Security

Last updated: 2026-04-26

TaxSort is built for South African tax practitioners handling sensitive taxpayer information. The controls below are what we operate today. We’ll add to this page as the product matures.

Encryption

  • All traffic is TLS 1.2+ — no clear-text HTTP.
  • Sensitive Client Information (ID and tax numbers) is encrypted at rest with AES-256-GCM using a key separate from the session secret.
  • Database is encrypted at rest by our infrastructure provider (Supabase, AWS-backed).

Authentication

  • Passwords are hashed with bcrypt (cost factor 12).
  • Session cookies are HTTP-only, Secure, and SameSite=strict.
  • Rate-limited login and password-reset endpoints prevent credential-stuffing.

Audit trail

  • Every category override, sign-off, and reopen is recorded as an immutable audit event.
  • Practitioners can export the audit log as CSV to attach to a SARS submission as defensibility evidence.

Defense-in-depth headers

  • Strict-Transport-Security with preload.
  • X-Frame-Options: DENY.
  • X-Content-Type-Options: nosniff.
  • Referrer-Policy: strict-origin-when-cross-origin.
  • Permissions-Policy disabling camera, microphone and geolocation by default.

Background jobs

Long-running AI categorization runs as a separate, signed webhook pipeline (Inngest). Each step is independently retried on failure so partial AI outages do not corrupt your data.

Subprocessors

We rely on Vercel (hosting, US/EU), Supabase (database and storage, EU), Inngest (background jobs, US), Resend (email, EU/US), and OpenAI (AI categorization, US). A current list with countries and data scopes is available on request.

Reporting a vulnerability

If you believe you’ve found a security issue, please email security@taxsort.co.za with the details. We aim to acknowledge within 48 hours and will keep you updated on remediation.