Built by Senior SRE Engineers from Upstart, Dynascale & Fortune 500 — 25 years of production SRE experience. Meet the team →

Documented, operated, and ready for your auditor.

Every safeguard on your sovereign CPA client portal is backed by a written procedure — mapped to the exact GLBA and IRS requirement it satisfies. Not a feature list: a documented control program you can produce on request.

Written WISP mapped to FTC §314.4
5 policies · 7 SOPs · 6 programs
Every control tied to a legal obligation
Produced on request for your examiner

The rules your firm is on the hook for.

Before the controls, the requirements. These are the laws, rules, and IRS publications that define what you legally owe your clients.

How we map to each obligation.

For every requirement, a specific control we run in production — not a promise, a mechanism.

Requirement

GLBA / FTC Safeguards Rule §314.4 — access controls & least privilege

Single-tenant isolation + mandatory MFA + per-record anti-IDOR authorization

Requirement

FTC Safeguards §314.4(c) — encryption of customer information

Off-box OpenBao envelope encryption; master keys escrowed off the server

Requirement

IRS Pub 4557 — safeguarding taxpayer data

Single-tenant box, encryption at rest, MFA, and monitored access

Requirement

IRS Pub 5708 — Written Information Security Plan (WISP)

A written WISP mapped element-by-element to FTC §314.4, kept as living documentation

Requirement

FTC Safeguards §314.4(b) — risk assessment

Written Risk Assessment + a living Risk Register reviewed on a schedule

Requirement

FTC Safeguards §314.4(d) — continuous monitoring / logging

Immutable, DB-enforced append-only audit log; centralized logging & monitoring

Requirement

FTC Safeguards §314.4(h) — incident response

Incident Response Plan + breach-notification templates aligned to state law

Requirement

Availability / ransomware resilience

Ransomware-resistant, isolated, verified off-site backups + tested DR plan

Requirement

IRC §7216 — consent to use / disclose taxpayer info

In-portal §7216 consent capture, e-signed and written to the audit trail

Requirement

ESIGN / UETA — enforceable electronic signatures

Our own PAdES e-sign with a court-ready Certificate of Completion

Security isn't a feature we bolt on — it's a documented program.

Here's what we operate and can produce on request.

Written Information Security Plan (WISP)

A full WISP structured to IRS Pub 5708 and mapped element-by-element to FTC §314.4 — the document the IRS requires you to keep, kept as living documentation rather than a one-time PDF.

Policies

5

Information Security Policy (master)

The top-level policy every other control rolls up to.

Acceptable Use Policy

How systems and data may — and may not — be used.

Access Control Policy

Who gets access to what, on a least-privilege basis.

Data Classification & Handling Policy

How each tier of data is labeled, stored, and moved.

Policy Acknowledgement & Attestation

Signed proof that every operator has read and agreed to the rules.

Standard Operating Procedures

7

SOP-01 — Access Control, MFA & Least Privilege

How access is granted, enforced with MFA, and scoped to the minimum needed.

SOP-02 — Encryption & Key Management

How data is encrypted and how off-box keys are generated, rotated, and custodied.

SOP-03 — Logging, Monitoring & SIEM

What we log, how it's monitored, and how anomalies are triaged.

SOP-04 — Backup, DR & Ransomware Resilience

How backups are taken, isolated, verified, and restored under a disaster.

SOP-05 — Incident Response

The steps we run to detect, contain, eradicate, and recover from an incident.

SOP-06 — Vulnerability, Patch & Change Management

How vulnerabilities are found, patches applied, and changes controlled.

SOP-07 — Data Retention & Secure Disposal

How long data lives and how it's securely destroyed when it shouldn't.

Programs & plans

Written Risk Assessment + living Risk Register

A documented assessment kept current as threats and systems change.

Incident Response Plan + breach-notification templates

A ready-to-run plan with pre-drafted notifications aligned to state breach law.

Business Continuity / DR Plan

How service and data are restored, with tested recovery objectives.

Quarterly Access-Review Procedure

A recurring review that confirms every account still needs its access.

Vendor / Subprocessor Register + Vendor Risk Management

A tracked list of every subprocessor and how each one is risk-assessed.

Security Awareness Training + attestation log

Recurring training with a signed record that it was completed.

Built to SOC 2, GLBA FTC Safeguards, and IRS Pub 4557 / Pub 5708 standards. HitDirector is not itself SOC 2 certified, and this page is not legal advice. Your firm's final compliance — including your Written Information Security Plan (WISP) and any §7216 consent language — depends on your own policies and counsel; we give you the documented controls and architecture to build on. Not legal advice — confirm your obligations with counsel.

Every safeguard, a written procedure —and an answer for every auditor.

See the sovereign CPA client portal and the documented control program behind it — single-tenant, off-box keys, your own e-signature, and an immutable audit trail.