THE FINACEAL ADVANTAGE
SECURITY
We Protect Your Clients' Data Like It's Our Own
We handle tax returns, payroll records, and financial statements. Our security program is a documented, enforced, multi-layered operating standard, aligned to the same frameworks used by US government agencies and critical infrastructure operators.
Security Architecture
Six Layers of Protection Around Every Client File
From the moment work enters our workflow to the moment it is completed and returned to the CPA firm, every stage is covered by overlapping, independently enforced controls.
Access Control
MFA on every account. Role-based permissions ensure each team member accesses only their assigned clients. Least-privilege principle throughout. All access revoked immediately on departure.
Encryption
AES-256 at rest across all cloud storage. TLS 1.2+ for all data in transit. Full-disk encryption on every company device. Client documents via encrypted portals only.
Client Data Isolation
Each CPA firm's data lives in a dedicated, permission-controlled environment. Cross-client data access is architecturally prevented. No commingling at any level.
Physical Security
Biometric-controlled access to restricted work areas. CCTV monitoring. Clean desk policy enforced at all times. No personal devices in client work areas.
Personnel Security
NDA signed before day one. Mandatory security training before any client data access. Annual phishing simulations. Full 20-point access revocation checklist on every departure.
Incident Response
Written 7-phase Incident Response Plan. 24-hour breach notification to CPA firm partners. Defined escalation chain to CEO and legal counsel. Annual internal security audit.
Implemented Controls
What We Have Actively In Place
Verified through our annual internal security audit. Every item below is operational.
IDENTITY & ACCESS
Multi-Factor Authentication: All Accounts
Enforced on accounting software, cloud storage, email, payroll platforms, and practice management. No exceptions.
Role-Based Access Control (RBAC)
Team members access only their assigned CPA firm clients. Least-privilege. Reviewed and confirmed annually.
Enterprise Password Manager
Company-wide deployment. Minimum 16-character unique passwords. Zero password reuse across any account.
VPN: ISO 9001 Certified ISP
All remote access routed through VPN via an ISO 9001 certified internet service provider. No exceptions.
Credential Breach Monitoring
Company domain continuously monitored for exposure in known breach databases. Alerts trigger immediate password rotation.
20-Point Offboarding Checklist
Every system access revoked on the last working day without exception, across every platform.
DEVICE & NETWORK
Antivirus: All Company Devices
Real-time scanning, automatic definition updates, and weekly full-system scans active on every device.
Full-Disk Encryption
BitLocker (Windows) and FileVault (macOS) on every device. Lost hardware cannot expose readable data.
Device Firewall
Host-based firewall active on all devices, blocking unauthorized inbound connections.
DNS Filtering
Network-level filtering on all devices and the office router, blocking malware and phishing domains.
Automatic OS Patching
Critical patches within 48 hours. Routine updates within a monthly cycle. Compliance verified annually.
No Personal Device Policy
All client work exclusively on company-managed, encrypted devices. Zero exceptions permitted.
DATA SECURITY
AES-256 Encryption at Rest
All client data in certified cloud environments. All devices encrypted. No local-only data copies.
TLS 1.2+ Encryption in Transit
Client documents via encrypted portals only. Unencrypted email transmission of client data prohibited.
Email Domain Security (DMARC/DKIM/SPF)
Domain fully protected against spoofing and impersonation. Verified via DNS audit.
Data Handling & Secure Disposal Policy
Our preferred model is working entirely within the CPA firm's systems, meaning no client data resides on our side. Where files are received directly, they are stored in encrypted access-controlled storage during the engagement and securely deleted within 30 days of delivery, confirmed in writing.
PEOPLE & PROCESS
Security Awareness Training
Mandatory before first client access. Annual refresher. Training logs maintained by name and date.
Annual Phishing Simulations
Results tracked year-on-year. Failed simulations trigger immediate additional training.
NDA + Confidentiality Agreement
Signed by every employee before day one. Covers non-disclosure, data return, and non-solicitation of CPA firm clients.
Annual Internal Security Audit
Full audit covering access logs, device compliance, policy adherence, and physical security. Findings tracked to closure.
Business Continuity & Disaster Recovery Plan
Written BC/DR Plan in place and tested annually to ensure continued service delivery after any disruption.
Vendor Security Assessment Register
All platforms assessed before handling client data. SOC 2 Type II certification required as minimum approval standard.
We Work Inside Your Systems, Which Are Already Compliant with Your Standards
Finaceal does not require you to use a separate external system. We work inside the platforms your CPA firm already uses: Drake Tax, Lacerte, QuickBooks Online, TaxDome, and others. We log in under a standard user account, do the work inside those systems, and log out. In this model, no client data resides on Finaceal's systems. There is nothing to retain, and no data disposal obligation arises on our side when the engagement ends.
In cases where a CPA firm sends source documents directly to us, such as PDF bank statements, tax prep packages, or payroll files, those files are held in our encrypted, access-controlled cloud storage during the engagement only, then securely deleted within 30 days of the completed work being delivered.
Our team is granted standard user-level access, never admin access, never EFIN or PTIN credentials. We prepare the work, you review and sign. Your credentials. Your authority. Your client relationship.
What Finaceal Adds On Top
- Biometric access control and CCTV at our premises
- Personnel vetting, NDA, and security training program
- Antivirus, full-disk encryption, and VPN on all devices
- Internal security policies
- Written Incident Response Plan with 24-hour breach notification
- Annual internal security audit with documented findings
- Business Continuity & Disaster Recovery Plan
- Signed Internal Security Policies
Our Role: Complete Transparency
How We Fit Into Your Legal and Filing Structure
CPA firms ask us about this directly, and we welcome that. Here is our exact role, clearly and honestly explained.
What Finaceal Does
We prepare draft tax returns, reconcile books, process payroll data, and build financial reports. Every piece of work we produce is returned to the CPA firm for professional review before it goes anywhere near a client or the IRS.
We are a preparation and support service. We make the work ready. The CPA reviews, approves, signs, and files. The CPA's PTIN appears on every return. The CPA's professional judgment governs every tax position. Our work is the input. The CPA's review is the output that reaches the client.
Finaceal staff do not hold PTINs and do not sign or file any return. We do not communicate with clients. We do not represent clients before the IRS. These are the exclusive domain of the licensed CPA partner.
This model is the standard operating structure for offshore tax preparation support, recognized and permitted under IRS offshore outsourcing guidance. The IRS has confirmed since 2006 that foreign outsourcing of tax preparation support is not prohibited, provided the CPA firm obtains written client consent under IRC section 7216.
How Software Access Works
CPA firms do not share their PTIN credentials with us. PTINs are individual identifiers and are never shared with anyone. Instead, the CPA firm creates a standard user account for our team inside their tax software (Drake, Lacerte, ProSeries), exactly as they would for an internal staff member or junior associate.
Our team logs in under that user account, prepares the return, and marks it ready for review. The CPA then opens the completed return, conducts their professional review, enters their own PTIN, and signs and transmits the return under their own credentials. Our work is preparation support. The CPA's PTIN is what appears on the filed return.
For bookkeeping, the process is identical. The CPA firm grants us access to their client's QuickBooks or Xero account at the user level, we work inside that environment, and the CPA reviews and approves before anything reaches the client.
IRS Compliance Program
Comprehensive IRS Compliance Measures at Finaceal
Verified through our annual internal security audit. Every item below is operational.
Written Information Security Program (WISP)
Maintained and reviewed annually. Satisfies IRS Publication 4557 requirements and the FTC Safeguards Rule obligations applicable to our service provider role.
Annual Risk Assessment & Risk Management Plan
Formal risk assessment conducted each year. Findings documented and used to update controls before the following tax season.
Third-Party Vendor Assessment
All vendors assessed before granting access to client data. Only SOC 2-certified platforms approved. Register reviewed annually.
Access Controls: RBAC + MFA + Annual Account Review
Role-based access, mandatory MFA, and annual review of all user accounts to minimize unauthorized access risk.
Encryption + Data Classification + Data Handling
AES-256/TLS 1.2+ encryption. Formal data classification policy. Where files are received directly, secure deletion within 30 days of deliverable acceptance. Where we work within the CPA firm's systems, no client data resides on our side, so no disposal obligation arises.
Hardware Inventory + Network Segregation
Device inventory maintained. Work network fully segregated from personal and guest traffic. Reviewed in annual audit.
Security Training + Annual Phishing Simulations
Mandatory onboarding training and annual refresher. Phishing simulations test readiness. High-risk roles receive additional training.
Incident Response + IRS Breach Notification
Written IRP with defined procedures. IRS notified of any breach involving taxpayer data per IRS Publication 5293. Post-incident reviews strengthen future defenses.
Business Continuity & Disaster Recovery Plan
Written BC/DR Plan maintained and tested annually, ensuring continued service delivery following any operational disruption.
Password Policy + Annual Internal Audit + Policy Review
Enforced password standards, annual internal security audit, and annual review of all written policies to close any identified gaps.
Draft-Only Preparation Model: CPA Signs All Returns
Finaceal prepares draft returns for CPA review. No return is filed without the CPA's professional review and signature under their own credentials. We are a preparation support service, not a filing service.
Emerging Technology Evaluation
New tools evaluated against security and compliance requirements before adoption. No platform handles client data without Operations Manager approval and vendor assessment.
Physical Security
Controlled Physical Environment at Our Premises
Access to our office premises and restricted work areas is managed, monitored, and enforced.
Biometric Access Control
Restricted work areas require biometric authentication. Unauthorized physical entry to client work areas is not possible.
CCTV Monitoring
Physical premises monitored by CCTV surveillance. Footage retained in line with applicable privacy regulations.
Clean Desk & Screen Policy
No client documents visible when not in active use. Screens away from visitor areas. All documents secured at close of business.
Visitor Restrictions
Visitors are not permitted in client work areas. Workstations secured before any visitor enters restricted areas.
No Hard Copy Downloads & Shredding Policy
Our standard workflow does not involve printing client data. In the rare event any document is printed for internal review or process reasons, it is cross-cut shredded immediately after use and never placed in standard waste.
No Personal Devices in Work Areas
Personal phones and laptops prohibited in all client work areas. Company-managed encrypted devices only.
Written Policies
We Have Signed Internal Security Policies
Aligned to Industry-Standard Security Frameworks
Our security program is designed and maintained in alignment with three widely recognised security frameworks. Detailed mapping documentation is maintained internally for each.
NIST CSF
NIST CYBERSECURITY FRAMEWORK
Our security program maps to all five CSF functions: Identify, Protect, Detect, Respond, and Recover. 35 controls mapped across the full framework.
✓ 94% COVERAGE ACROSS ALL FIVE FUNCTIONS
CIS CONTROLS V8
CIS CRITICAL SECURITY CONTROLS
All 18 CIS Controls implemented at IG1/IG2 level. Every foundational Basic Cyber Hygiene control (IG1) fully deployed across all company devices and accounts.
✓ ALL IG1 BASIC CYBER HYGIENE CONTROLS DEPLOYED
FTC SAFEGUARDS
FTC SAFEGUARDS RULE: 16 CFR PART 314
Our WISP satisfies the updated Safeguards Rule. CPA firms can reference our compliance documentation to fulfil their §314.4(f) service provider oversight obligation.
✓ ALL 9 RULE SECTIONS ADDRESSED
Get in Touch About Our Security Program
CPA firms conducting vendor due diligence are welcome to speak directly with our Operations & Compliance Manager about our security measures, framework alignment, and how we protect client data in practice. We welcome any security conversation.