How Pitbulltax Protects You
At PitBullTax, the protection of your and your clients' confidential data is our first priority. We value and respect you as a tax professional, and want you to feel confident and comfortable when using our product and entrusting your clients' personal and business financial data to us.
Safeguarding your Data
- Our staff continuously monitors our security program, reacting immediately to implement necessary changes.
- We constantly assess our system security settings to pro-actively address potential risks.
- Our network transmissions are secure, and all financial information is encrypted.
- Our disaster-recovery plan ensures rapid and secure data retrieval.
- Our servers are fully protected with the latest anti-virus security software available.
- We regularly inspect our system for network susceptibilities, and resolve any possible exposures.
- Our back-ups are stored off-site in secure multiple locations.
- We have an internal auditing system in place to respond to incidents, and test it regularly to ensure it is always “geared up” in the ready mode.
Making certain our staff members protect your data
- All new hires undergo a background check. All workers' access credentials are disabled and deleted when they leave our organization.
- All access to critical information is allowed by proper authorization, and only to complete necessary tasks.
- All workers receive extensive privacy and security training when they are hired.
- Workers receive additional training for security and privacy at regular intervals.
We take security measures to protect your personal data and information. These measures include technical and preventive steps to protect your data from misuse, unauthorized access, loss, alteration, or destruction.
We work to continually monitor for security vulnerabilities that might affect you and also to inform you about any issues immediately.
Our Trust Seal provides our customers with malware protection and improved website conversions and traffic.
Extended Validation SSL Certificates
Our SSL certificates use SHA-2 signatures and 2048-bit keys to stop hackers in their tracks. That's the strongest encryption on the market today. It's virtually uncrackable.
Extended Validation SSL Certificates provide the highest level of online assurance for your customers thanks to a process that's standardized across all Certification Authorities. Using the most extensive SSL vetting process available, Extended Validation SSL Certificates are available only to corporations which are legally registered in the U.S., Canada, UK, New Zealand and Australia and verified with a registered status of "Good Standing," "Active" or equivalent. The process verifies the organization's identity and the validity of the request to determine the overall legitimacy of the business.
What are SSL Certificates?
An SSL certificate is a digital certificate that authenticates the identity of a website and encrypts information sent to the server using SSL (Secure Sockets Layer) technology. Encrypting information means scrambling data into an undecipherable format that can only be read and understood with the proper decryption key.
A certificate works as an electronic "passport", establishing an online entity's credentials when performing any transactions on the web. In order to establish a secure connection, the server's digital certificate is accessed by the user's browser whenever there's an attempt to send confidential information to that web server.
Information contained in an SSL certificate:
- The certificate holder's name
- The certificate's serial number and expiration date
- A copy of the certificate holder's public key
- The digital signature of the certificate-issuing authority
How it works
An SSL creates a secure means for confidential information (like usernames, passwords, credit card numbers and more) to pass through safely.
First, the SSL "handshake"
When visitors enter an SSL-protected area of a website, an encrypted connection is automatically created with the visitor's browser.
The padlock icon appears
Once the connection is complete, visitors will see a padlock icon and an HTTPS prefix appear in their browser bar to show them it's safe to share personal details. The browser's address bar will also turn green, which indicates that we hold a high-assurance EV Certificate.
You're good to go
Through 2048-bit encryption, virtually unbreakable by hackers, all the information passing to and from the website is scrambled for your security.
We care about security as much as you do. And we do it well.
PitBullTax's production software is securely hosted on our servers and protected with physical security 365 days a year, with a full-time security staff, video surveillance and alarms to prevent any high-tech hacks. Our professional staff and automated tools monitor service performance for problems on an ongoing basis. In case of a power cut or smoke, our secure power supply and backup generators would immediately kick in for protection.
We certify your data is protected and stays private.
Keeping all of your confidential data private and protected is our concern; that's why we rely on advanced, industry-recognized security protection to guarantee privacy and protection. PitBullTax Software uses a GoDaddy SSL product. GoDaddy is one of the leading secure sockets layer (SSL) Certificate Authorities. We have the security elements required to protect your personal data through the use of password-protected logins, firewall-protected servers and the same encryption technology (128-bit SSL) used by financial corporations all over the world.
Your data is always backed up.
We will automatically back it up for you. In this way, you get the convenience of automatic offsite storage without having to worry about the extra effort and cost of making physical backup copies on your own. In case anything happens to your system, you can still access all of your data from any computer connected to the internet.
We value privacy as much as you do.
We care about privacy in everything we do. It's our way to show our customers we respect and value them on a daily basis. We continuously follow a strict set of guidelines and practices to protect all their private information. And, we do not sell or share their information with third parties for their promotional use. For full disclosure of our privacy practices, please read our Privacy Statement.
Server redundancy or mirroring
PitBullTax Software has been available more than 99.7% of the time for the past five years, thanks to our dependable mirror server that is constantly updated to keep an exact replica of the data as a backup. These servers are synchronized over a secured Internet connection. So, your service will not be affected even if one of our primary servers fails or becomes unavailable for maintenance, which means that, no matter when or where, you can always access your data online.
You are in control.
You can control who accesses your data, and what can actually be seen and done with it too. Each person you invite to use PitBullTax Software must create a unique password which no one can see, not even the CEO of PitBullTax. We also offer multiple permission levels to limit the access privileges of each user. Besides that, you can also download a local copy of your data to your hard drive for more comfort and control on your side.
Everyone is held accountable.
PitBullTax Software offers a unique Activity Log and History Trail. The Activity Log records all activities, and the History Trail lists all changes made. These useful tools record every login to the service and any change made to every form field, and cannot be turned off by users. So, basically, you will always know what happens to your records, capturing the IP address with GPS location, user name, client name, action date/time, previous value and new value, status and document/form name. In addition, PitBullTax adds a record to the History Trail each time the user logs in and logs out, including the IP address and the time of this action. This way, licensees can monitor who accessed their accounts.
Technical and preventive steps
Cross-site Scripting Prevention
PitBullTax Software incorporates the work of HTMLPurifier, a component capable of removing all malicious code with a thoroughly audited, secure yet permissive whitelist, and which also makes sure the filtered content is standards-compliant.
Cross-site Request Forgery Prevention
Cross-Site Request Forgery (CSRF) attacks happen when a malicious web site triggers a user's web browser to execute an unwanted action on a trusted site. For instance, a malicious web site may have a page that contains an image tag whose src points to a money-transfer URL on a banking site. If a user who has a login cookie for the banking site visits this malicious page, the transfer of whatever amount to whomever the attacker chose will be executed under that user's session.
To prevent these CSRF attacks, it is very important to abide by the rule that GET requests should only be allowed to retrieve data, never to modify any data on the server. POST requests, in turn, should include some random value which the server can recognize, to ensure that the form was submitted from, and the result is sent back to, the same origin.
PitBullTax Software implements a CSRF prevention scheme to help prevent POST-based attacks. It is based on storing a random value in a cookie and comparing this value with the value submitted via the POST request.
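The double-submit scheme described above, as an added example (not PitBullTax's own code): the server issues a random value, stores it in a cookie and embeds it in the form, and a POST is accepted only when both copies match. The cookie name `csrf_token`, the field name `_csrf`, and the reduction of HTTP to plain dicts are assumptions of this example.

```python
"""Double-submit cookie CSRF check (added illustration, not PitBullTax's code).

Assumptions not taken from the page: cookie name "csrf_token", hidden form
field "_csrf", and requests modelled as plain dicts.
"""
import hmac
import secrets

COOKIE_NAME = "csrf_token"   # assumed cookie name
FIELD_NAME = "_csrf"         # assumed hidden form field name


def issue_csrf_token() -> str:
    """Random value the server puts in the cookie and embeds in the form."""
    return secrets.token_urlsafe(32)


def render_form(token: str) -> str:
    """Embed the token so a legitimate same-origin POST can echo it back."""
    return (f'<form method="post"><input type="hidden" '
            f'name="{FIELD_NAME}" value="{token}"></form>')


def csrf_check(cookies: dict, form: dict) -> bool:
    """Accept the POST only if the form value matches the cookie value.

    A cross-origin attacker page can make the browser *send* the cookie, but
    the same-origin policy stops it from *reading* the cookie, so it cannot
    place a matching value in the forged form.
    """
    cookie_val = cookies.get(COOKIE_NAME)
    form_val = form.get(FIELD_NAME)
    if not cookie_val or not form_val:
        return False
    # Constant-time comparison so the token is not leaked through timing.
    return hmac.compare_digest(cookie_val.encode(), form_val.encode())


def handle_transfer(method: str, cookies: dict, form: dict) -> str:
    """State-changing route: GET may only read; POST must pass the CSRF check."""
    if method != "POST":
        return "405 GET requests may only retrieve data"
    if not csrf_check(cookies, form):
        return "403 CSRF check failed"
    return "200 transfer accepted"
```

A request that carries the cookie but no matching field (the forged image request in the paragraph above) is rejected, while the same cookie plus the matching form value passes.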
Cookie Attack Prevention
As session IDs are commonly stored in cookies, protecting them from being attacked is of great importance. If someone gets hold of a session ID, this person essentially owns all relevant session information.
PitBullTax Software implements a cookie validation scheme that protects cookies from being modified. In particular, it performs an HMAC check on the cookie values when cookie validation is enabled.
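An HMAC cookie validation check of the kind described above, as an added example (not PitBullTax's own code): each cookie value is stored together with an HMAC-SHA256 tag, and any value whose tag does not verify is discarded. The validation key, the `value|tag` layout and the sample cookie contents are constructed for this example.

```python
"""HMAC-validated cookie values (added illustration, not PitBullTax's code).

Assumptions not taken from the page: HMAC-SHA256, a "value|hexdigest" layout,
and a constructed server-side key (a real deployment keeps it out of source).
"""
import hashlib
import hmac
import secrets

VALIDATION_KEY = b"example-validation-key-not-for-production"  # constructed
SEPARATOR = "|"


def sign_cookie(value: str, key: bytes = VALIDATION_KEY) -> str:
    """Append an HMAC tag: the browser can store the value but not alter it."""
    tag = hmac.new(key, value.encode(), hashlib.sha256).hexdigest()
    return f"{value}{SEPARATOR}{tag}"


def validate_cookie(raw: str, key: bytes = VALIDATION_KEY):
    """Return the original value if the tag verifies, else None.

    None covers a missing tag, a tag made with another key, and a value that
    was edited after signing; the caller must treat all three as no cookie.
    """
    if SEPARATOR not in raw:
        return None
    value, _, tag = raw.rpartition(SEPARATOR)
    expected = hmac.new(key, value.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected.encode(), tag.encode()):
        return None
    return value


def new_session_cookie() -> str:
    """Fresh random session ID, signed before it is handed to the browser."""
    return sign_cookie(secrets.token_hex(16))
```

The tag stops a client from editing a cookie it already holds; it does not stop a stolen session cookie from being replayed, which is why the session ID itself must stay secret in transit (the SSL layer above) and be rotated on login.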
For licensees' safety and privacy, PitBullTax has developed a connector that allows you to store your IRS e-services login credentials on your local computer and connect to the IRS to access transcript data.
Licensees' login credentials are stored permanently in the PitBullTax Connector installed on their computer. PitBullTax does not store the username and password used to log in to IRS e-services, and these login credentials are never placed in the cloud.
This is how your PitBullTax Connector will work:
- Licensees download and install the connector from PitBullTax Software onto their local computer which resides as an icon on their taskbar.
- The request to IRS e-services is then made from the IP address of the licensee’s computer.
- The IRS transcripts are then downloaded to the PitBullTax server which parses the data and creates multiple reports.
- The transcripts and reports stay in PitBullTax servers under the licensees’ document management area.
- Data from the transcripts populate various areas of the licensee’s client’s IRS Forms and tools to provide seamless integration.
Code Encryption Prevention
We utilize IonCube to provide additional protection against reverse engineering and to enforce technology licensing. IonCube gives IT providers a double layer of protection for applications.
How does IonCube work?
The ionCube Encoder compiles source code to bytecode, can obfuscate and encrypt the compiled code if desired, and has features to protect decryption keys in various ways, including a unique approach of algorithmic, non-stored keys that ionCube calls Dynamic Keys.
The IonCube license used by PitBullTax developers and PitBullTax software provides the ability to create license files for your products. License files can protect against unauthorized use by locking code to specific machines and can also be set to expire, which is ideal for releasing trial versions. The native licensing features offer benefits over PHP-based licensing, and support adding one's own licensing ideas on top.
Can IonCube Intermediate Code files be de-coded back into the PHP source file?
Like encryption, obfuscation can only be undone using brute-force techniques, which require vast amounts of time and resources to decipher obfuscated code; and the longer the obfuscated string is, the less realistic it is to decode, as the number of possible combinations increases exponentially.
Firewalls are simple mechanisms to control access into and out of the company. In PitBullTax, one of the primary jobs of a firewall is to protect the company’s network from internet threats and to enforce company security policies. The security policy will dictate what applications, services, ports and IP addresses are allowed and disallowed via the firewall.
When you take into consideration that this product will be the main entrance point to and from your company you have to ensure you have chosen a solid firewall with a proven reputation. So PitBullTax has chosen to go with CHECK POINT. For the eighteenth consecutive year, Check Point has been positioned in the "Leaders" quadrant in the Magic Quadrant for Enterprise Network Firewalls.
Two Factor Authentication (2FA)
2-Factor Authentication (2FA) is an optional extra layer of security used to make sure that PitBullTax users trying to gain access to a PitBullTax online account are who they say they are. First, the PitBullTax user enters their username and password. After receiving the username and password, the site sends the user a unique one-time passcode via SMS text message. Then, instead of immediately gaining access, the user is required to enter the one-time passcode that was sent to their phone.
With 2-Factor Authentication, a compromise of just one of these factors (username/password or access to the mobile phone) won't unlock the account. So, even if your password is stolen or your phone is lost, the chances of someone else having your second-factor information are very low. In an effort to provide a more secure and protected software application to all licensees, PitBullTax Software makes 2-Factor Authentication available to all users at no additional cost.
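The server side of the two-step login described above, as an added example (not PitBullTax's own code): the password is checked first, a one-time passcode is then issued with a validity window and consumed on use, and neither factor alone opens the account. The user record, the phone number, the 5-minute passcode lifetime and the in-memory stand-in for the SMS gateway are constructed for this example.

```python
"""Two-step login with an SMS one-time passcode (added illustration, not
PitBullTax's code). SMS delivery is replaced by an in-memory outbox; the user
record, phone number and 300-second passcode lifetime are constructed."""
import hashlib
import hmac
import secrets
import time

OTP_TTL_SECONDS = 300  # assumed validity window for the passcode
_SALT = b"example-salt"  # constructed; real systems use a per-user random salt


def _pw_hash(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 50_000)


USERS = {  # constructed user store
    "alice": {"pw_hash": _pw_hash("correct horse"), "phone": "+1-555-0100"},
}
PENDING = {}     # username -> (otp, expires_at); one outstanding passcode each
SMS_OUTBOX = []  # (phone, otp) pairs; stands in for the SMS gateway


def _password_ok(username: str, password: str) -> bool:
    user = USERS.get(username)
    if user is None:
        return False
    return hmac.compare_digest(_pw_hash(password), user["pw_hash"])


def start_login(username: str, password: str, now: float = None) -> str:
    """Step 1: verify the first factor; on success send a fresh passcode."""
    if not _password_ok(username, password):
        return "denied"
    otp = f"{secrets.randbelow(1_000_000):06d}"  # 6-digit, CSPRNG-backed
    t = now if now is not None else time.time()
    PENDING[username] = (otp, t + OTP_TTL_SECONDS)
    SMS_OUTBOX.append((USERS[username]["phone"], otp))
    return "otp_sent"


def finish_login(username: str, otp: str, now: float = None) -> str:
    """Step 2: the passcode must be current and is consumed on first success."""
    entry = PENDING.get(username)
    if entry is None:          # no password step happened, or code already used
        return "denied"
    expected, expires_at = entry
    t = now if now is not None else time.time()
    if t > expires_at:
        PENDING.pop(username, None)
        return "expired"
    if not hmac.compare_digest(expected.encode(), otp.encode()):
        return "denied"        # a real service also rate-limits these attempts
    PENDING.pop(username)      # single use: a replayed code no longer matches
    return "authenticated"
```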
For most companies, adherence to any number of regulations and industry standards is a requirement for doing business in a global market. It also can be time consuming, and doesn't come cheap. That's why it's good to have our data center, Peak 10, in your corner. They have a dedicated compliance officer on staff, and you can leverage our audit-ready servers, facilities and cloud infrastructure to ensure the security and availability of our applications and data, and to help meet your company's compliance requirements.
When it comes to security and technical controls, the proof is in the certification. Our Data Center has successfully completed the following:
SSAE 16/ISAE SOC 1 Type 2
This dual-standard report is intended to help Peak 10 customers and their auditors in evaluating the effect of the controls at Peak 10 on their financial statement assertions. The SOC 1 report attests that Peak 10’s control objectives are appropriately designed and operating effectively.
Peak 10 is certified under ISO/IEC 27001:2013, which is an auditable international standard that formally outlines requirements for an Information Security Management System (ISMS) to help protect and secure an organization’s data.
SOC 2 Type 2
The SOC 2 report is an attestation report that provides an evaluation of controls specific to the criteria set forth by the American Institute of Certified Public Accountants (AICPA) Trust Services Principles. These principles define leading practice controls relevant to security, and availability.
SOC 3 Type 2
The SOC 3 report is a Trust Services Report, and is designed to meet the needs of Peak 10 customers that want assurance about Peak 10's controls related to security and availability but do not need the level of detail provided in a SOC 2 report.
Level 1 Service Provider under PCI DSS
Peak 10 is certified under PCI DSS as a Level 1 service provider. This means that Peak 10 data centers and cloud infrastructure operations are PCI DSS compliant.
U.S. Department of Commerce Safe Harbor Program
Peak 10 is certified under the U.S. Department of Commerce Safe Harbor Program, known as the U.S.-EU Safe Harbor Framework ("Safe Harbor").
HIPAA / HITECH Security Rule Compliance Report (AT 101)
Peak 10 data centers and cloud infrastructure meet the stringent requirements for compliance with the Health Insurance Portability and Accountability Act (HIPAA) Security Rule. We have implemented the physical, technical, and administrative safeguards to ensure that confidential electronic protected health information (ePHI) is secure.
In addition, Peak 10 holds the following:
- Cisco Cloud Provider Certification with a Cisco Powered Cloud Infrastructure-as-a-Service (IaaS) designation
- Cisco Powered Disaster Recovery as a Service (DRaaS) designation under the Cisco® Cloud and Managed Services Advanced Certification
Our Data-Center is Audit Ready:
- Statement on Standards for Attestation Engagements (SSAE 16)
- Health Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health Act (HITECH)
- Payment Card Industry Data Security Standard (PCI DSS)
- Sarbanes-Oxley (SOX)
- Food and Drug Administration (FDA)
- U.S.-EU Safe Harbor (European Commission’s Directive on Data Protection)
- ISO/IEC 27001:2013
- Gramm-Leach-Bliley (GLBA)
- International Traffic in Arms Regulations (ITAR)
- Federal Information Security Management Act (FISMA)
We Make Compliance Easy
Certification reports and other documentation are available to PitBullTax customers. If you would like to review our audit certificates, please send a formal request to firstname.lastname@example.org including your full contact details and the reason for the request. Contact us to learn more.
Questions & Answers
For your convenience, we are providing answers to the most frequently asked questions regarding our security.
What standards or compliance certifications does PitBullTax hold?
PitBullTax is compliant with the following certifications:
- SSAE-16/ISAE SOC 1 Type 2
- ISO 27001
- SOC 2 type 2
- SOC 3 Type 2
- PCI DSS
- U.S. Department of Commerce Safe Harbor Program
- HIPAA/HITECH Security Rule Compliance report (AT 101)
Does PitBullTax use a third-party hosting facility for our data? If so, do they have any certifications such as (SSAE-16, SOC, ISO)?
Yes, the hosting facility we use is compliant with all of the above outlined certifications.
Are PitBullTax employees trained on the policies and procedures on how to handle security incidents?
PitBullTax employees undergo security training upon hiring and throughout their tenure at PitBullTax.
Does PitBullTax have a disaster recovery plan and, if so, what is the frequency of testing?
Yes, conducted monthly.
What are the back-up procedures for the data we collect and when are restores tested?
We schedule a full database backup every day. We test the backup data monthly.
Does PitBullTax conduct external third-party security assessments and audits and how often?
Reviews of certifications are conducted quarterly.
What measures are in place to ensure that your data is secure?
- SSL data transport
- Encryption of all personal data in the data base
- Two Factor Authentication
What happens to our data if we do not renew our license?
It is stored for seven (7) years for reinstatement purposes.
Will PitBullTax sign a non-disclosure agreement?
Yes, upon request.
Does PitBullTax have a documented incident response process?
Yes, last updated in 2019 and reviewed annually.
Is our data always encrypted?
Will our backed-up data be stored securely offsite?
Where is our data stored?
In an encrypted data base.
Has PitBullTax ever had a security breach?
How will we be notified in case of a security breach?
We will email all our users stating the breach, its scope and consequences, and the necessary steps our licensees need to take.
What is your track record for availability/downtime?
Over the last 5 years PitBullTax has been “up” 99.7% of the time.
How will we access our data?
Via the web interface of the web application.