Security
At Taxly, security is not an afterthought — it's built into every layer of our platform. We understand that you're trusting us with sensitive financial data, government portal credentials, and personal documents. Here's exactly how we protect them.
Overview
Encryption at Rest
All data stored in our databases and file storage is encrypted using AES-256 encryption with AWS-managed keys. Your TaxProMax credentials receive additional KMS encryption with per-user context.
Encryption in Transit
All connections use TLS 1.2 or higher. HTTPS is enforced on every endpoint. HTTP Strict Transport Security (HSTS) prevents downgrade attacks.
Data Isolation
Each user's data is isolated at the infrastructure level using IAM-enforced partition keys. Even if application code had a bug, the cloud infrastructure itself denies cross-user data access.
Access Control
Every API request is authenticated via Cognito JWT tokens. Authorisation is enforced by AWS STS-scoped credentials that restrict each session to the user's own data partition.
Credential Protection
When you provide your TaxProMax username and password, we take extra precautions:
- KMS Encryption: Your TaxProMax password is encrypted using AWS Key Management Service (KMS) with a dedicated encryption key before it is stored. The encryption uses a per-user context — meaning a ciphertext from one user's record cannot be decrypted in the context of another user.
- Key Rotation: The KMS encryption key is automatically rotated annually by AWS.
- Least Privilege: Only two Lambda functions hold KMS decrypt permission — the accountant filing function used to access TaxProMax on your behalf, and the admin user-detail function used internally during manual filing. Bulk admin list queries and all user-facing APIs never receive the decrypted value. Every decryption is logged with the accessing identity and timestamp.
- Immediate Deletion: When you delete your account or remove your TaxProMax credentials, the encrypted value is permanently deleted from our database.
Infrastructure Security
- Cloud Provider: Amazon Web Services (AWS) — SOC 2 Type II, ISO 27001, ISO 27017, ISO 27018 certified
- Compute: AWS Lambda (serverless) — no persistent servers to patch or maintain; each function runs in an isolated execution environment
- Database: Amazon DynamoDB — fully managed, encrypted at rest, point-in-time recovery enabled
- File Storage: Amazon S3 — server-side encryption, block public access enforced, access only via time-limited presigned URLs
- CDN: Amazon CloudFront — TLS 1.2+ minimum, HTTP/2 and HTTP/3 support
Application Security
- Input Validation: All user input is validated and sanitised server-side before storage. HTML tags are stripped from text fields to prevent stored XSS attacks.
- Output Encoding: All data rendered in the browser is escaped to prevent cross-site scripting (XSS).
- Content Security Policy (CSP): Strict CSP headers prevent execution of unauthorised scripts.
- Rate Limiting: API Gateway throttling and WAF rate-based rules protect against brute-force and denial-of-service attacks.
- CORS: Cross-origin requests are restricted to our verified domains only.
- Webhook Verification: Payment webhooks are verified using HMAC-SHA512 signatures before processing.
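The webhook check described above, as an added example (not Taxly's or the payment provider's code). The `x-signature` header name, the hex encoding of the signature, and the sample secret and body are assumptions constructed for illustration. The signature is checked over the raw request bytes before any JSON parsing.

```python
import hashlib
import hmac
import json

SECRET = b"constructed-test-secret"  # constructed sample value
BODY = b'{"event":"payment.success","amount": 5000}'  # constructed sample


def sign(raw_body: bytes, secret: bytes) -> str:
    """Hex HMAC-SHA512 of the exact bytes received on the wire."""
    return hmac.new(secret, raw_body, hashlib.sha512).hexdigest()


def verify_webhook(raw_body: bytes, signature_hex, secret: bytes) -> bool:
    """Return True only if signature_hex matches HMAC-SHA512(secret, raw_body)."""
    if not signature_hex:
        return False  # missing header: reject
    expected = sign(raw_body, secret)
    try:
        # compare_digest avoids leaking the mismatch position through timing.
        return hmac.compare_digest(expected, signature_hex.strip().lower())
    except TypeError:
        return False  # non-ASCII signature string


def handle(raw_body: bytes, headers: dict, secret: bytes):
    """Parse the payload only after the signature has been verified."""
    # "x-signature" is a hypothetical header name; keys assumed lowercased.
    if not verify_webhook(raw_body, headers.get("x-signature"), secret):
        return 401, None
    return 200, json.loads(raw_body)
```

Verifying a re-serialised copy of the JSON instead of the raw bytes fails whenever whitespace or key order differs from what the sender signed.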
Authentication & Access
- Password Policy: Minimum 8 characters, requiring uppercase, number, and special character
- Email Verification: All accounts require email verification via a 6-digit OTP code
- Session Management: JWT tokens with short expiry; automatic refresh with secure token rotation
- Admin Separation: Admin accounts are in a separate Cognito group with distinct authorisation paths — admin credentials cannot access user endpoints and vice versa
Data Isolation Architecture
Taxly uses a single-table DynamoDB design with IAM-enforced tenant isolation:
- Each user's data is stored under their unique partition key (userId)
- The Lambda authorizer generates STS (Security Token Service) credentials scoped to dynamodb:LeadingKeys = [userId]
- This means the temporary credentials issued for your session can only read/write rows belonging to you — enforced by AWS IAM at the infrastructure level, not application code
- Even if a bug existed in our application logic, the IAM policy would deny any cross-partition access
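The scoping described above, as an added example (not Taxly's code): a session policy of the kind passed in the `Policy` parameter of `sts:AssumeRole`, plus a small local model of how the `dynamodb:LeadingKeys` condition is evaluated. The table ARN, action list, userId format and the `is_allowed` helper are assumptions for illustration.

```python
import json
import re

# Placeholder ARN; the page does not give the table name.
TABLE_ARN = "arn:aws:dynamodb:REGION:ACCOUNT_ID:table/EXAMPLE_TABLE"
# Item-level actions only. Scan is left out on purpose: it supplies no
# leading keys, and ForAllValues is vacuously true for an empty key set.
ITEM_ACTIONS = ["dynamodb:GetItem", "dynamodb:Query", "dynamodb:PutItem",
                "dynamodb:UpdateItem", "dynamodb:DeleteItem"]
USER_ID_RE = re.compile(r"[A-Za-z0-9-]{1,64}")  # assumed ID format


def session_policy(user_id: str) -> dict:
    """Build a session policy that allows only rows keyed by user_id."""
    # Reject anything that could be read as a policy variable ("${...}").
    if not USER_ID_RE.fullmatch(user_id):
        raise ValueError("unexpected userId format")
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": ITEM_ACTIONS,
            "Resource": TABLE_ARN,
            "Condition": {"ForAllValues:StringEquals":
                          {"dynamodb:LeadingKeys": [user_id]}},
        }],
    }


def policy_json(user_id: str) -> str:
    """Serialise for the AssumeRole Policy parameter (2,048 character limit)."""
    text = json.dumps(session_policy(user_id), separators=(",", ":"))
    if len(text) > 2048:
        raise ValueError("session policy too large")
    return text


def is_allowed(policy: dict, action: str, partition_keys: list) -> bool:
    """Local model of IAM evaluation for this policy shape only."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow" or action not in stmt["Action"]:
            continue
        cond = stmt["Condition"]["ForAllValues:StringEquals"]
        if set(partition_keys) <= set(cond["dynamodb:LeadingKeys"]):
            return True
    return False  # no matching Allow means implicit deny
```

A session policy can only narrow what the assumed role already allows, so the role's own policy still needs to be limited to this table.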
Monitoring & Incident Response
- Logging: All API requests and Lambda executions are logged via AWS CloudWatch with structured logging (AWS Lambda Powertools)
- Tracing: Distributed tracing via AWS X-Ray for performance monitoring and anomaly detection
- Alerting: CloudWatch alarms for error rate spikes, throttling events, and authentication failures
- Audit Trail: All admin actions (status changes, document verifications) are recorded in an immutable audit log
- Incident Response: We maintain an incident response procedure. In the event of a security incident, affected users are notified within 72 hours as required by the NDPA 2023
Compliance
- Nigeria Data Protection Act 2023 (NDPA): Full compliance — see our Privacy Policy
- AWS Infrastructure Compliance: SOC 2 Type II, ISO 27001, PCI DSS Level 1 (infrastructure level)
- Payment Processing: Monnify is PCI-DSS compliant — we never see or store card numbers
Responsible Disclosure
If you discover a security vulnerability in Taxly, we encourage responsible disclosure. Please report it to:
- Email: security@taxlytech.com
We ask that you:
- Do not access or modify other users' data
- Do not publicly disclose the vulnerability before we've had a chance to fix it
- Provide sufficient detail for us to reproduce and address the issue
We commit to acknowledging your report within 48 hours and providing a resolution timeline within 7 days.
Questions
For security-related questions or concerns, contact us at security@taxlytech.com.