Security
Last updated: [DATE]
Quarterlease handles taxpayer financial data, so protecting it is part of the product. This page describes the practices the Service is built around. [Confirm each item against your backend before publishing.]
Encryption
Data is encrypted in transit using TLS. Stored data is encrypted at rest by the hosting platform. [Confirm provider and method.]
Access control
- Each firm's data is separated by account, so one firm cannot see another's data.
- Within a firm, role-based access control determines what each preparer can view and finalize.
- Administrative access to production systems is limited to authorized personnel.
Authentication
Accounts are protected by passwords, which are stored using a one-way hash. [Add multi-factor authentication here once available.]
Infrastructure
The Service runs on established cloud infrastructure with managed backups. [Name your hosting and database providers, and state backup frequency.]
Payments
Card payments are processed by a third-party payment provider. Quarterlease does not store full card numbers. [Confirm provider, e.g. Stripe.]
Data retention and deletion
Firms control their client records. Data is retained while an account is active and for a limited period afterward, then deleted or anonymized. See the privacy policy for details.
Reporting a vulnerability
If you believe you have found a security issue, email security@quarterlease.com with details so we can investigate. Please do not publicly disclose an issue before we have had a chance to address it.
Contact
support@quarterlease.com, Quarterlease LLC.