We built Conecta with security as a core feature — not an afterthought. Your clients’ data is protected with modern encryption, strict access rules, short-lived session tokens, and constant monitoring. Below is a plain-English summary of what we do and why it matters.
Certifications & attestations
We align our practices with established standards. That means following the FTC Safeguards Rule, IRS guidance in Publication 4557, and GLBA privacy principles. We are also working through SOC 2 Type II readiness — our controls are being formalized and tested.
1. How we protect data
Security at Conecta is layered. We encrypt data in motion and at rest, separate customer data at the database level, and limit access so staff only see what they need.
Key controls
- MFA for staff: Multi-factor authentication is required for everyone who accesses our systems.
- Encryption: AES-256 for stored data and TLS for all network transport.
- Standards: We use modern, approved cryptography and rotate keys as needed (RSA keys of at least 2048 bits for asymmetric key operations).
- Immutable logs: Audit logs capture actions and are stored in a tamper-evident way.
- Least privilege: Role-based access ensures staff only access data required for their job.
- File protections: We accept only safe types, scan uploads for malware, and remove hidden metadata when needed.
- Data lifecycle: We retain data according to policy and securely erase it after seven years or upon request where applicable.
2. Monitoring & alerts
We monitor uploads, downloads, edits, and deletions in near real time. Alerts are sent when we see unusual activity — for example, many failed logins or off-hours bulk downloads. Logs are retained in a way that makes tampering evident, and we’re continuously improving detection tooling.
3. Identity & authentication
Every page and API call is protected by authentication checks. Sessions expire after inactivity (15 minutes) and have a maximum lifetime (8 hours). Client portal links are single-use and short-lived (10 minutes), and we enforce strong password requirements (minimum 12 characters with mixed character types).
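The session, portal-link, and password rules above, written out as a small policy check. This is an added example, not Conecta's code; the timeouts and lengths come from the text, while the "three of four character classes" reading of "mixed character types" is an assumption.

```python
from dataclasses import dataclass
import secrets

IDLE_TIMEOUT = 15 * 60       # seconds of inactivity before a session expires
MAX_LIFETIME = 8 * 60 * 60   # absolute session lifetime, regardless of activity
LINK_TTL = 10 * 60           # validity window of a single-use client portal link
MIN_PASSWORD_LEN = 12


@dataclass
class Session:
    created_at: float   # epoch seconds when the session was issued
    last_seen: float    # epoch seconds of the last authenticated request


def check_session(s: Session, now: float) -> str:
    """Return 'ok' or the reason the session is rejected; refresh last_seen on success.
    The absolute limit is checked first so that steady activity cannot extend a session past 8h."""
    if now - s.created_at > MAX_LIFETIME:
        return "expired: max lifetime"
    if now - s.last_seen > IDLE_TIMEOUT:
        return "expired: idle"
    s.last_seen = now
    return "ok"


class PortalLinks:
    """Single-use, short-lived portal links. A token is removed the first time it is
    redeemed (expired or not), so a replayed link always fails."""

    def __init__(self) -> None:
        self._tokens: dict[str, float] = {}   # token -> issue time

    def issue(self, now: float) -> str:
        token = secrets.token_urlsafe(32)     # 256 bits of CSPRNG entropy
        self._tokens[token] = now
        return token

    def redeem(self, token: str, now: float) -> bool:
        issued = self._tokens.pop(token, None)  # consume on first use, valid or not
        if issued is None:
            return False                        # unknown or already used
        return now - issued <= LINK_TTL


def password_meets_policy(pw: str) -> bool:
    """Minimum 12 characters with mixed types (assumption: at least 3 of 4 classes)."""
    classes = [any(c.islower() for c in pw), any(c.isupper() for c in pw),
               any(c.isdigit() for c in pw), any(not c.isalnum() for c in pw)]
    return len(pw) >= MIN_PASSWORD_LEN and sum(classes) >= 3
```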
4. Vendors & infrastructure
We host on secure cloud platforms with audited compliance programs. Vendor contracts require strong controls and breach notification. Our backups are encrypted, performed daily, and restore-tested monthly. Independent security firms perform annual penetration tests and quarterly scans.
5. Incident response
We maintain an incident response plan with defined roles and communication paths. We run tabletop exercises every six months and larger simulations annually. If an incident occurs, we follow FTC/IRS/state notice requirements and perform a post-incident review to improve controls.
6. Documentation & compliance
Conecta keeps a Written Information Security Program (WISP), performs annual risk reviews approved by leadership, and provides security training at onboarding and annually. Contracts with clients include commitments to data protection and breach response.
7. Penalties for non-compliance
Failure to follow regulatory requirements can trigger fines and court oversight. For example, certain violations can result in penalties in the tens of thousands per incident. Tax preparers are treated as financial institutions under IRS and FTC guidance, so these rules are material for our customers.
8. Extra security measures
Beyond the basics, we adopt modern practices: zero-trust principles, data loss prevention (DLP), endpoint security and encryption, phishing protection, and a coordinated vulnerability disclosure process (bug-bounty style or responsible disclosure). We also run automated compliance checks to spot drift in configurations.
9. IRS input
We engaged with IRS forums and used feedback from IRS staff to shape our controls. Their practical guidance helped prioritize protections for firms that prepare tax returns.
10. The work behind the scenes
Making MFA mandatory, adding row-level security, and meeting FTC rules required significant engineering, product, and compliance work. Security here is not just a statement — it’s the result of months of implementation and testing.
FAQ
Has Conecta had a third-party review?
Yes — we undergo penetration testing and security audits on a regular cadence and remediate findings based on risk.
Who are Conecta’s vendors?
We work with vetted, compliant infrastructure and security vendors and require contractual security obligations and breach reporting.
Do clients have rights to their data?
Yes — clients can request access or deletion per our privacy policy and applicable law.
Why you can trust Conecta: no setup required, MFA enforced for staff, AES-256 at rest and TLS in transit, daily encrypted backups with monthly restore tests, and regular independent security assessments.