Security

Your data is encrypted; we can’t read it from our servers. This page explains exactly what that means, in plain language, so you don’t have to take a slogan on trust.

What happens on your device

When you create an account, your browser derives encryption keys from your master password using Argon2id, a deliberately slow key-derivation function designed to resist guessing. Your password never leaves your device, and neither do the keys that decrypt your data.

The tax engine also runs entirely on your device. Computations work offline, and the figures you enter are encrypted locally before anything is stored or synced. Signing in proves you know your password without transmitting it: the server compares a derived verifier, not the password itself.

What our servers hold

For your account to work, our servers store:

  • your name and email address, so you can sign in and we can reach you;
  • an authentication verifier: a hash that lets us check you know your password without us ever seeing the password;
  • wrapped keys: encrypted copies of your data key that only your password or your recovery key can open. We store the locked box, not the key to it;
  • if you use sync, your records as opaque encrypted blobs. We can see that a blob exists, how big it is, and when it last changed. We cannot see a client name, an income figure, or any other content inside it;
  • your subscription status, so the right features are switched on;
  • if you enable device unlock or join a firm workspace, housekeeping details: a short device label, the firm’s name and member list, and sealed key material that only members can open.

A breach of our database would expose account basics such as names and email addresses, but your tax data would stay ciphertext and hashes, never readable computations. That is not a reason to be careless; it is the design assumption the whole product is built on, and if a breach ever happened we would notify you, as the Privacy Policy sets out.

Your recovery key

When you sign up, you receive a 24-word recovery key. If you forget your master password, the recovery key is the only way to reset it (a device where you enabled device unlock can still open your data locally). We cannot reset your password for you, because we never have the keys that would make that possible.

This is a real trade-off, stated plainly: if you lose both your password and your recovery key, your encrypted data is gone. Keep the recovery key somewhere safe and offline, the way you would keep the deed to a house.
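The key handling described under "What happens on your device", "What our servers hold" and "Your recovery key", sketched as an added example that is not this product's code. Assumptions: scrypt stands in for Argon2id so the example needs only Node's long-standing built-in crypto functions, the verifier is a SHA-256 hash of a derived login key, keys are wrapped with AES-256-GCM, the 24-word recovery key is modelled as 32 random bytes, and every function and field name is hypothetical.

```javascript
// Added illustration, not this product's code. scrypt stands in for Argon2id.
const crypto = require('node:crypto');
const hkdf = (key, salt, label) => Buffer.from(crypto.hkdfSync('sha256', key, salt, label, 32));
const sha256 = (buf) => crypto.createHash('sha256').update(buf).digest();

// Stretch the password once on the device, then split the result into two
// unrelated keys: authKey is sent at sign-in, wrapKey never leaves the device.
function deriveKeys(password, salt) {
  const master = crypto.scryptSync(password.normalize('NFKC'), salt, 32,
    { N: 2 ** 15, r: 8, p: 1, maxmem: 2 ** 26 });
  return { authKey: hkdf(master, salt, 'auth'), wrapKey: hkdf(master, salt, 'wrap') };
}

// AES-256-GCM key wrap; blob layout is iv(12) || tag(16) || ciphertext.
function wrap(kek, dataKey) {
  const iv = crypto.randomBytes(12);
  const c = crypto.createCipheriv('aes-256-gcm', kek, iv);
  const ct = Buffer.concat([c.update(dataKey), c.final()]);
  return Buffer.concat([iv, c.getAuthTag(), ct]);
}
function unwrap(kek, blob) {
  const d = crypto.createDecipheriv('aes-256-gcm', kek, blob.subarray(0, 12));
  d.setAuthTag(blob.subarray(12, 28));
  return Buffer.concat([d.update(blob.subarray(28)), d.final()]); // throws if kek is wrong
}

// Runs on the device. `server` is everything that gets uploaded; recoveryKey
// (the 24 words, modelled as 32 random bytes) is only ever shown to the user.
function signUp(password) {
  const salt = crypto.randomBytes(16), recoveryKey = crypto.randomBytes(32);
  const dataKey = crypto.randomBytes(32); // the key that encrypts the records
  const { authKey, wrapKey } = deriveKeys(password, salt);
  const server = { salt, verifier: sha256(authKey),
    wrappedByPassword: wrap(wrapKey, dataKey),
    wrappedByRecovery: wrap(hkdf(recoveryKey, salt, 'recovery'), dataKey) };
  return { server, recoveryKey, dataKey };
}

// Server side of sign-in: it receives authKey and compares hashes, nothing more.
const serverCheck = (server, authKey) => crypto.timingSafeEqual(sha256(authKey), server.verifier);
function openWithPassword(server, password) {
  const { authKey, wrapKey } = deriveKeys(password, server.salt);
  return serverCheck(server, authKey) ? unwrap(wrapKey, server.wrappedByPassword) : null;
}
// Forgotten password: the recovery key opens its own wrapped copy, then the
// device re-wraps the same data key under the new password.
function resetWithRecovery(server, recoveryKey, newPassword) {
  const dataKey = unwrap(hkdf(recoveryKey, server.salt, 'recovery'), server.wrappedByRecovery);
  const { authKey, wrapKey } = deriveKeys(newPassword, server.salt);
  return { ...server, verifier: sha256(authKey), wrappedByPassword: wrap(wrapKey, dataKey) };
}
```

The `server` record is enough to test password guesses offline, so the cost of the slow derivation step is what protects a weak password if that record is ever exposed.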

Sync and firm vaults

Sync is optional and is the paid part of the product. With sync on, your encrypted records are backed up and available on your other devices; the encryption and decryption still happen on the devices, never on the server. Firm workspaces extend the same model to a practice: shared vault keys are encrypted to each member’s own keys, so the server holds only sealed material it cannot open.

Why we don’t use bigger labels

Security marketing is full of phrases that promise more than they say. We prefer to describe the mechanism and let it speak for itself: keys are derived on your device, computations run on your device, and our servers store ciphertext, wrapped keys and account basics. The one claim we make is the one we can stand behind in full: your data is encrypted; we can’t read it from our servers.

Reporting a vulnerability

If you believe you have found a security issue, please email hello@taxrationale.com with the details. We read every report and will respond as quickly as we can.

For what we collect and your rights over it, see the Privacy Policy.