Security

Tax data is sensitive. We treat it that way.

Four commitments we don't bend, six controls behind them, and a stack chosen so the answer to "is my data in South Africa?" is always yes.

Audit log

4,228 events · Append-only

  • you, 14:32:11: uploaded statement FNB-business-feb-2026.pdf (284 KB · sha-256:9f4a…2b1d)

  • system, 14:32:14: parsed statement, 47 transactions (model: claude-sonnet-4.5)

  • system, 14:35:08: categorised Vodacom airtime (Comms · 92% confidence)

  • you, 14:36:42: re-categorised Discovery Health (Office → Medical)

+ 4 more events · hash-chained

The four commitments

What we promise, in plain words.

Read-only bank access

We have read-only access to your bank data. We cannot move your money.

Your SARS password stays yours

Your SARS password is never shared with us.

24-hour deletion

Your statements are deleted within 24 hours of processing.

Data resident in South Africa

All your data stays in South Africa.

Controls

Six controls behind the four commitments.

Column-level AES-256-GCM encryption

Sensitive fields — tax numbers, ID numbers, transaction amounts, descriptions, counterparties, tax calculations — are encrypted at the column level. A database dump alone is useless. The master key lives in Fly secrets and Cloudflare Worker secrets, never in source control.

Per-user data isolation

Every API query is scoped by the authenticated user ID. Even an internal bug cannot cross account boundaries. Audit logs verify this is enforced on every read.

Append-only audit log

Every action taken on your account is recorded — when, by whom, against which return. The audit log is append-only at the database level: updates and deletes raise exceptions, not silent overwrites.
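
What the "hash-chained" label on the audit log adds on top of append-only storage, as an added TypeScript example (not autotax's own code; the entry shape, field encoding and the `anchoredHead` parameter are assumptions): each entry commits to the one before it, so an edit or deletion anywhere breaks verification from that point on.

```typescript
import { createHash } from "node:crypto";

// Hypothetical entry shape, modelled on the audit-log entries shown on this page.
interface AuditEvent {
  seq: number; at: string; actor: string; action: string; detail: string;
  prevHash: string; // hash of the previous entry (GENESIS for the first)
  hash: string;     // SHA-256 over this entry's fields plus prevHash
}
const GENESIS = "0".repeat(64);

// Length-prefix every field so ("ab","c") and ("a","bc") cannot hash alike.
function entryHash(e: Omit<AuditEvent, "hash">): string {
  const h = createHash("sha256");
  for (const f of [String(e.seq), e.at, e.actor, e.action, e.detail, e.prevHash]) {
    const bytes = Buffer.from(f, "utf8");
    h.update(`${bytes.length}:`).update(bytes);
  }
  return h.digest("hex");
}

function append(log: readonly AuditEvent[], at: string, actor: string,
                action: string, detail: string): AuditEvent[] {
  const last = log[log.length - 1];
  const body = { seq: log.length + 1, at, actor, action, detail,
                 prevHash: last ? last.hash : GENESIS };
  return [...log, { ...body, hash: entryHash(body) }];
}

// Returns 0 if intact, otherwise the 1-based position of the first bad entry.
// anchoredHead is the newest hash as recorded outside the table (assumption).
function verifyChain(log: readonly AuditEvent[], anchoredHead?: string): number {
  let prev = GENESIS, pos = 0;
  for (const e of log) {
    pos++;
    if (e.seq !== pos || e.prevHash !== prev || e.hash !== entryHash(e)) return pos;
    prev = e.hash;
  }
  return anchoredHead !== undefined && anchoredHead !== prev ? log.length + 1 : 0;
}

// Constructed sample data: the four events shown on this page, on a made-up date.
function sampleLog(): AuditEvent[] {
  let log: AuditEvent[] = [];
  log = append(log, "2026-03-01T14:32:11", "you", "uploaded statement", "FNB-business-feb-2026.pdf");
  log = append(log, "2026-03-01T14:32:14", "system", "parsed statement", "47 transactions");
  log = append(log, "2026-03-01T14:35:08", "system", "categorised", "Vodacom airtime: Comms");
  log = append(log, "2026-03-01T14:36:42", "you", "re-categorised", "Discovery Health: Office to Medical");
  return log;
}
```

The chain alone cannot show that the newest entries were removed; that check only works when the latest hash is also recorded somewhere the database writer cannot change.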

Passkey-only authentication

autotax doesn't have passwords. We use WebAuthn passkeys via Better Auth — your device, your biometrics. MFA is required before a new bank upload, a return submission, or changing payout details.

PDF lifecycle: 24 hours

Statements you upload are stored in Cloudflare R2 (the JNB-resident bucket), encrypted at rest, and deleted automatically 24 hours after a successful parse — both by an R2 lifecycle rule and by an explicit cleanup job. Only the derived transactions remain.

PII-scrubbed observability

Sentry and our application logs scrub IDs, tax numbers, and financial amounts at the logging middleware before anything leaves the application. Stack traces never carry your data.

The stack

Where your data actually lives.

Most SA SaaS products either send your data abroad or stay vague about where it goes. We've picked a stack so the honest answer is concrete.

  • Database: Postgres on Fly.io Johannesburg
  • Object storage: Cloudflare R2 (24h lifecycle)
  • Application runtime: NestJS on Fly.io JNB
  • Transport: TLS 1.3 only
  • Auth: Better Auth (passkey-only)
  • LLM: Anthropic Claude — no training on your data

Found a vulnerability?

Email security@autotax.co.za. We acknowledge within 48 hours. At public launch we'll run a formal bug-bounty programme; until then we'll thank you in person.

Trust, but verify.

The full security model is here for a reason. Read it. Then reserve your spot.