Security at Gideon Tax
Last updated: May 8, 2026
Gideon Tax is operated by Gideon Solutions, LLC. We file federal tax forms on behalf of taxpayers, so security is a core part of the product, not an add-on. This page describes the practical safeguards we use today and the ones we are working toward. We will say “we use,” “we plan to use,” or “we maintain” depending on what is in place.
Account and access protection
- We use a managed authentication provider for sign-in, password handling, and session management.
- We support and recommend multi-factor authentication for taxpayer accounts.
- Founder/admin accounts that can access taxpayer information are required to have multi-factor authentication enabled.
Encryption in transit
- All traffic to gideontax.com and its subdomains is served over HTTPS using modern TLS.
- We require HTTPS for all taxpayer-facing flows; plain HTTP connections are redirected to HTTPS.
- Internal connections to managed cloud databases and other backing services use TLS.
Domain and TLS controls
- gideontax.com is registered under Gideon Solutions, LLC at a public-facing registrar with domain lock enabled to prevent unauthorized transfer.
- We plan to use an Extended Validation (EV) TLS certificate for gideontax.com so the certificate identifies Gideon Solutions, LLC by name.
- We monitor certificate expiration and rotate certificates before they expire.
External vulnerability scanning
- We plan to use external vulnerability scanning through an Approved Scanning Vendor (ASV) for our public-facing taxpayer site, in line with IRS Online Provider expectations.
- Findings from scans are tracked, prioritized, and remediated, with critical findings handled first.
Anti-automation controls
- We use Cloudflare Turnstile or a comparable challenge-response control on sign-up, sign-in, and other sensitive flows to make credential stuffing and bulk abuse harder.
- We use rate limiting and bot detection at the edge to block high-volume automated traffic.
Data minimization
- We only ask for the information needed to file the specific federal tax form you are using (for example, the fields required by IRS Form 4868 or Form 2290).
- We do not collect Social Security numbers, EINs, VINs, or similar identifiers for products that do not need them.
- Payment card information is handled by our payment processor; we do not store full card numbers.
Incident reporting
If we determine that taxpayer information has been or may have been accessed, disclosed, or altered without authorization, we will follow our internal incident response plan. That includes notifying the IRS when required (per IRS Publication 1345 and related guidance) and notifying affected taxpayers as appropriate.
If a website-side issue is the cause of an incident, we will stop taxpayer data collection and the affected filing flows until the cause is resolved.
Responsible disclosure
If you believe you have found a security vulnerability in Gideon Tax, please report it to ian@gideonsolutions.us. Please do not test against real taxpayer data, do not run denial-of-service attacks, and give us a reasonable amount of time to respond before disclosing publicly. We appreciate good-faith reports.