Security
TaxBandits is SOC-2 certified and has incorporated standard security protocols to ensure secure storage and processing of the data as well as secure coding. Here are some of the security measures we have in place for complete data protection.
Secure Authentication using JWT
We incorporate a streamlined authentication process for our users to restrict any unauthorized access right at the gateway.
To achieve secure authentication, we have adopted a standard approach involving the creation of JSON Web Tokens (JWT).
The JWT, a compact and digitally signed representation of essential user information, is generated from the client ID, client secret, and user token. It verifies the user's identity and provides a secure channel of communication between the user and our system.
Securely storing PII Data
We prioritize the security and confidentiality of our users' Personally Identifiable Information (PII) and have employed various approaches in light of that.
● Data at Rest - We encrypt user PII with a standard, well-vetted algorithm before storing it in our database, so that sensitive user information remains protected from unauthorized access.
● Data in Motion - We have implemented TLS (Transport Layer Security) versions 1.2 and 1.3 to encrypt data during transmission.
● Data in Use - We rely on various security mechanisms, such as TIN masking, to protect sensitive data while it is in use.
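As an added illustration of the TIN masking named above (example code, not TaxBandits' implementation), the block below masks a nine-digit TIN for display so that only the last four digits survive, keeps the caller's SSN or EIN punctuation so the layout stays recognisable, and applies the same masking to a constructed log line so that a TIN never reaches logs in clear. The sample TINs and the log line are constructed; the choice of `X` as the mask character and four visible digits are assumptions.

```python
import re

VISIBLE_DIGITS = 4  # assumption: last four digits remain readable
MASK_CHAR = "X"

# SSN layout 123-45-6789 and EIN layout 12-3456789 (constructed patterns, word-bounded)
TIN_PATTERN = re.compile(r"\b\d{3}-\d{2}-\d{4}\b|\b\d{2}-\d{7}\b")


def mask_tin(tin: str, visible: int = VISIBLE_DIGITS) -> str:
    """Return a display-safe TIN: all but the last `visible` digits replaced, punctuation kept."""
    digits = re.sub(r"\D", "", tin)
    if len(digits) != 9:
        raise ValueError("a TIN must contain exactly 9 digits")
    masked_digits = MASK_CHAR * (9 - visible) + digits[-visible:]
    out, i = [], 0
    for ch in tin:
        if ch.isdigit():
            out.append(masked_digits[i])
            i += 1
        else:
            out.append(ch)  # keep '-' or spaces so SSN/EIN layouts stay recognisable
    return "".join(out)


def redact_tins(text: str) -> str:
    """Mask every SSN- or EIN-shaped token in free text, e.g. before writing a log line."""
    return TIN_PATTERN.sub(lambda m: mask_tin(m.group(0)), text)


if __name__ == "__main__":
    # Constructed sample values, not real identifiers.
    print(mask_tin("123-45-6789"))
    print(mask_tin("12-3456789"))
    print(redact_tins("filed 1099-NEC for payee 123-45-6789 under payer EIN 12-3456789"))
```

Masking is a display and logging control, not a storage control: the full TIN still has to be encrypted at rest and only unmasked where a specific workflow (for example, filing) requires it.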
Ensuring Complete Security with REST Architecture in API Development
Choosing the right architectural approach for API development plays a pivotal role in safeguarding sensitive information, and we have adopted the Representational State Transfer (REST) architecture for that reason.
● Authentication & Authorization: We have implemented flexible authentication mechanisms, ensuring that only authorized users gain access. This can involve token-based authentication or integrating OAuth for delegated authorization.
● Cross-Origin Resource Sharing (CORS): We have a built-in CORS mechanism that controls access to resources from different domains, mitigating unauthorized requests and potential data leaks.
● Data Validation: We have implemented input validation and sanitization to prevent injection attacks, ensuring that malicious code does not compromise the integrity of our systems.
● Role-Based Access Control: We have integrated role-based access control, limiting user access to specific endpoints based on their roles and permissions.
● API Versioning: We support versioning to ensure that security updates can be applied seamlessly without disrupting existing applications, enhancing overall system security.
● Throttling – Denial of Service (DoS) Mitigation: We have implemented rate limiting and request throttling to prevent DoS attacks from overwhelming the system.
● Monitoring & Logging: We regularly scan our API to detect and respond to potential security breaches promptly.
● Whitelisting: Only client IP addresses that have been whitelisted in our firewall can reach our API server and its resources. To request that your IP address be whitelisted, contact our support team.