Encryption Standards

How we protect your sensitive financial data

TuskCPA uses bank-level encryption to protect all client data. Data is encrypted at rest, in transit, and during processing using industry-standard cryptographic protocols.

Encryption Overview

Data at Rest

AES-256 encryption for all stored data. Databases, file storage, and backups are fully encrypted.

Data in Transit

TLS 1.3 for all network communications. Perfect forward secrecy ensures past sessions remain secure.

Key Management

AWS KMS manages encryption keys. Keys are rotated regularly and never stored with encrypted data.

Backup Encryption

All backups encrypted separately with unique keys. Immutable backups prevent ransomware attacks.

Data at Rest Encryption

All data stored in TuskCPA databases and file storage is encrypted using AES-256, the same encryption standard used by financial institutions and government agencies.

What Is Encrypted

  • Client financial records and tax returns
  • Personal identifying information (SSNs, EINs, addresses)
  • Bank account and payment information
  • Uploaded documents and files
  • Communication logs and emails
  • User passwords (hashed with bcrypt, not reversible)
  • Database records and indices
  • Application logs (when containing sensitive data)

Encryption Method

AES-256-GCM (Advanced Encryption Standard)

  • 256-bit key length (2^256 possible keys)
  • Galois/Counter Mode for authenticated encryption
  • NIST-approved and FIPS 140-2 compliant
  • Used by NSA for TOP SECRET information
  • Computationally infeasible to break with current technology

Data in Transit Encryption

All communication between your browser and TuskCPA servers, as well as between internal services, is encrypted using TLS 1.3.

TLS 1.3 Protocol

  • Latest version of Transport Layer Security
  • Perfect forward secrecy (PFS): past sessions cannot be decrypted even if long-term keys are later compromised
  • Faster handshake process reduces latency
  • Removes support for outdated cipher suites
  • Certificate pinning prevents man-in-the-middle attacks

Supported Cipher Suites

TLS_AES_256_GCM_SHA384
TLS_CHACHA20_POLY1305_SHA256
TLS_AES_128_GCM_SHA256

Key Management

Encryption keys are managed using AWS Key Management Service (KMS), which is backed by FIPS 140-2 Level 2 validated hardware security modules (HSMs).

Key Hierarchy

Master Keys (KMS)

Stored in AWS KMS HSM. Never leave the HSM in plaintext. Rotated automatically every 365 days.

Data Encryption Keys (DEKs)

Generated per-client or per-file. Encrypted by master keys. Rotated every 90 days or on-demand.

Envelope Encryption

Data is encrypted with DEKs, and DEKs are encrypted with master keys. This provides layered security and efficient key rotation.
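The envelope scheme described above, as an added example that is not TuskCPA's code: a per-record DEK encrypts the data with AES-256-GCM, the DEK is wrapped under a master key, and rotating the master key re-wraps only the DEK. All function names and the record layout are hypothetical, and `masterKey` is a local 32-byte stand-in for a key that would stay inside the KMS.

```javascript
// Added example: envelope encryption; masterKey is a local stand-in for a KMS key.
const { randomBytes, createCipheriv, createDecipheriv } = require("node:crypto");

// AES-256-GCM with a fresh 96-bit IV; output layout is iv(12) || tag(16) || ciphertext.
function seal(key, plaintext, aad) {
  const iv = randomBytes(12);
  const c = createCipheriv("aes-256-gcm", key, iv);
  c.setAAD(Buffer.from(aad));
  const ct = Buffer.concat([c.update(plaintext), c.final()]);
  return Buffer.concat([iv, c.getAuthTag(), ct]);
}

// Inverse of seal; final() throws if the key, AAD, tag or ciphertext is wrong.
function unseal(key, blob, aad) {
  const d = createDecipheriv("aes-256-gcm", key, blob.subarray(0, 12));
  d.setAAD(Buffer.from(aad));
  d.setAuthTag(blob.subarray(12, 28));
  return Buffer.concat([d.update(blob.subarray(28)), d.final()]);
}

// Encrypt one record under its own DEK, then wrap the DEK under the master key.
// The AAD binds the wrapped DEK to the key id and record id it was issued for.
function encryptRecord(masterKey, keyId, recordId, plaintext) {
  const dek = randomBytes(32);
  const record = { keyId, recordId,
    wrappedDek: seal(masterKey, dek, `${keyId}|${recordId}`),
    data: seal(dek, plaintext, recordId) };
  dek.fill(0); // drop the plaintext DEK once the record is sealed
  return record;
}

function decryptRecord(masterKey, record) {
  const dek = unseal(masterKey, record.wrappedDek, `${record.keyId}|${record.recordId}`);
  try { return unseal(dek, record.data, record.recordId); } finally { dek.fill(0); }
}

// Master-key rotation: only the small wrapped DEK is re-encrypted; data bytes stay as they are.
function rewrap(oldMaster, newMaster, newKeyId, record) {
  const dek = unseal(oldMaster, record.wrappedDek, `${record.keyId}|${record.recordId}`);
  const wrappedDek = seal(newMaster, dek, `${newKeyId}|${record.recordId}`);
  dek.fill(0);
  return { ...record, keyId: newKeyId, wrappedDek };
}
```

Because GCM is authenticated, a record whose ciphertext, wrapped DEK, key id or record id has been altered fails to decrypt instead of returning corrupted plaintext.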

Key Rotation

Regular key rotation limits the exposure of any single encryption key:

  • Master Keys: Rotated annually (automatic)
  • Data Encryption Keys: Rotated quarterly
  • TLS Certificates: Renewed every 90 days (automatic via Let's Encrypt)
  • User Session Tokens: Expire after 24 hours
  • API Keys: Can be rotated on-demand by account admins

Database Encryption

Our PostgreSQL databases use Transparent Data Encryption (TDE) provided by AWS RDS. All database instances, automated backups, and read replicas are encrypted.

Additional Database Security

  • Field-level encryption for SSNs, EINs, and bank account numbers
  • Encrypted database connections (SSL/TLS)
  • Encrypted transaction logs
  • No plaintext sensitive data in query logs

File Storage Encryption

All uploaded documents are stored in AWS S3 with server-side encryption (SSE-KMS). Each file is encrypted with a unique key.

File Security Features

  • Encryption before upload (client-side) for sensitive documents
  • Server-side encryption with customer master keys (SSE-KMS)
  • Encrypted file metadata and access logs
  • Pre-signed URLs with expiration (temporary access)
  • Versioning enabled with encrypted historical versions

Backup Encryption

Backups are encrypted using separate encryption keys from production data. This ensures that even if production keys are compromised, backups remain secure.

Backup Security

  • Automated daily backups with encryption
  • Immutable backups (cannot be modified or deleted for 30 days)
  • Geo-redundant backup storage in multiple AWS regions
  • Regular backup restoration tests
  • Separate AWS account for backup storage (isolation)

Compliance Standards

SOC 2 Type II

Annual audit of security controls including encryption practices

FIPS 140-2

Cryptographic modules validated to federal standards

IRS Pub 1075

Compliance with IRS requirements for tax return data protection

GDPR

Encryption supports data protection and privacy requirements

Security Questions?

Request our full security documentation or schedule a call with our security team.
