Security Built For Tax Professionals

We safeguard taxpayer data with bank-level encryption, hardened infrastructure, and a rehearsed incident response program aligned to IRS and FTC requirements.

  • IRS Publication 4557 alignment verified November 2025
  • Strict organization isolation with least-privilege roles
  • 24/7 telemetry, anomaly detection, and documented playbooks
Last reviewed: November 9, 2025
Owner: Financial Frontera Security Team

  • IRS Publication 4557: Safeguards program documented
  • TLS 1.3 / HTTPS: Modern cipher suites enforced
  • Firebase Authentication: Google-managed identity & MFA
  • AWS + Neon: Enterprise cloud & encrypted DB

Security Snapshot

Encryption Everywhere

TLS 1.3 for every connection, AES-256 at rest, and AWS KMS-managed keys across services and backups.

Controlled Access

Google Firebase authentication, MFA support, and role-based policies scoped to each organization.

Continuous Detection

Streaming telemetry, alerting thresholds, and anomaly detection backed by quarterly incident drills.

Compliance Ready

Security controls mapped to IRS Publication 4557, FTC Safeguards Rule, NIST CSF, and ISO 27001 principles.

Deep Dive

Each area below explains how we protect taxpayer data, operate our controls, and prove ongoing compliance.

How we protect data in transit and at rest

Encryption in transit

  • TLS 1.3 enforced across portals, public site, REST APIs, and WebSocket channels.
  • HSTS, modern cipher suites, and automatic certificate rotation managed through AWS.

Encryption at rest

  • AES-256 encryption for Neon PostgreSQL, document storage (AWS S3), and workflow payloads.
  • Row-level organization scoping prevents cross-tenant access even inside the database.

Key management

  • AWS Key Management Service (KMS) controls all encryption keys with automatic rotation.
  • Strict separation between production, staging, and analytics environments.

Every new integration is reviewed for encryption posture before it is allowed to handle live data.

Identity, authentication, and organization isolation

Authentication

  • Google Firebase Authentication delivers hardened identity management and session security.
  • Multi-factor authentication is available for every user, and admin roles can enforce it.
  • Automatic session timeout and device revocation controls protect against stale sessions.

Access controls

  • Role-based permissions mirror operational duties (settings, billing, messaging, workflows).
  • Least-privilege defaults with quarterly access reviews performed by the security team.
  • Every query is scoped by org_id to maintain tenant isolation across services.
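The two bullets above (row-level organization scoping inside the database, and every query carrying an org_id scope) describe the same control from two sides. The snippet below is an added illustration of how that control is typically implemented in PostgreSQL with row-level security; it is not Financial Frontera's schema or code. The table, column, role and setting names (client_returns, org_id, app_user, app.current_org) are assumptions, and the org UUID is a constructed sample value. The weak pattern this replaces is relying on every application query to remember its own WHERE org_id = ... clause; with RLS the database applies the scope even when a query omits it.

```sql
-- Added example, not the page's own schema: tenant isolation enforced by PostgreSQL
-- row-level security rather than by application-side WHERE clauses alone.

CREATE TABLE client_returns (
    id        bigserial PRIMARY KEY,
    org_id    uuid   NOT NULL,   -- tenant the row belongs to (name assumed)
    taxpayer  text   NOT NULL,
    tax_year  int    NOT NULL
);

-- Role the API connects as. It must not own the table, so it cannot bypass RLS.
CREATE ROLE app_user NOLOGIN;
GRANT SELECT, INSERT, UPDATE, DELETE ON client_returns TO app_user;
GRANT USAGE, SELECT ON SEQUENCE client_returns_id_seq TO app_user;

-- Enable RLS; FORCE also subjects the table owner to the policies.
ALTER TABLE client_returns ENABLE ROW LEVEL SECURITY;
ALTER TABLE client_returns FORCE ROW LEVEL SECURITY;

-- The application sets the tenant once per transaction from the verified identity token:
--   SET LOCAL app.current_org = '<org uuid>';
-- current_setting(name, true) returns NULL when the setting is absent, so a connection
-- that never set a tenant sees no rows at all (fail closed) instead of every tenant's rows.
CREATE POLICY org_isolation ON client_returns
    FOR ALL
    TO app_user
    USING      (org_id = current_setting('app.current_org', true)::uuid)   -- rows visible to reads/updates/deletes
    WITH CHECK (org_id = current_setting('app.current_org', true)::uuid);  -- rows allowed to be written

-- One request's worth of work. SET LOCAL is scoped to the transaction, so a pooled
-- connection cannot leak this org_id into the next request.
BEGIN;
SET LOCAL app.current_org = '11111111-1111-1111-1111-111111111111';  -- constructed sample tenant
INSERT INTO client_returns (org_id, taxpayer, tax_year)
    VALUES ('11111111-1111-1111-1111-111111111111', 'Sample Taxpayer', 2024);
-- No WHERE clause, yet only this org's rows are returned.
SELECT id, taxpayer, tax_year FROM client_returns;
-- Rejected by WITH CHECK: the row would belong to a different tenant.
-- INSERT INTO client_returns (org_id, taxpayer, tax_year)
--     VALUES ('22222222-2222-2222-2222-222222222222', 'Other Tenant', 2024);
COMMIT;
```

Two checks a practitioner would want when reviewing an isolation design like this: confirm that the application role is not the table owner and has no BYPASSRLS attribute, and confirm that the tenant setting is applied with SET LOCAL inside a transaction so that connection pooling cannot carry one tenant's scope into another tenant's request.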

Administrative safeguards

  • Audit trails capture authentication events, privilege grants, and permission changes.
  • Automated alerts fire when system roles, API keys, or allowlists are modified.

Infrastructure hardening and secure development

Cloud & network

  • AWS foundation with private networking, security groups, and AWS Shield protections.
  • Neon PostgreSQL provides encrypted storage, dedicated compute, and automated patching.
  • Geographically redundant backups keep customer data within US availability zones.

Application security

  • OWASP-aligned code reviews, dependency scanning, and pipeline-based static analysis.
  • Every endpoint validates payloads, enforces authentication, and logs structured events.
  • Rate limiting, CORS controls, and content security policies protect customer portals.

Change management

  • Infrastructure changes require peer review plus automated checks before release.
  • Security regressions trigger automatic rollback through our deployment pipeline.

Monitoring, alerting, and incident response

  • 24/7 telemetry from application, database, and workflow layers feeds a unified monitoring stack.
  • Machine-learning anomaly detection flags unusual login patterns, bulk exports, or API failures.
  • Runbooks cover ransomware, account compromise, data exfiltration, and vendor outages.

Detect < 60 seconds

Automated alerts and log correlation flag deviations in near real time.

Triage < 15 minutes

Security on-call validates the signal, locks compromised accounts, and captures evidence.

Notify ≤ 72 hours

Impacted organizations receive coordinated updates per FTC Safeguards and IRS guidance.

Learn < 7 days

Post-incident reviews document root cause, compensating controls, and customer follow-up.

Compliance and industry frameworks

Controls are mapped to the regulations and frameworks tax professionals rely on to prove compliance.

IRS Publication 4557

Written information security program (WISP), access monitoring, and incident response readiness.

FTC Safeguards Rule

Annual risk assessments, designated security lead, vendor oversight, and customer notification plans.

NIST CSF

Identify, Protect, Detect, Respond, Recover controls mapped to our security roadmap.

ISO 27001 alignment

Information security policies, asset inventories, and change management aligned to ISO annex controls.

PCI DSS

Payment workflows isolated with provider tokenization and secure key handling.

HIPAA Principles

Minimum necessary access, audit trails, and breach notification protocols adapted for tax data.

Resilience, backups, and business continuity

Automated backups

  • Daily full backups with point-in-time recovery for Neon PostgreSQL.
  • Document storage snapshots retained per retention policy and encrypted in transit.

Recovery readiness

  • Quarterly restoration tests ensure playbooks stay current and auditable.
  • Disaster recovery plan covers primary cloud region loss and third-party outages.

Business continuity

  • Defined RPO/RTO targets for critical services and communication sequences for customers.
  • All data remains within US facilities to satisfy tax preparer regulatory requirements.

Third-party providers and due diligence

We only partner with vendors that can meet or exceed our security posture and maintain verifiable certifications.

Firebase (Google)

Delivers authentication, MFA, and secure session tokens backed by Google’s global infrastructure.

AWS

Primary hosting, encryption, KMS, CloudFront distribution, and IDS/IPS tooling with SOC 2 Type II coverage.

Neon

PostgreSQL platform with encrypted storage, zero-downtime branching, and point-in-time recovery.

n8n

Workflow automation with encrypted webhooks and per-tenant isolation for customer integrations.

Vendor reviews are performed annually or whenever a material change is announced.

Shared responsibility and user safeguards

Security works best when your team holds itself to the same high bar. These are the practices we recommend every organization enforce internally.

Account hygiene

  • Require MFA for every user, especially admins and seasonal staff.
  • Rotate service account keys and API tokens on a 90-day schedule.
  • Disable dormant accounts before tax season ramps down.

Operational safeguards

  • Restrict data exports to managed devices and secure networks.
  • Maintain a written incident plan that references Conecta’s 72-hour notification commitment.
  • Educate staff on phishing, social engineering, and secure document handling.

Want to talk security?

Want to learn more about our security posture and chat about yours? Contact our security team directly using the information below.

Need to reach our security team?

If you suspect a security issue or want to request additional documentation, contact us right away.

  • General Email: ayuda@holaconecta.com
  • Phone: (619) 630-5109
  • Address: Financial Frontera LLC, 601 E Palomar Ste #554, Chula Vista, CA 91911

Please include relevant timestamps, screenshots, and contact details so we can respond without delay.