
Security & Reliability

Last Updated: April 2, 2026

1. Authentication & API Key Security

  • API keys use the atx_live_ prefix and are SHA-256 hashed before storage. The raw key is shown once at creation and cannot be retrieved afterward.
  • Keys are passed via the X-API-Key header or Authorization: Bearer header. Never embed keys in URLs or client-side code.
  • Passwords are verified using PBKDF2 with 100,000 iterations (SHA-512) and timingSafeEqual for constant-time comparison. We do not use bcrypt.
  • Session tokens should be stored securely. We recommend HttpOnly cookies for web applications.
  • You can revoke and rotate keys anytime from your dashboard or via the API.

2. Data Handling & Privacy

  • Transaction data is stored in Neon Postgres with TLS encryption in transit.
  • EINs (Employer Identification Numbers) are encrypted at rest with AES-256-CBC. The system fails closed — if the encryption key is not set, EIN operations are rejected entirely.
  • We do not sell, share, or monetize your transaction data. Period.
  • We do not store passwords in plaintext — they are hashed with PBKDF2 as described above.
  • API keys are hashed before storage — we cannot see your raw keys after creation.

For full details on how we collect and use data, see our Privacy Policy.

3. What We Don't Store

  • Credit card numbers — handled entirely by Stripe. Card data never touches our servers.
  • Social Security Numbers — we do not collect or store SSNs.
  • Raw passwords — only PBKDF2 hashes are stored.
  • IP addresses in transaction logs — transaction records do not include client IP addresses.

4. Rate Limiting & Abuse Protection

  • Monthly call limits are enforced per API key based on your plan tier: Free (100), Starter (10K), Growth (100K), Pro (1M).
  • Exceeding your monthly limit returns HTTP 403.
  • Burst rate limiting returns HTTP 429 with a Retry-After header.
  • Response headers on every request: X-RateLimit-Limit, X-RateLimit-Remaining, X-RateLimit-Reset.
  • Demo mode (no API key) is limited to prevent abuse.

See Pricing for plan details and limits.

5. Infrastructure & Uptime

  • Hosted on Vercel's edge network — automatic global distribution, DDoS protection, and SSL termination.
  • Database: Neon Postgres (serverless) with automatic connection pooling.
  • No single point of failure — serverless functions scale automatically.
  • Health endpoint: GET /api/v1/health — returns current status, database connectivity, and engine version.
  • Target uptime: 99.9%. Current uptime since launch: 100%.

6. CORS & Access Control

  • Authentication endpoints (signup, login) have restricted CORS — browser requests are accepted only from agenttax.io.
  • API calculation endpoints have wildcard CORS — designed for server-to-server agent calls.
  • This is intentional: agents calling from any origin should work; browser-based credential flows should not.

7. Data Retention & Deletion

  • Transaction data is retained for the duration of your account plus 7 years (IRS record-keeping requirement for tax data).
  • You can request account deletion by emailing Beardsley@agenttax.io. We will delete your account and API keys within 30 days, subject to legal retention obligations for tax records.
  • Rate verification logs are retained indefinitely as part of our audit trail.

8. Responsible Disclosure

If you discover a security vulnerability, please report it to Beardsley@agenttax.io.

  • We take all reports seriously and will respond within 48 hours.
  • We will not pursue legal action against good-faith security researchers.

© 2026 Agentic Tax Solutions LLC. Tax rates verified daily against Tax Foundation, Sales Tax Institute, state DOR websites, Anrok, TaxJar, TaxCloud, and Kintsugi. AgentTax provides tax calculations for informational purposes only. Consult a qualified tax professional for compliance decisions.