Documented, operated, and ready for your auditor.
Every safeguard on your sovereign CPA client portal is backed by a written procedure — mapped to the exact GLBA and IRS requirement it satisfies. Not a feature list: a documented control program you can produce on request.
The rules your firm is on the hook for.
Before the controls, the requirements. These are the laws, rules, and IRS publications that define what you legally owe your clients.
The rules your firm must meet — and how we help you meet them.
Tax and accounting firms that handle taxpayer data are legally required to safeguard it. These are the actual obligations — the laws, rules, and IRS publications that define what “reasonable security” means for your practice.
- IRS Publication 4557 — Safeguarding Taxpayer DataThe IRS baseline for how tax pros must protect client data.
- IRS Publication 5708 — Creating a Written Information Security Plan (WISP)The template and structure for the WISP the IRS requires you to have.
- IRS Publication 1345 — Authorized IRS e-file Providers (security)Security and privacy rules for anyone e-filing returns.
- “Protect Your Clients; Protect Yourself” (Security Six)The IRS's core set of six protections every practice should run.
- IRC §7216 — Consent to disclose / use taxpayer infoYou must capture explicit client consent before using or sharing their data.
- FTC Safeguards Rule — what your business needs to knowThe FTC's plain-language guide to the security program you owe clients.
- 16 CFR Part 314 — the Safeguards Rule textThe actual regulation, element by element (§314.4).
- Gramm-Leach-Bliley Act (GLBA)The federal law that makes tax preparers “financial institutions.”
A WISP is required by the IRS (Pub 5708) to obtain or renew your PTIN, and the FTC Safeguards Rule (under GLBA) applies to tax preparers as “financial institutions.”
Not legal advice — confirm your obligations with counsel.
How we map to each obligation.
For every requirement, a specific control we run in production — not a promise, a mechanism.
Requirement
The control we run
GLBA / FTC Safeguards Rule §314.4 — access controls & least privilege
Single-tenant isolation + mandatory MFA + per-record anti-IDOR authorization
FTC Safeguards §314.4(c) — encryption of customer information
Off-box OpenBao envelope encryption; master keys escrowed off the server
IRS Pub 4557 — safeguarding taxpayer data
Single-tenant box, encryption at rest, MFA, and monitored access
IRS Pub 5708 — Written Information Security Plan (WISP)
A written WISP mapped element-by-element to FTC §314.4, kept as living documentation
FTC Safeguards §314.4(b) — risk assessment
Written Risk Assessment + a living Risk Register reviewed on a schedule
FTC Safeguards §314.4(d) — continuous monitoring / logging
Immutable, DB-enforced append-only audit log; centralized logging & monitoring
FTC Safeguards §314.4(h) — incident response
Incident Response Plan + breach-notification templates aligned to state law
Availability / ransomware resilience
Ransomware-resistant, isolated, verified off-site backups + tested DR plan
IRC §7216 — consent to use / disclose taxpayer info
In-portal §7216 consent capture, e-signed and written to the audit trail
ESIGN / UETA — enforceable electronic signatures
Our own PAdES e-sign with a court-ready Certificate of Completion
Requirement
GLBA / FTC Safeguards Rule §314.4 — access controls & least privilege
Single-tenant isolation + mandatory MFA + per-record anti-IDOR authorization
Requirement
FTC Safeguards §314.4(c) — encryption of customer information
Off-box OpenBao envelope encryption; master keys escrowed off the server
Requirement
IRS Pub 4557 — safeguarding taxpayer data
Single-tenant box, encryption at rest, MFA, and monitored access
Requirement
IRS Pub 5708 — Written Information Security Plan (WISP)
A written WISP mapped element-by-element to FTC §314.4, kept as living documentation
Requirement
FTC Safeguards §314.4(b) — risk assessment
Written Risk Assessment + a living Risk Register reviewed on a schedule
Requirement
FTC Safeguards §314.4(d) — continuous monitoring / logging
Immutable, DB-enforced append-only audit log; centralized logging & monitoring
Requirement
FTC Safeguards §314.4(h) — incident response
Incident Response Plan + breach-notification templates aligned to state law
Requirement
Availability / ransomware resilience
Ransomware-resistant, isolated, verified off-site backups + tested DR plan
Requirement
IRC §7216 — consent to use / disclose taxpayer info
In-portal §7216 consent capture, e-signed and written to the audit trail
Requirement
ESIGN / UETA — enforceable electronic signatures
Our own PAdES e-sign with a court-ready Certificate of Completion
Security isn't a feature we bolt on — it's a documented program.
Here's what we operate and can produce on request.
Written Information Security Plan (WISP)
A full WISP structured to IRS Pub 5708 and mapped element-by-element to FTC §314.4 — the document the IRS requires you to keep, kept as living documentation rather than a one-time PDF.
Policies
5Information Security Policy (master)
The top-level policy every other control rolls up to.
Acceptable Use Policy
How systems and data may — and may not — be used.
Access Control Policy
Who gets access to what, on a least-privilege basis.
Data Classification & Handling Policy
How each tier of data is labeled, stored, and moved.
Policy Acknowledgement & Attestation
Signed proof that every operator has read and agreed to the rules.
Standard Operating Procedures
7SOP-01 — Access Control, MFA & Least Privilege
How access is granted, enforced with MFA, and scoped to the minimum needed.
SOP-02 — Encryption & Key Management
How data is encrypted and how off-box keys are generated, rotated, and custodied.
SOP-03 — Logging, Monitoring & SIEM
What we log, how it's monitored, and how anomalies are triaged.
SOP-04 — Backup, DR & Ransomware Resilience
How backups are taken, isolated, verified, and restored under a disaster.
SOP-05 — Incident Response
The steps we run to detect, contain, eradicate, and recover from an incident.
SOP-06 — Vulnerability, Patch & Change Management
How vulnerabilities are found, patches applied, and changes controlled.
SOP-07 — Data Retention & Secure Disposal
How long data lives and how it's securely destroyed when it shouldn't.
Programs & plans
Written Risk Assessment + living Risk Register
A documented assessment kept current as threats and systems change.
Incident Response Plan + breach-notification templates
A ready-to-run plan with pre-drafted notifications aligned to state breach law.
Business Continuity / DR Plan
How service and data are restored, with tested recovery objectives.
Quarterly Access-Review Procedure
A recurring review that confirms every account still needs its access.
Vendor / Subprocessor Register + Vendor Risk Management
A tracked list of every subprocessor and how each one is risk-assessed.
Security Awareness Training + attestation log
Recurring training with a signed record that it was completed.
Built to SOC 2, GLBA FTC Safeguards, and IRS Pub 4557 / Pub 5708 standards. HitDirector is not itself SOC 2 certified, and this page is not legal advice. Your firm's final compliance — including your Written Information Security Plan (WISP) and any §7216 consent language — depends on your own policies and counsel; we give you the documented controls and architecture to build on. Not legal advice — confirm your obligations with counsel.
Every safeguard, a written procedure —
and an answer for every auditor.
See the sovereign CPA client portal and the documented control program behind it — single-tenant, off-box keys, your own e-signature, and an immutable audit trail.