Early access · The product is in development. Join the waitlist to be in the first cohort.Join the waitlist
Gideon KeepGet early access

Security

Built with your data taking it seriously.

Tax data is more sensitive than most software touches. Here's exactly what we do, in plain English. This page is updated as our practices evolve.

Encryption

  • SSN, ITIN, EIN, and bank routing/account numbers are encrypted at the field level with envelope keys. Decryption happens only on demand and is logged.
  • Every other data field is encrypted at rest via database-level encryption.
  • Receipts and documents are stored in object storage with per-account encryption keys.
  • All traffic uses TLS 1.3 in transit.

Access control

  • Two-factor authentication is available to every user and required for Business plan accounts.
  • Employee access to user data follows least-privilege rules. Every access is logged in an immutable audit trail.
  • Background checks for any employee with access to PII.
  • Anomaly detection on login patterns triggers step-up auth and an email notification to you.

Where your data lives

  • US-based hosting. US-based team. We do not transfer your tax data outside the United States.
  • Cross-region backups encrypted with per-account keys. Restore is tested quarterly.
  • Documented recovery objectives: RPO ≤ 24 hours, RTO ≤ 4 hours.

What we will never do

  • Sell your data.
  • Share your data with advertisers or data brokers.
  • Use your tax records to train AI models — ours or anyone else's.
  • Read your documents for content beyond extracting fields you asked us to extract.
  • Respond to a subpoena without first notifying you, unless legally prohibited.

Your rights

  • Export everything. One click — a ZIP of your records, documents, and audit log.
  • Delete everything. One click. We retain records for 90 days after cancellation, then permanently delete them. Records under litigation hold are an exception that we'll disclose to you.
  • See what we did. Your audit log is visible to you, not just to us.

Compliance and audits

  • SOC 2 Type 1 in progress; Type 2 audit follows public launch.
  • Written Information Security Plan (WISP) per IRS Publication 4557.
  • Annual third-party penetration test; quarterly internal vulnerability scans.
  • Vendor security questionnaires for every third party that touches user data.

Reporting a vulnerability

Found something? Email security@gideonkeep.com. We respond quickly and we won't sue researchers acting in good faith.