
GoRefer Trust Center

Tax Data Safeguards

Updated April 2026

Tax preparers are legally required to maintain a Written Information Security Plan (WISP) under the FTC Safeguards Rule (16 CFR Part 314) and IRS Publication 4557. This page documents how GoRefer's architecture supports each requirement — so you can reference it directly in your firm's WISP and demonstrate compliance to clients or auditors.

FTC Safeguards Rule
IRS Publication 4557
16 CFR Part 314
NIST SP 800-61r2

Legal requirement, not optional guidance

The FTC Safeguards Rule applies to all "financial institutions" — a category that explicitly includes tax preparers under 16 CFR § 314.1(b). Firms with fewer than 5,000 customer records still must maintain a written security program. Penalties for non-compliance include FTC enforcement action and potential IRS EFIN suspension.

FTC Safeguards Rule — 8 Required Program Elements (16 CFR § 314.4)

Designate a Qualified Individual

16 CFR § 314.4(a)

GoRefer's per-firm admin role acts as the designated information security point of contact. Admin users have full visibility into access logs, session activity, and document access events.

Conduct a Risk Assessment

16 CFR § 314.4(b)

GoRefer generates a firm-level security posture summary (accessible in the Admin dashboard) showing active sessions, failed login attempts, document access events, and MFA adoption — inputs your Qualified Individual needs for the annual risk assessment.

Design & Implement Safeguards

16 CFR § 314.4(c)

Encryption at rest (AES-256, MongoDB Atlas) and in transit (TLS 1.3). Per-user RBAC with least-privilege. Session timeout enforced at 24 hours. MFA available on all accounts. PII handled by the browser extension is never stored in the browser.

Regularly Test & Monitor

16 CFR § 314.4(d)

Tamper-proof hash-chain audit logs record every data access, export, and admin action with timestamps and IP addresses. Brute-force and credential-stuffing detection with automatic lockout. Anomalous session detection.
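The hash-chain design named above can be checked with a small verifier. The following is an added illustration, not GoRefer's code: every entry commits to the previous entry's hash, so rewriting any earlier record breaks each later link. The actors, addresses and field layout are constructed for the example.

```python
import hashlib
import json
import copy

GENESIS = "0" * 64  # prev_hash carried by the very first entry

def entry_hash(entry: dict) -> str:
    """Hash the entry's fields (except its own hash) as canonical JSON."""
    body = {k: v for k, v in entry.items() if k != "hash"}
    canon = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canon.encode()).hexdigest()

class HashChainLog:
    """Append-only log where each entry commits to the previous entry's hash."""
    def __init__(self):
        self.entries = []

    def append(self, ts: str, actor: str, action: str, ip: str) -> str:
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        entry = {"seq": len(self.entries), "ts": ts, "actor": actor,
                 "action": action, "ip": ip, "prev_hash": prev}
        entry["hash"] = entry_hash(entry)
        self.entries.append(entry)
        return entry["hash"]

def verify_chain(entries: list) -> tuple:
    """Return (True, None) if intact, else (False, seq of the first bad entry)."""
    prev = GENESIS
    for i, e in enumerate(entries):
        if e.get("seq") != i or e.get("prev_hash") != prev or entry_hash(e) != e.get("hash"):
            return False, i
        prev = e["hash"]
    return True, None

def sample_log() -> HashChainLog:
    # Constructed sample events (hypothetical users and RFC 5737 test addresses).
    log = HashChainLog()
    log.append("2026-04-01T09:00:00Z", "admin@firm.example", "login", "203.0.113.10")
    log.append("2026-04-01T09:05:00Z", "preparer1@firm.example", "document.view", "203.0.113.11")
    log.append("2026-04-01T09:06:30Z", "admin@firm.example", "client.export", "203.0.113.10")
    return log

def tampered_entries() -> list:
    # Simulate an after-the-fact edit that rewrites the source IP of the export.
    entries = copy.deepcopy(sample_log().entries)
    entries[2]["ip"] = "198.51.100.7"
    return entries
```

A chain by itself detects in-place edits but not removal of the newest entries (a truncated copy still verifies), which is why deployments periodically anchor the latest hash somewhere the log writer cannot modify.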

Train Your Staff

16 CFR § 314.4(e)

Your GoRefer subscription includes access to our Security Awareness resources. Role-based training completion can be tracked in the Admin dashboard for WISP documentation.

Oversee Service Providers

16 CFR § 314.4(f)

All GoRefer subprocessors have executed Data Processing Agreements (DPAs). The subprocessor register is published and updated in the Trust Center. Infrastructure runs on SOC 2 Type II certified cloud providers.

Keep the Program Current

16 CFR § 314.4(g)

Security changelog is public. Material changes to data handling are communicated via email and reflected in updated DPAs. Your firm admin receives security notices relevant to your account.

Create an Incident Response Plan

16 CFR § 314.4(h)

GoRefer maintains a documented Incident Response Plan with P0–P3 severity tiers and defined SLAs. Client notifications follow NIST 800-61r2 and the FTC's 30-day post-discovery disclosure requirement.

IRS Publication 4557 — Safeguarding Taxpayer Data

Written Information Security Plan (WISP)

GoRefer provides a template WISP addendum specifically for tax preparers using cloud-based intake and document management. Covers data classification, access controls, incident reporting, and vendor management sections that reference GoRefer's published security posture.

Encryption of taxpayer data in transit and at rest

TLS 1.3 for all network traffic. AES-256 encryption for all stored data via MongoDB Atlas. Field-level encryption for SSN, EIN, and financial account numbers. Extension sessions never persist PII to browser storage.

Access controls based on business need

Role-based access control with five permission levels. Preparers only see clients assigned to them. Admin role required for data exports, billing changes, and security configuration. All access auditable by timestamp and user.

Multi-factor authentication

TOTP-based MFA available for all accounts. Admin and Super-Admin roles can enforce MFA firm-wide. MFA backup codes are stored hashed. Device trust tokens expire after 30 days.

Secure disposal of taxpayer data

Client data is retained for 90 days post-cancellation then purged. Individual record deletion available via Admin UI. All deletions logged in the audit trail. Document storage is zeroed on deletion (no soft-delete PII).

Employee / contractor access termination

Preparer accounts can be immediately deactivated from the Admin dashboard, revoking all active sessions across web, mobile, and extension simultaneously. Deactivated accounts appear in the audit log with a clear 'access revoked' event.

Vendor due diligence

Subprocessor register published at gorefer.io/trust/subprocessors. All vendors have executed DPAs. Infrastructure providers are SOC 2 Type II certified. Annual vendor security reviews performed.

Incident reporting to IRS

If a security incident affects taxpayer data, GoRefer's IRP includes explicit IRS e-services notification steps aligned with IRS Publication 4557 Appendix C guidance. Preparers receive immediate notification with details needed for their own IRS reporting.

Need a WISP template?

GoRefer provides a pre-filled WISP addendum to GoRefer customers — ready for your firm name and a signature. Contact our team and we'll send it within one business day.


Common Questions

No — the WISP is your firm's document, not GoRefer's. But GoRefer makes it easier to write a compliant WISP by providing the exact technical controls (encryption specs, access control policies, audit log retention, incident SLAs) you need to reference for the sections about data storage, transmission, and cloud vendor management.

GoRefer can provide a written security attestation for your firm that summarizes the technical and organizational controls in place during any given time period. Contact support@gorefer.io to request this.

GoRefer is not a HIPAA-covered entity, but we will sign Data Processing Agreements (DPAs) that meet the same substantive requirements for data handling, breach notification, and subprocessor oversight.

Yes. The extension never stores taxpayer PII in the browser. Data is fetched from GoRefer's encrypted backend at fill time and passed only to the service worker — the extension's sandboxed background process — and then written directly to the tax software form fields. No third party can observe this data flow.

SOC 2 is a third-party audited framework relevant for enterprise buyers and large firms. FTC Safeguards / IRS Pub. 4557 are legal requirements for any tax preparer handling taxpayer data — regardless of firm size. GoRefer is designed to satisfy both. For small-to-mid firms, Safeguards alignment is typically the more actionable proof point; for enterprise deals, SOC 2 Type II is available.

Ready to simplify your Safeguards compliance?

GoRefer gives tax preparers the security controls, audit logs, and documentation they need to satisfy the FTC and IRS — without hiring a security team.
