For each exempt transaction, you must mark the transaction as Exempt when the transaction is committed to the TaxCloud service using the Captured() web service call. The transaction includes the shopping cart ID, the user ID, and line item ID(s) for the transaction. If the transaction is an Exempt transaction, you must include the required Exempt User information in the API call as well. The transaction is logged on the TaxCloud production system as are all transactions; in addition, the user ID and Exempt User information are logged into the TaxCloud Private Network log for future use. In this architecture, no PII is stored in the production network, only on the Private Network, which is not accessible from the Internet.
Disaster Planning and Recovery
To be prepared for any unexpected, naturally occurring or human-initiated disasters that could involve our data center facilities, we operate multiple redundant and geographically distributed datacenter facilities where we conduct frequent backups of all servers and storage arrays. We also perform regular disaster-preparedness drills, simulations, and data-center recovery exercises, to ensure that in the unlikely event of a catastrophic failure, we will be able to restore service for our customers and partners as quickly as possible.