Security at TaxWise

Bank-grade where it counts. Boringly specific everywhere else.

Tax data is among the most sensitive financial information a person produces. Here is exactly how we protect it.

Where we stand

Certifications, audits, and what they mean.

ISO/IEC 27001:2022
Live

Certified August 2025

SOC 2 Type II
In progress

Audit in progress · report expected Q3 2026

PDPA (Sri Lanka)
Live

Compliant since launch · Personal Data Protection Act No. 9 of 2022

CBSL data-residency
Live

Personal financial data resides in CBSL-approved infrastructure (Sri Lanka & Singapore)

Posture

Concrete controls. Not adjectives.

Data at rest
  • AES-256-GCM envelope encryption on every PII column.
  • Customer-specific Data Encryption Keys (DEKs), rotated every 90 days.
  • Key Encryption Keys (KEKs) held in AWS KMS Singapore, never on application servers.
Data in transit
  • TLS 1.3 minimum, with HSTS preload across every TaxWise subdomain.
  • Mutual TLS between internal services. No internal plaintext.
  • Certificate pinning on the mobile app's authentication path.
Authentication
  • Argon2id password hashing (memory cost 64 MiB, iterations 3, parallelism 4).
  • TOTP-based 2FA available on every account; required for Practitioner accounts.
  • WebAuthn passkeys supported. Session refresh tokens rotated on every use.
Infrastructure
  • Private VPCs in ap-south-1 (Mumbai), with a hot standby in ap-southeast-1 (Singapore).
  • All compute behind a private subnet. Public surface is a single CDN edge.
  • Every change goes through pull request, automated tests, and code-owner review.
Monitoring & response
  • 24/7 on-call during filing season (Aug–Nov); business hours otherwise.
  • Quarterly third-party penetration tests; latest report dated December 2025.
  • Security disclosure: security@taxwise.lk — 24-hour acknowledgement SLA.
What we don't do
  • We do not sell, rent, or share personal data with any third party for marketing.
  • We do not use customer data to train external AI models.
  • We do not retain return data beyond the seven-year IRD requirement plus a 30-day audit window.
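
As an added illustration of the data-at-rest controls above (example code, not TaxWise's implementation), this Go program models the envelope: each customer gets a 256-bit DEK that seals PII cells with AES-256-GCM, and the DEK itself is sealed under a KEK. The KMS-held KEK is replaced here by a local 32-byte key, and the customer and column identifiers are assumed names; a 90-day rotation is a fresh WrapDEK for the customer followed by re-sealing their cells under the new DEK.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// must panics on an error; every call below either cannot fail (32-byte AES key) or must halt (RNG).
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}
// seal returns nonce || ciphertext || tag; aad is authenticated but not encrypted.
func seal(key, plaintext, aad []byte) []byte {
	gcm := must(cipher.NewGCM(must(aes.NewCipher(key)))) // 32-byte key selects AES-256
	nonce := make([]byte, gcm.NonceSize())                // fresh 96-bit nonce per call
	must(rand.Read(nonce))
	return gcm.Seal(nonce, nonce, plaintext, aad)
}
// open reverses seal; any change to ciphertext, tag or aad makes it fail.
func open(key, sealed, aad []byte) ([]byte, error) {
	gcm := must(cipher.NewGCM(must(aes.NewCipher(key))))
	if n := gcm.NonceSize(); len(sealed) >= n {
		return gcm.Open(nil, sealed[:n], sealed[n:], aad)
	}
	return nil, fmt.Errorf("sealed value too short")
}
// WrapDEK creates a customer's 256-bit DEK and seals it under the KEK (a KMS Encrypt call in
// production; here the KEK is a local stand-in). The AAD binds the wrapped key to its customer.
func WrapDEK(kek []byte, customerID string) (dek, wrapped []byte) {
	dek = make([]byte, 32)
	must(rand.Read(dek))
	return dek, seal(kek, dek, []byte(customerID))
}
// EncryptCell seals one PII value under the DEK; the AAD binds it to customer and column.
func EncryptCell(dek []byte, customerID, column string, value []byte) []byte {
	return seal(dek, value, []byte(customerID+"/"+column))
}
// DecryptCell unwraps the DEK with the KEK (KMS Decrypt in production), then opens the cell.
func DecryptCell(kek, wrapped []byte, customerID, column string, cell []byte) ([]byte, error) {
	dek, err := open(kek, wrapped, []byte(customerID))
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	return open(dek, cell, []byte(customerID+"/"+column))
}
```

Because the AAD carries the customer and column, a wrapped DEK or a ciphertext copied onto another customer's row (or another column) fails to open rather than decrypting to the wrong place.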
Responsible disclosure

If you find a vulnerability, please tell us.

We acknowledge every report within 24 hours and pay bounties for valid findings, scaled by severity: critical Rs. 250,000; high Rs. 100,000; medium Rs. 25,000; low Rs. 5,000.

PGP key fingerprint: 3D5F 8C12 9A77 BB02 41E3 09FA CB80 DD16 4A02 7E91
Acknowledgement SLA: 24 hours. Triage SLA: 5 business days.