Information Security Policy
Last updated: 2026-05-20
Version 1.0
1. Purpose & Scope
This policy governs how Form5472 Prep (“the Company”) protects customer information, including bank transaction data accessed via Plaid, used in the preparation of IRS Form 5472 and pro forma Form 1120 filings.
2. Data Classification
- Highly sensitive: customer banking credentials (never stored — Plaid handles authentication directly with the financial institution), bank transaction data, government identifiers (EIN, ITIN), tax filing PDFs.
- Sensitive: customer email, address, LLC details.
- Internal: application logs, infrastructure metadata.
3. Access Control
- Production systems and data are accessible only to authorized personnel.
- All access to admin systems requires authentication via password and session token.
- Vendor consoles (Vercel, Cloudflare, Plaid, Stripe, Resend) are protected by strong unique passwords and two-factor authentication.
- No customer banking credentials are ever stored — Plaid handles authentication directly with financial institutions; we only receive scoped access tokens.
4. Encryption
- All data in transit is encrypted via TLS 1.2+ (HTTPS enforced).
- Data at rest in our managed PostgreSQL database is encrypted (encryption-at-rest enabled).
- File storage (Cloudflare R2) uses server-side encryption.
- All secrets (API keys, database URLs) are stored in encrypted environment variables, never in source code.
5. Vendors & Sub-processors
We use the following SOC 2 / ISO 27001 compliant infrastructure providers:
- Vercel — application hosting
- Cloudflare R2 — file storage
- Plaid — bank account connectivity
- Stripe — payment processing
- Resend — transactional email
- Managed PostgreSQL database
We do not share customer data with any third party other than for the purpose of completing the customer's filing or processing their payment.
6. Data Retention & Deletion
See our Data Retention Policy for the full schedule. Bank transaction data pulled via Plaid is used solely to prepare the customer's filing and may be deleted on customer request. Customers may request deletion of their account and data at any time via the customer portal or by emailing support@form5472prep.com.
7. Incident Response
- Production errors are monitored via Vercel logs and alerting.
- In the event of a confirmed data breach, affected customers will be notified within 72 hours via email, and relevant regulators and partners (including Plaid, where applicable) will be notified per applicable law.
- Suspected security issues should be reported to security@form5472prep.com.
8. Software Development
- All code is version-controlled in a private repository.
- Production deployments require successful CI build (type checks, lint, tests).
- Dependencies are scanned for known vulnerabilities via the package registry.
9. Personnel Security
- Employees and contractors with access to systems sign confidentiality agreements.
- Access is granted on a need-to-know basis and revoked immediately upon offboarding.
10. Policy Review
This policy is reviewed annually and updated as the business grows.