Security Practices

How we protect your personal and financial data

At NextGen Taxman, security is not an afterthought — it is foundational to everything we build. We handle sensitive financial data and take that responsibility seriously. Below is an overview of our security program and the measures we implement to protect your information.

Encryption

All data is encrypted both in transit and at rest:

• In Transit: All communications between your browser and our servers use TLS 1.2 or higher. We enforce HTTPS on all pages and API endpoints.
• At Rest: All stored data, including personal information and financial records, is encrypted using AES-256 encryption.
• API Credentials: Plaid API credentials and all sensitive keys are encrypted in storage and never exposed on the client side.

GLBA Compliance

As a financial services application, we comply with the Gramm-Leach-Bliley Act (GLBA) Safeguards Rule. Our compliance program includes:

• A written information security program with designated security personnel
• Regular risk assessments to identify and address potential threats
• Administrative, technical, and physical safeguards for customer information
• Oversight of third-party service providers who access customer data
• Ongoing monitoring and testing of security controls

Access Controls

We implement strict access controls to ensure that only authorized personnel can access customer data:

• Role-based access control (RBAC) for all internal systems
• Multi-factor authentication (MFA) required for all employees and contractors
• Principle of least privilege — staff only have access to data required for their role
• Regular access reviews and prompt revocation upon role changes or termination
• Background checks for all employees and contractors

Plaid Integration Security

We use Plaid to securely connect to your financial institutions. Key security aspects of our Plaid integration:

• Your bank credentials are entered directly into Plaid's interface — we never see or store your login credentials
• Plaid access tokens are stored server-side only, encrypted at rest, and never exposed to client-side code
• We request read-only access to financial data — we can never initiate transactions or modify accounts
• Users can revoke Plaid access at any time through their account settings or via the Plaid Portal
• All data received from Plaid is transmitted over encrypted channels and stored with AES-256 encryption

Monitoring & Incident Response

We maintain comprehensive monitoring and incident response capabilities:

• Real-time monitoring and alerting for security-impacting events
• Robust audit trails and logging for all material events in production systems
• Documented incident response plan with defined escalation procedures
• Regular security awareness training for all staff
• Timely vulnerability patching and remediation

Network Security

• Cloud infrastructure hosted on secure, certified providers
• Network segmentation by asset sensitivity
• Endpoint protection and malware detection
• Regular third-party penetration testing and security audits
• Vendor risk management and oversight program

Data Handling

• We collect only the minimum data necessary to provide our services
• We never sell, rent, or share consumer data for marketing purposes
• Data retention and deletion policies are documented and enforced (see our Data Retention Policy)
• Users may request deletion of their data at any time

Breach Notification

In the unlikely event of a data breach, we will promptly notify affected users and relevant authorities in compliance with applicable state and federal laws. We will also notify our partners, including Plaid, as required by our service agreements.

Contact

If you have questions about our security practices or wish to report a security concern, please contact us at security@nextgentaxman.com.