Tax data handled with the care it deserves.
Grove is built for the most sensitive data your firm touches — SSNs, K-1s, financial accounts, dependent records. Our security program is designed around the assumption that we hold information attackers will pay for, and the obligations the IRS, FTC, and state boards place on those who hold it.
Built to the standards tax data actually demands.
Grove’s security program is built around the AICPA Trust Services Criteria and the federal and state requirements that specifically govern tax preparers handling taxpayer data. SOC 2 Type II attestation is on our near-term roadmap.
Grove’s controls are designed against the Security, Availability, and Confidentiality criteria. We’re preparing the program for formal SOC 2 Type II audit, and are happy to share our security questionnaire and current control evidence under NDA in the meantime.
Grove provides the technical foundation firms need to satisfy the IRS’s Written Information Security Plan (WISP) requirement — encryption, access controls, monitoring, and audit logs out of the box.
We operate as a service provider under the Safeguards Rule. Our information security program is built around the controls the rule expects of providers handling financial data.
Service-provider obligations under the California Consumer Privacy Act and California Privacy Rights Act. Data-subject requests are honored within the statutory window.
Grove tracks state-level privacy laws applicable to tax-preparer service providers across the United States, including breach-notification statutes.
ISO 27001 is on our roadmap once our SOC 2 program reaches steady state. We design our controls today with the ISO 27001:2022 Annex A framework in mind.
How we think about your data.
Three commitments shape every product and infrastructure decision we make. They’re what makes the controls below mean something.
Your data is not training data.
Customer Data is never used to train Grove’s models or any third-party model. We use commercial API tiers from our LLM providers where data is not retained for model training.
Least access, by default.
Access to customer tax data inside Grove is scoped to the smallest set of people who need it, gated by MFA, and logged. We design for the day we have to prove it — not the day we’re asked.
Encrypted everywhere it lives.
Customer Data is encrypted in transit (TLS 1.3) and at rest (AES-256). The most sensitive fields — SSNs, ITINs, EINs, IP PINs, dates of birth, bank account and routing numbers — are additionally encrypted at the field level and accessed through a tokenized vault.
Customer-controlled deletion.
You own your data. On request, we delete Customer Data from primary stores and then from backups, and confirm in writing when complete.
What that looks like in practice.
A summary of our security controls. Detailed evidence and our security questionnaire are available under NDA.
Defenses inside the product itself.
The application layer is built to the controls firms expect of a vendor handling client tax data.
- Per-client magic-link onboarding for taxpayers
- Preparer sign-in via Google and Microsoft SSO
- Per-firm scoped access with role-based permissions
- Rate limiting on sensitive endpoints
- Third-party penetration testing on our roadmap
Built on hardened cloud foundations.
Grove runs on US-based, SOC 2 Type II cloud infrastructure for application hosting, database, and storage. Background document processing runs in a separate US region.
- US-only data residency
- Database accessed via service credentials, not public endpoints
- Encrypted, managed backups
- Edge DDoS protection in front of public traffic
- Application and access logging
Small team, tight access.
Grove is a small, security-conscious team. Access to production systems is scoped to the people who need it.
- Least-privilege access to production data
- MFA on the infrastructure consoles we operate
- Prompt offboarding when someone leaves
- Confidentiality & IP assignment on day one
Modern encryption, standard primitives.
Encryption is non-negotiable. We use standard, well-vetted algorithms across data in transit, at rest, and at the field level for the most sensitive values.
- TLS 1.3 in transit
- AES-256 at rest for databases, backups, and object storage
- Tokenized field-level encryption for SSNs, ITINs, EINs, IP PINs, dates of birth, and bank account/routing numbers
- Every decrypt of those fields is logged with the accessor identity
- No customer secrets or PII in application logs
Secure-by-default development.
Security is wired into how Grove ships software, not bolted on at release.
- Pull-request review on changes to production code
- TypeScript and ESLint enforced on every build
- Secrets managed by our infrastructure providers, never in code
- Responsible disclosure: security@grove.tax
Where AI meets your data.
Grove uses LLMs for narrow, well-scoped tasks. Customer Data is not used to train any model.
- Customer Data never used for training or fine-tuning
- Model providers accessed via their commercial APIs
- AI output presented for preparer review, not auto-filed
- Model providers listed under subprocessors below
How your firm’s data flows through Grove.
From the moment a client uploads a W-2 to the moment a return is delivered — every step is encrypted, scoped, and logged.
Collection
Documents and answers enter Grove through TLS 1.3 from the client portal or preparer interface.
Processing
Data is encrypted at rest and scoped to the firm it belongs to.
Retention & deletion
Records are retained for the period your firm requires, then deleted on request.
Built for the WISP requirement, not bolted on.
Every paid tax preparer is required by the IRS and FTC to maintain a Written Information Security Plan. Grove provides the technical foundation that satisfies the controls Pub. 4557 and the FTC Safeguards Rule actually ask for.
- Encryption in transit and at rest
- Access controls and MFA
- Vendor due diligence on subprocessors
- Logging and monitoring of access
- US-only data residency
- Written incident response process
The vendors we trust with your data.
We use a small, deliberate set of subprocessors to operate Grove. Each one is US-based, bound by a data processing agreement, and reviewed against our vendor security standard before we send them customer data.
The full named subprocessor list, with vendor certifications and data processing agreements, is available under NDA. Email security@grove.tax.
What happens if something goes wrong.
Grove maintains a written incident response process. If a security event affects your firm’s data, you will hear from us promptly — with what we know, what we’re doing, and what you should do.
What you can expect from us.
The clock starts when we confirm an event materially affects Customer Data — not when we finish investigating.
Have a security question we haven’t answered?
Email our security team directly. We respond within one business day, and we’re happy to walk through our controls, fill out vendor questionnaires, or jump on a call with your IT or compliance lead.