HYK Tax CPA · EST. 2009

Data Security

Effective: January 1, 2026
Last Updated: January 1, 2026
Applies To: HYK Tax, PLLC and all clients
In This Policy
  1. Overview
  2. Frameworks & Standards
  3. Encryption
  4. Access Controls
  5. Infrastructure Security
  6. Offshore Team Security
  7. Monitoring & Audits
  8. Incident Response
  9. Staff Training
  10. Vendor Management
  11. Certifications
  12. Contact Security Team

HYK Tax handles some of the most sensitive information that exists about your life and your business — Social Security Numbers, financial accounts, payroll records, business performance. We treat that responsibility with the rigor it deserves. This page documents the controls we have in place to protect your data, audited annually by independent third parties.

01 Overview

Our security program is built around four principles:

  1. Defense in depth — multiple overlapping controls, so that no single control failure is enough to expose client data
  2. Least privilege — staff access only the client data they need to do their assigned work
  3. Continuous verification — quarterly internal reviews, annual third-party audits, ongoing penetration testing
  4. Transparency — clients have the right to know how their data is protected, and we publish our practices openly

02 Frameworks & Standards

We comply with or are aligned to the following frameworks:

  • IRS Publication 4557 — Safeguarding Taxpayer Data (mandatory for U.S. tax preparers)
  • SOC 2 Type II — independently audited annually for security, availability, processing integrity, and confidentiality
  • Gramm-Leach-Bliley Act (GLBA) Safeguards Rule — federal law governing financial institution data security
  • NIST Cybersecurity Framework — used as our foundational risk-management model
  • AICPA Statement on Standards for Tax Services (SSTS) — professional standards including data protection
  • GDPR — for clients who are EU residents or whose data flows through EU jurisdiction

03 Encryption

Data at rest

All client documents stored in our portal (TaxDome) and document vault (Box) are encrypted using AES-256, an encryption standard approved by the U.S. National Security Agency for Top Secret data. Encryption keys are managed by our infrastructure providers using FIPS 140-2 validated key management modules.

Data in transit

All communication between you, our portal, and our internal systems uses TLS 1.3 with perfect forward secrecy. We do not support older TLS or SSL protocols. Our SSL Labs grade is A+.

Email

Sensitive documents are never sent over standard email. All document exchange happens through the encrypted client portal. If email exchange is unavoidable, we use S/MIME or password-protected encrypted attachments, with the password shared through a separate channel (phone or portal message), never in the same email as the attachment.

04 Access Controls

Authentication

  • Mandatory two-factor authentication (2FA) on every staff and client account
  • Support for SMS, authenticator apps (TOTP), and FIDO2 hardware security keys; SMS is the weakest of the three (it can be intercepted or phished), so we recommend TOTP or a hardware key
  • Minimum 14-character passwords with complexity requirements
  • Automatic session timeout after 30 minutes of inactivity
  • Account lockout after 5 failed login attempts

Authorization

  • Role-based access control (RBAC) with documented permission matrix
  • Need-to-know basis: staff only see client files they're actively working on
  • Privileged access (admin functions) restricted to 3 named individuals
  • Quarterly access reviews — every staff member's permissions audited every 90 days
  • Immediate revocation of access upon staff departure (within 1 hour)

05 Infrastructure Security

  • Cloud infrastructure — hosted on AWS US-East and US-West regions; no on-premise servers handle client data
  • Network segmentation — client data systems run in network segments separate from public-facing systems, with firewall rules that allow only the traffic each segment needs
  • Endpoint protection — all staff devices run encrypted disks, EDR (endpoint detection & response), and centralized device management
  • VPN required — staff must connect through corporate VPN with certificate-based authentication to access client systems
  • BYOD prohibited — staff may only access client data from company-owned, managed devices
  • Backup & disaster recovery — encrypted offsite backups with a 4-hour RPO (at most 4 hours of data lost in a failure) and a 24-hour RTO (service restored within 24 hours)

06 Offshore Team Security

HYK Tax operates a dedicated production team in Surat, India. The same security controls apply universally — there is no "U.S. tier" and "offshore tier" of protection. Specifically:

  • All offshore staff sign written confidentiality agreements compliant with IRC §7216 and IRS Pub. 4557 before any client data access
  • Background checks conducted on all offshore staff prior to onboarding
  • Offshore facility has biometric access, 24/7 video monitoring, and visitor logs
  • USB ports, personal devices, and cameras are physically prohibited in the production area
  • All offshore work happens via secure VDI (virtual desktop infrastructure) — no client data ever stored on local devices
  • Offshore facility independently audited under SOC 2 Type II annually

07 Monitoring & Audits

  • Continuous logging — every access to client data is logged with user ID, timestamp, IP, and action
  • SIEM monitoring — security information and event management with 24/7 anomaly alerting
  • Annual penetration testing — by independent third-party security firms (current vendor: [VENDOR])
  • Quarterly vulnerability scanning — automated scanning of all infrastructure
  • Annual SOC 2 audit — by an AICPA-licensed auditing firm
  • Internal security review — quarterly review by our Security Officer with documented findings

08 Incident Response

We maintain a documented Incident Response Plan with the following commitments:

  • Detection — automated alerting on anomalous access patterns; mandatory reporting by staff
  • Containment — isolation of affected systems within 1 hour of a confirmed incident
  • Investigation — full forensic analysis with documented chain of evidence
  • Notification — affected clients notified within 72 hours of confirming an incident (the GDPR Article 33 deadline for notifying the supervisory authority, which we also apply to client notice), and in all cases within the deadlines set by applicable state breach-notification law (e.g., Florida F.S. §501.171)
  • Remediation — root-cause analysis and corrective action documented within 30 days
  • Reporting — IRS Stakeholder Liaison and applicable state regulators notified per IRS Pub. 4557 §IV
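The log fields listed in section 07 (user ID, timestamp, IP, action) are the input to the "anomalous access patterns" alerting in the Detection bullet above. As an added illustration, not HYK Tax's own tooling, here is a small Python detector run over a constructed access log. The JSON-lines format, the extra client and result fields, the user-to-client assignment table, the user names, IPs and thresholds are all assumptions made for the example; the three rules it implements (access to a client outside a user's assignments, a burst of distinct clients by one user, and repeated failed logins) are the kind of checks a SIEM rule set would carry for this policy.

```python
"""Toy SIEM-style detector over an access log (added example, not HYK Tax's code)."""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed log format (constructed for this example): one JSON object per line carrying the
# four fields the policy names (user, timestamp, IP, action) plus the client record touched
# and the outcome. Login events have no client field.
SAMPLE_LOG = """\
{"ts": "2026-01-05T09:00:12Z", "user": "amy", "ip": "10.20.0.5", "action": "open", "client": "C-1001", "result": "ok"}
{"ts": "2026-01-05T09:03:40Z", "user": "amy", "ip": "10.20.0.5", "action": "download", "client": "C-1002", "result": "ok"}
{"ts": "2026-01-05T09:05:02Z", "user": "amy", "ip": "10.20.0.5", "action": "open", "client": "C-3005", "result": "denied"}
{"ts": "2026-01-05T09:10:00Z", "user": "raj", "ip": "203.0.113.7", "action": "login", "result": "fail"}
{"ts": "2026-01-05T09:10:31Z", "user": "raj", "ip": "203.0.113.7", "action": "login", "result": "fail"}
{"ts": "2026-01-05T09:11:05Z", "user": "raj", "ip": "203.0.113.7", "action": "login", "result": "fail"}
{"ts": "2026-01-05T09:11:44Z", "user": "raj", "ip": "203.0.113.7", "action": "login", "result": "fail"}
{"ts": "2026-01-05T09:12:20Z", "user": "raj", "ip": "203.0.113.7", "action": "login", "result": "fail"}
{"ts": "2026-01-05T09:30:00Z", "user": "raj", "ip": "10.20.0.9", "action": "login", "result": "ok"}
{"ts": "2026-01-05T09:31:10Z", "user": "raj", "ip": "10.20.0.9", "action": "download", "client": "C-2001", "result": "ok"}
{"ts": "2026-01-05T09:32:15Z", "user": "raj", "ip": "10.20.0.9", "action": "download", "client": "C-2002", "result": "ok"}
{"ts": "2026-01-05T09:33:05Z", "user": "raj", "ip": "10.20.0.9", "action": "download", "client": "C-2003", "result": "ok"}
{"ts": "2026-01-05T09:34:40Z", "user": "raj", "ip": "10.20.0.9", "action": "download", "client": "C-2004", "result": "ok"}
{"ts": "2026-01-05T09:35:55Z", "user": "raj", "ip": "10.20.0.9", "action": "download", "client": "C-2005", "result": "ok"}
"""

# Assumed need-to-know table: which client files each user is currently assigned to.
ASSIGNMENTS = {
    "amy": {"C-1001", "C-1002"},
    "raj": {"C-2001", "C-2002", "C-2003", "C-2004", "C-2005"},
}

# Assumed thresholds. The failed-login figure matches the 5-attempt lockout in section 04.
BULK_THRESHOLD = 5                       # distinct clients touched by one user ...
BULK_WINDOW = timedelta(minutes=10)      # ... within this sliding window
FAILED_LOGIN_THRESHOLD = 5
FAILED_LOGIN_WINDOW = timedelta(minutes=15)


def parse(log_text):
    """Yield log records with the timestamp parsed into a datetime."""
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        yield rec


def detect(log_text, assignments):
    """Return a list of (rule, user, timestamp, detail) alerts, in time order."""
    alerts = []
    recent_clients = defaultdict(deque)   # user -> deque of (ts, client) inside BULK_WINDOW
    failed_logins = defaultdict(deque)    # user -> deque of ts inside FAILED_LOGIN_WINDOW

    for rec in sorted(parse(log_text), key=lambda r: r["ts"]):
        user, ts = rec["user"], rec["ts"]

        # Rule 3: repeated failed logins. Fires exactly once, on the attempt that reaches the threshold.
        if rec["action"] == "login":
            if rec["result"] == "fail":
                q = failed_logins[user]
                q.append(ts)
                while q and ts - q[0] > FAILED_LOGIN_WINDOW:
                    q.popleft()
                if len(q) == FAILED_LOGIN_THRESHOLD:
                    alerts.append(("brute_force", user, ts,
                                   f"{len(q)} failed logins from {rec['ip']}"))
            continue

        client = rec.get("client")
        if client is None:
            continue

        # Rule 1: need-to-know. Any touch of a client outside the user's assignments is reported,
        # including denied attempts, because a denied attempt is itself a signal worth reviewing.
        if client not in assignments.get(user, set()):
            alerts.append(("unassigned_client", user, ts,
                           f"{rec['action']} on {client} (result={rec['result']})"))

        # Rule 2: bulk access. Count distinct clients successfully accessed within the window.
        if rec["result"] == "ok":
            q = recent_clients[user]
            q.append((ts, client))
            while q and ts - q[0][0] > BULK_WINDOW:
                q.popleft()
            distinct = {c for _, c in q}
            if len(distinct) == BULK_THRESHOLD:
                alerts.append(("bulk_access", user, ts,
                               f"{len(distinct)} distinct clients within {BULK_WINDOW}"))
    return alerts


if __name__ == "__main__":
    for rule, user, ts, detail in detect(SAMPLE_LOG, ASSIGNMENTS):
        print(f"{ts.isoformat()} {rule:18} {user:6} {detail}")
```

On the sample log the detector raises three alerts: amy's denied open of an unassigned client, raj's fifth failed login from the outside address, and raj's fifth distinct download inside ten minutes. Each rule fires once when its threshold is reached rather than on every subsequent event, which keeps a single incident from flooding the alert queue.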

09 Staff Training

  • Onboarding — mandatory 4-hour security training before any client data access
  • Annual refresher — all staff complete updated security training every 12 months
  • Phishing simulation — quarterly internal phishing tests with mandatory remediation training for failures
  • IRS Pub. 4557 training — annual training on the Safeguarding Taxpayer Data publication
  • Role-specific training — engineers, partners, and customer-facing staff receive additional role-specific modules

10 Vendor Management

Every third-party vendor with access to client data is vetted and contracted under our Vendor Risk Management program:

  • Independent SOC 2 Type II report reviewed before engagement
  • Data Processing Agreement (DPA) signed with every processor
  • Annual re-review of vendor security posture
  • Right to audit clause in all material vendor contracts

Current key vendors include TaxDome (client portal), Box (document storage), CCH Axcess (tax preparation), AWS (infrastructure), and Google Workspace (internal communications) — all SOC 2 audited.

11 Certifications

HYK Tax holds the following certifications and registrations:

Certification            | Status | Last Audit
SOC 2 Type II            | Active | Q4 2025
IRS Pub. 4557 Compliance | Active | Q1 2026
Florida CPA License      | Active | Renewal Q3 2026
IRS PTIN Registration    | Active | Renewed annually

Copies of our SOC 2 Type II report are available to active clients upon written request under NDA.

12 Contact Security Team

To report a security concern, request our SOC 2 report, or ask any data security question:

HYK Tax — Security Officer

We respond to all security concerns within 24 hours. For active incidents, response is immediate.

Email: security@hyktax.com
Phone: +1 (305) 555-0199
PGP: Key fingerprint available on request
Mail: HYK Tax, PLLC · Attn: Security Officer · [Address] · [City], FL [ZIP]
A Florida-licensed CPA firm delivering tax, accounting, and advisory services to U.S. businesses and individuals — with a dedicated offshore team that keeps your work moving around the clock.

© 2026 HYK Tax, PLLC. All rights reserved. Florida CPA License #AC-XXXXXX.