Last updated: February 2026. This policy is subject to review by legal counsel.
At Taxation.ai, we understand that you trust us with some of your most sensitive information — your financial and tax data. This page describes the security measures we implement to protect that trust.
Encryption
In Transit
All data transmitted between your browser and our servers is encrypted using TLS 1.2 or higher. We enforce HTTPS on all connections and send HTTP Strict Transport Security (HSTS) headers, so browsers that have seen our site refuse to connect over plaintext HTTP; this blocks protocol-downgrade (SSL-stripping) attacks.
At Rest
All data stored in our databases and file storage is encrypted at rest using AES-256 encryption. Database backups are also encrypted. Encryption keys are managed through secure key management practices with regular rotation.
Authentication and Access Control
- Authentication: User authentication is handled through Supabase Auth, which supports secure password hashing (bcrypt), email verification, and session management via secure, HTTP-only cookies.
- Row-Level Security (RLS): Our database enforces row-level security policies, ensuring that users can only access their own data. Every database query is scoped to the authenticated user at the database level — not just the application level.
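What a per-user row-level security setup looks like in Postgres, the database behind Supabase, as an added example (not Taxation.ai's own schema or code): the `tax_returns` table, its columns and the policy names are hypothetical, and the block assumes Supabase's `auth.uid()` helper, its built-in `authenticated` and `anon` roles, and the default grants Supabase gives those roles on tables in `public`. It also shows the two mistakes that silently undo the "database-level" guarantee: forgetting to enable RLS (policies exist but are never applied) and writing only a `USING` clause (a user can then insert or re-parent rows under another user's id).

```sql
-- Added example, not Taxation.ai's schema. Hypothetical table; in a real
-- Supabase schema user_id would also carry
--   references auth.users (id) on delete cascade
-- (omitted here so the self-check at the bottom runs without seeding auth.users).
create table if not exists public.tax_returns (
  id          uuid primary key default gen_random_uuid(),
  user_id     uuid not null default auth.uid(),
  tax_year    integer not null,
  document    jsonb not null,
  created_at  timestamptz not null default now()
);

-- 1. Policies are inert until RLS is enabled. FORCE applies them to the
--    table owner as well, so an owner-level connection cannot skip them.
alter table public.tax_returns enable row level security;
alter table public.tax_returns force row level security;

-- 2. One policy per command, each scoped to the caller's own rows.
--    USING filters the rows a statement may see/touch; WITH CHECK constrains
--    the rows a statement may produce. Without WITH CHECK, an UPDATE could
--    move a row to another user's id and an INSERT could spoof user_id.
create policy tax_returns_select_own on public.tax_returns
  for select to authenticated
  using (user_id = auth.uid());

create policy tax_returns_insert_own on public.tax_returns
  for insert to authenticated
  with check (user_id = auth.uid());

create policy tax_returns_update_own on public.tax_returns
  for update to authenticated
  using (user_id = auth.uid())
  with check (user_id = auth.uid());

create policy tax_returns_delete_own on public.tax_returns
  for delete to authenticated
  using (user_id = auth.uid());

-- 3. No policy names the anon role, and RLS denies by default once enabled,
--    so unauthenticated requests get zero rows rather than everything.

-- 4. Self-check from psql (run as a role allowed to SET ROLE authenticated):
--    impersonate two users in one transaction and confirm they are isolated.
--    Supabase's auth.uid() reads the "sub" claim from request.jwt.claims.
begin;
  set local role authenticated;
  select set_config('request.jwt.claims',
                    '{"sub":"11111111-1111-1111-1111-111111111111","role":"authenticated"}',
                    true);
  insert into public.tax_returns (tax_year, document)
    values (2025, '{"income": 50000}');     -- user_id defaults to auth.uid()

  -- switch identity to a second user
  select set_config('request.jwt.claims',
                    '{"sub":"22222222-2222-2222-2222-222222222222","role":"authenticated"}',
                    true);
  -- the select policy filters out user 1's row for user 2
  select count(*) from public.tax_returns;
  -- rejected by WITH CHECK: user_id does not equal auth.uid(); this aborts
  -- the transaction, which is why it is the last statement before rollback
  insert into public.tax_returns (user_id, tax_year, document)
    values ('11111111-1111-1111-1111-111111111111', 2025, '{}');
rollback;
```

Two caveats a practitioner would check against this: the guarantee only holds for connections that carry the user's JWT, because Supabase's `service_role` key and a direct superuser connection bypass RLS entirely, so that key must never reach the browser; and `auth.uid()` is evaluated per row, so `user_id` needs an index for the policies not to turn every query into a sequential scan.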
- Principle of least privilege: Internal access to production systems is restricted to essential personnel only, with role-based access controls and audit logging.
- API security: All API endpoints require authentication. Rate limiting is applied to prevent abuse.
Infrastructure
- EU-hosted: Our primary infrastructure is hosted on Hetzner servers in Germany, within the European Union. This ensures your data is subject to EU data protection standards.
- Network isolation: Production environments are isolated from development and staging environments. Internal services communicate over private networks.
- Regular updates: We maintain a regular patching schedule for operating systems, dependencies, and application components to address known vulnerabilities.
- Backups: Automated, encrypted backups are performed regularly. Backup integrity is verified periodically, and restoration procedures are tested.
Application Security
- Input validation: All user inputs are validated and sanitized to prevent injection attacks (SQL injection, XSS, etc.).
- Dependency management: We regularly audit dependencies for known vulnerabilities and update them promptly.
- Code review: All code changes undergo peer review before deployment to production.
- No tracking cookies: We use only essential session cookies. Our analytics (Plausible) are cookieless and do not collect personal data.
Incident Response
We maintain an incident response plan that includes:
- Detection: Monitoring and alerting systems to identify potential security incidents promptly.
- Containment: Procedures to isolate affected systems and prevent further damage.
- Notification: In the event of a personal data breach, we will notify the relevant supervisory authority within 72 hours as required by GDPR Article 33, and affected individuals without undue delay where required by Article 34.
- Remediation: Root cause analysis and implementation of measures to prevent recurrence.
- Documentation: All incidents are documented, including timeline, impact assessment, and corrective actions taken.
Compliance Roadmap
- GDPR: We are compliant with the EU General Data Protection Regulation, including data minimization, purpose limitation, user rights, and breach notification requirements.
- UK GDPR: We comply with the UK implementation of the GDPR for our UK-based users.
- SOC 2: We are working toward a SOC 2 Type II attestation report to provide independent assurance that our security controls operate effectively over time. We will update this page as we progress.
- Ongoing improvement: We continuously review and enhance our security posture in line with industry best practices and evolving regulatory requirements.
Responsible Disclosure
We value the security research community and welcome responsible disclosure of vulnerabilities. If you discover a security issue, please report it to:
Email: one@vaionex.com
Please include:
- A description of the vulnerability and its potential impact
- Steps to reproduce the issue
- Any relevant screenshots or proof-of-concept
We ask that you:
- Do not access or modify other users' data
- Do not publicly disclose the vulnerability until we have had a reasonable opportunity to address it
- Act in good faith to avoid disruption to the Platform
We commit to acknowledging your report within 48 hours and will keep you informed of our progress toward resolution.
Contact
For security-related inquiries, please contact:
Vaionex Corporation
Email: one@vaionex.com