Security, By Design, For Your Financial Data
At ScaleShift Tax, we treat your financial and tax data with strong security, operational discipline, and clear disclosure about what is live today versus what is still on the roadmap.
Our Security Architecture
Comprehensive protection across every layer of our platform.
Encryption in Transit & at Rest
All data is encrypted in transit using TLS 1.3 and at rest using AES-256. Credentials and secrets are stored in a managed key vault — never in plain text.
Indian Data Residency
Your data stays in India. Backend services and the primary database are hosted in Mumbai (asia-south1) to align with RBI and GSTN data-residency expectations for regulated financial data. Our stateless web frontend is served globally via Google's edge network — no customer financial data is stored outside India.
GST Workflow Controls
Our GST workflows are designed around audit trails, proof capture, role controls, and clear visibility into what is prepared, what is manually filed, and what is still pending.
Least-Privilege Data Access
Engineer access to production data is gated behind time-bound, audit-logged approvals — no one on the team touches raw client invoices without explicit authorization and a paper trail.
Granular Access Control
Role-based access control (RBAC) across every dashboard. Firms can scope their staff to specific clients and data so team members only see what they're authorised to handle.
Security-First Engineering
Regular dependency scanning, secret scanning in CI, and a planned third-party penetration test before general availability. SOC 2 Type II is a stated roadmap item, not a current certification.
Compliance Roadmap
ScaleShift Tax is in public beta. We publish the frameworks we're building toward so you can hold us accountable — not the badges we haven't earned yet.
India's Digital Personal Data Protection Act. Consent, breach-notification and data-principal rights flows are being implemented ahead of launch.
Information Security Management. Target audit window: within 12 months of general availability.
Trust Services Criteria across security, availability and confidentiality. Observation period begins post-launch.
Additional direct filing integrations may be added over time. Today, production workflows rely on guided preparation, review, and proof-aware filing controls, and we do not overstate what is automated.
Status current as of launch. We'll update this page the moment a framework moves to "certified" — and we'll publish the auditor's name and report scope alongside it.