AgentTax

Security & Reliability

Last Updated: April 2, 2026

1. Authentication & API Key Security

  • API keys use the atx_live_ prefix and are SHA-256 hashed before storage. The raw key is shown once at creation and cannot be retrieved afterward.
  • Keys are passed via the X-API-Key header or Authorization: Bearer header. Never embed keys in URLs or client-side code.
  • Passwords are verified using PBKDF2 with 100,000 iterations (SHA-512) and timingSafeEqual for constant-time comparison. We do not use bcrypt.
  • Session tokens should be stored securely. We recommend HttpOnly cookies for web applications.
  • You can revoke and rotate keys anytime from your dashboard or via the API.

2. Data Handling & Privacy

  • Transaction data is stored in Neon Postgres with TLS encryption in transit.
  • EINs (Employer Identification Numbers) are encrypted at rest with AES-256-CBC. The system fails closed — if the encryption key is not set, EIN operations are rejected entirely.
  • We do not sell, share, or monetize your transaction data. Period.
  • We do not store passwords in plaintext — they are hashed with PBKDF2 as described above.
  • API keys are hashed before storage — we cannot see your raw keys after creation.

For full details on how we collect and use data, see our Privacy Policy.

3. What We Don't Store

  • Credit card numbers — handled entirely by Stripe. Card data never touches our servers.
  • Social Security Numbers — we do not collect or store SSNs.
  • Raw passwords — only PBKDF2 hashes are stored.
  • IP addresses in transaction logs — transaction records do not include client IP addresses.

4. Rate Limiting & Abuse Protection

  • Monthly call limits are enforced per API key based on your plan tier: Free (100), Starter (10K), Growth (100K), Pro (1M).
  • Exceeding your monthly limit returns HTTP 403.
  • Burst rate limiting returns HTTP 429 with a Retry-After header.
  • Response headers on every request: X-RateLimit-Limit, X-RateLimit-Remaining, X-RateLimit-Reset.
  • Demo mode (no API key) is limited to prevent abuse.

See Pricing for plan details and limits.
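The two-layer limiter this section describes (a monthly quota per key answered with 403, a burst limit answered with 429 plus Retry-After, and X-RateLimit-* headers on every response), as an added example in Node.js. This is not AgentTax's code. The plan limits are the page's; the burst window size, the choice to count only accepted requests against the quota, and X-RateLimit-Reset meaning the first second of the next UTC month are assumptions.

```javascript
// Added example (not AgentTax's code): per-key monthly quota (403 when
// exhausted) plus a sliding-window burst limiter (429 with Retry-After),
// emitting the X-RateLimit-* headers listed on the page. Plan tiers match the
// page; burst size, window and the reset-time semantics are assumptions.
const PLAN_LIMITS = { free: 100, starter: 10000, growth: 100000, pro: 1000000 };

function startOfNextUtcMonth(nowMs) {
  const d = new Date(nowMs);
  return Date.UTC(d.getUTCFullYear(), d.getUTCMonth() + 1, 1);  // rolls over Dec -> Jan
}

// burstLimit accepted requests per burstWindowMs, per key.
function createLimiter({ burstLimit = 20, burstWindowMs = 1000 } = {}) {
  const monthly = new Map();  // keyId -> { month: 'YYYY-MM', count }
  const bursts = new Map();   // keyId -> timestamps of recently accepted requests

  // Returns { status, headers } for a request by keyId on plan at nowMs.
  // status 200 means "proceed"; 403 and 429 are the rejections the page lists.
  return function check(keyId, plan, nowMs = Date.now()) {
    const limit = PLAN_LIMITS[plan];
    if (limit === undefined) return { status: 403, headers: {} };  // unknown plan: deny

    const month = new Date(nowMs).toISOString().slice(0, 7);
    let m = monthly.get(keyId);
    if (!m || m.month !== month) {          // new month resets the counter
      m = { month, count: 0 };
      monthly.set(keyId, m);
    }
    const headers = {
      'X-RateLimit-Limit': String(limit),
      'X-RateLimit-Remaining': String(Math.max(0, limit - m.count)),
      'X-RateLimit-Reset': String(Math.floor(startOfNextUtcMonth(nowMs) / 1000)),
    };

    // Monthly quota exhausted: 403, as on the page.
    if (m.count >= limit) return { status: 403, headers };

    // Burst check. Only accepted requests occupy the window, so a client that
    // keeps retrying during a 429 does not extend its own penalty.
    const recent = (bursts.get(keyId) || []).filter(t => nowMs - t < burstWindowMs);
    if (recent.length >= burstLimit) {
      const retryAfterSec = Math.ceil((recent[0] + burstWindowMs - nowMs) / 1000);
      bursts.set(keyId, recent);
      return {
        status: 429,
        headers: { ...headers, 'Retry-After': String(Math.max(1, retryAfterSec)) },
      };
    }

    recent.push(nowMs);
    bursts.set(keyId, recent);
    m.count += 1;
    headers['X-RateLimit-Remaining'] = String(limit - m.count);
    return { status: 200, headers };
  };
}
```

In a serverless deployment the two maps would live in a shared store rather than in process memory, since each function instance would otherwise keep its own counters; the decision logic is unchanged.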

5. Infrastructure & Uptime

  • Hosted on Vercel's edge network — automatic global distribution, DDoS protection, and SSL termination.
  • Database: Neon Postgres (serverless) with automatic connection pooling.
  • No single point of failure — serverless functions scale automatically.
  • Health endpoint: GET /api/v1/health — returns current status, database connectivity, and engine version.
  • We monitor uptime internally and target high availability. Formal Service Level Agreements are available for Enterprise customers upon request at legal@agenttax.io.

6. CORS & Access Control

  • Authentication endpoints (signup, login) have restricted CORS — browser requests are accepted only from agenttax.io.
  • API calculation endpoints have wildcard CORS — designed for server-to-server agent calls.
  • This is intentional: agents calling from any origin should work; browser-based credential flows should not.
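The split origin policy described in this section, as an added example in Node.js; this is not AgentTax's code. The auth route paths, the calculation route path used in the test, and the decision to answer a foreign-origin browser request on an auth route with 403 rather than merely omitting the headers are assumptions; the policy itself (agenttax.io only for signup/login, wildcard for calculation endpoints) follows the page.

```javascript
// Added example (not AgentTax's code): CORS policy split by route class.
// Auth routes accept browser requests only from agenttax.io; calculation
// routes answer any origin. The exact paths are assumptions.
const TRUSTED_ORIGIN = 'https://agenttax.io';
const AUTH_PATHS = ['/api/v1/auth/signup', '/api/v1/auth/login'];  // assumed paths

function isAuthRoute(path) {
  return AUTH_PATHS.includes(path);
}

// Decide the CORS response headers for a request. Returns null when a browser
// request on an auth route comes from an untrusted origin.
function corsHeadersFor(path, origin) {
  if (!isAuthRoute(path)) {
    // Server-to-server calculation endpoints. A wildcard is acceptable here
    // because these routes authenticate with an API-key header, and browsers
    // never send cookies to, or expose responses of, a '*' origin with credentials.
    return {
      'Access-Control-Allow-Origin': '*',
      'Access-Control-Allow-Methods': 'GET, POST, OPTIONS',
      'Access-Control-Allow-Headers': 'Content-Type, X-API-Key, Authorization',
    };
  }
  if (origin === undefined) {
    // No Origin header: not a cross-site browser request (curl, a server),
    // so CORS does not apply. Send no CORS headers and let the handler run.
    return {};
  }
  if (origin !== TRUSTED_ORIGIN) return null;
  return {
    'Access-Control-Allow-Origin': TRUSTED_ORIGIN,
    'Access-Control-Allow-Credentials': 'true',   // cookie-based session flows allowed
    'Access-Control-Allow-Methods': 'POST, OPTIONS',
    'Access-Control-Allow-Headers': 'Content-Type',
    'Vary': 'Origin',  // response depends on Origin, so caches must not reuse it across origins
  };
}

// Minimal middleware shape: preflights get the headers (or 403) and stop;
// real requests get the headers merged into the eventual response.
function applyCors(req) {
  const headers = corsHeadersFor(req.path, req.headers.origin);
  if (headers === null) return { status: 403, headers: {}, proceed: false };
  if (req.method === 'OPTIONS') return { status: 204, headers, proceed: false };
  return { status: null, headers, proceed: true };
}
```

Omitting Access-Control-Allow-Origin is enough to stop a page on another site from reading the response, but the request itself would still execute on the server; answering 403 before the login handler runs is what keeps a foreign page from driving a credential flow at all. The wildcard is only safe on routes that never rely on cookies, which is why the calculation endpoints authenticate with a header.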

7. Data Retention & Deletion

  • Transaction data is retained for the duration of your account plus 7 years (IRS record-keeping requirement for tax data).
  • You can request account deletion by emailing security@agenttax.io. We will delete your account and API keys within 30 days, subject to legal retention obligations for tax records.
  • Rate verification logs are retained indefinitely as part of our audit trail.

8. Responsible Disclosure

If you discover a security vulnerability, please report it to security@agenttax.io.

  • We take all reports seriously and will respond within 48 hours.
  • We will not pursue legal action against good-faith security researchers.