Security Built for Tax Offices Handling Sensitive Client Documents

Conecta helps tax offices collect, store, and manage sensitive client documents with authenticated access, encrypted storage, audit visibility, and long-term retention controls.

  • 7-year tax-record retention tracking for client portal documents
  • Private document storage separated from public CMS assets
  • Audit logging for key document lifecycle activity

Last reviewed: May 2026
Owner: Financial Frontera Security Team

Document safeguards

Secure document handling, built into the workflow.

Client files are stored separately from public website assets, protected with authenticated access, and tracked through retention and audit controls.

  • 7 years: Client portal documents are tracked with a tax-record retention policy.
  • Audit logs: Document lifecycle activity is recorded for operational visibility.
  • FTC & IRS support: Built to support tax-office safeguards workflows.
  • Private storage: Sensitive files separated from public CMS assets.
  • Firebase Authentication: Authentication for staff app access.
  • Cloud Run + Neon + AWS S3: Modern app, database, and document storage stack.

Security Snapshot

Encrypted Private Storage

Sensitive client uploads use private storage with server-side encryption and are kept separate from public website and CMS assets.

Controlled Access

Access is controlled through authenticated app and portal sessions, organization-level isolation, and contact visibility rules.

Document Audit Logging

Uploads, views, downloads, removals, fulfilled requests, visibility changes, folder changes, and retention assignment are audit logged.

Retention Controls

Client portal documents are tracked with a 7-year tax-record retention policy and protected from accidental hard deletion during the retention period.

Security Details

How Conecta protects sensitive client documents, controls access, tracks retention, and supports tax-office compliance workflows.

How we protect data in transit and at rest

Encryption in transit

  • Application and portal traffic is served over HTTPS.
  • Certificates and delivery infrastructure are managed through established cloud providers.

Encryption at rest

  • Sensitive uploads use private AWS S3 storage with server-side encryption.
  • Production relational data is stored in Neon Postgres with app-level organization isolation.

Document separation

  • Client portal documents are stored separately from public website, CMS, and marketing assets.
  • Client portal downloads stream through the backend after portal authentication and visibility checks.

Public assets and sensitive customer documents are intentionally handled through different storage paths and access patterns.

Identity, authentication, and organization isolation

Authentication

  • Firebase Authentication handles staff app authentication.
  • Client portal access uses authenticated portal sessions before document access is allowed.
  • Portal sessions control account access for document workflows.

Access controls

  • Role and permission checks help limit staff access by operational responsibility.
  • Client portal documents are visible only when organization, contact, and portal visibility rules allow access.
  • App-level organization isolation is the primary tenant isolation model.

Administrative safeguards

  • Document lifecycle activity is recorded for uploads, views, downloads, removals, and request fulfillment.
  • Visibility changes, folder changes, and retention assignment are also audit logged.

Infrastructure hardening and secure development

Cloud & network

  • Primary application services run on Google Cloud Run.
  • Neon Postgres stores production relational data.
  • AWS S3, SES, CloudFront, Route53, ACM, and CloudTrail support documents, email, delivery, DNS, certificates, and audit visibility.

Application security

  • Document access paths validate organization, contact, and visibility context before files are returned.
  • Sensitive client documents are not served through public bucket browsing.
  • Client portal downloads stream through the app after authentication and authorization checks.

Change management

  • Application changes are reviewed before release.
  • Google Cloud Logging, Datadog, and AWS CloudTrail provide visibility into production operations.

Monitoring, alerting, and incident response

  • Google Cloud Logging and Datadog support application monitoring and observability.
  • AWS CloudTrail provides audit visibility for AWS account activity.
  • Operational logs and document audit records help investigate document access and lifecycle events.

Observe: Cloud logs

Application and infrastructure events are captured through cloud logging and monitoring tools.

Review: Audit trail

Document lifecycle logs help show what happened to client portal files and when.

Respond: Operational process

Security issues can be investigated with application, document, and cloud activity records.

Improve: Product controls

Findings can feed back into product controls, internal process, and customer guidance.

Compliance support for tax offices

Conecta is designed to support tax offices working toward FTC Safeguards Rule and IRS Publication 4557 obligations. Each office remains responsible for its own WISP, employee training, vendor review process, written policies, and regulatory compliance program.

IRS Publication 4557

Secure document handling, authenticated access, retention tracking, and audit visibility support taxpayer information protection workflows.

FTC Safeguards Rule

Access controls, monitoring visibility, secure service providers, and customer information protection features support safeguards work.

Recordkeeping support

Client portal documents are tracked with a 7-year tax-record retention policy.

Deletion protection

Retained client portal documents are protected from accidental hard deletion during the retention period.

Document audit activity

Uploads, views, downloads, removals, request fulfillment, visibility changes, folder changes, and retention assignment are logged.

Shared responsibility

Conecta provides product controls; each office owns its policies, training, reviews, and compliance decisions.

Retention controls and record handling

7-year tracking

  • New client portal uploads are tracked with a 7-year tax-record retention policy.
  • Previously uploaded secure client portal documents are included in the retention model.

Deletion protection

  • Retained client portal documents are protected from accidental hard deletion during the retention period.
  • Client portal remove actions preserve retained stored documents and file objects.

Retention scope

  • Retention controls apply to secure client portal documents.
  • Public CMS, marketing, and static assets are intentionally excluded.

Retention controls focus on tracking and accidental removal protection during the retention period.
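
The access checks listed under "Application security" and the retention rules in this section can be pictured together in a short sketch. This is an added example, not Conecta's code: the `Session` and `Document` types, field names, and in-memory audit list are hypothetical, and the 29 February rounding is a choice made here.

```python
from dataclasses import dataclass
from datetime import date
RETENTION_YEARS = 7   # retention period stated on this page
AUDIT_LOG = []        # stand-in for a durable, append-only audit store

@dataclass
class Session:        # hypothetical authenticated portal session
    org_id: str
    contact_id: str

@dataclass
class Document:       # hypothetical document record
    doc_id: str
    org_id: str
    contact_id: str
    portal_visible: bool
    uploaded: date
    removed: bool = False   # soft-delete flag; the stored object is kept

def audit(event, doc, actor, outcome):
    AUDIT_LOG.append({"event": event, "doc": doc.doc_id, "actor": actor, "outcome": outcome})

def can_download(session, doc):
    """Deny by default: every context check must pass before bytes are streamed."""
    ok = (session is not None
          and session.org_id == doc.org_id          # organization isolation
          and session.contact_id == doc.contact_id  # contact visibility
          and doc.portal_visible and not doc.removed)
    actor = session.contact_id if session else "anonymous"
    audit("download", doc, actor, "allowed" if ok else "denied")
    return ok

def retention_end(doc):
    year = doc.uploaded.year + RETENTION_YEARS
    try:
        return doc.uploaded.replace(year=year)
    except ValueError:   # uploaded on 29 Feb and the target year is not a leap year
        return date(year, 3, 1)   # round up so retention is never shortened

def remove(session, doc):   # portal remove: hide the document, keep record and object
    ok = session.org_id == doc.org_id   # same organization check as downloads
    doc.removed = doc.removed or ok
    audit("remove", doc, session.contact_id, "soft-deleted" if ok else "denied")
    return ok

def hard_delete(doc, today):   # physical deletion is refused during retention
    allowed = today >= retention_end(doc)
    audit("hard_delete", doc, "system", "allowed" if allowed else "blocked")
    return allowed
```

Denied downloads and blocked deletions are logged as well as successful ones, which is what makes the audit trail useful when investigating attempted access.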

Third-party providers and due diligence

Conecta runs on a modern cloud architecture using established infrastructure, authentication, database, storage, email, delivery, DNS, certificate, logging, and audit providers.

Google Cloud Run

Hosts the primary application runtime for Conecta services.

Firebase Authentication

Handles authentication for staff app access.

Neon

Stores production relational data in Postgres.

AWS

Supports document storage, email delivery, DNS, certificates, CDN delivery, and cloud audit visibility.

Google Cloud Logging, Datadog, and AWS CloudTrail support monitoring, observability, and audit visibility.

Shared responsibility and user safeguards

Security works best when your team follows the same high bar. These are the practices we recommend every organization enforce internally.

Account hygiene

  • Use strong passwords and multi-factor authentication where available.
  • Disable dormant accounts before tax season ramps down.
  • Review who has access to documents, billing, settings, and messaging.

Operational safeguards

  • Restrict data exports to trusted devices and secure networks.
  • Maintain a written incident plan and WISP for your office.
  • Educate staff on phishing, social engineering, and secure document handling.