Security & Data Protection Policy

1. Purpose

This Security & Data Protection Policy describes the general safeguards and practices TaxPilotra uses to protect business information, project data, technical materials, and client-provided information handled in connection with tax automation services.

TaxPilotra provides automated tax system services, including tax calculation module development, tax rule engine design, API integration, and process consulting. These services may involve sensitive business workflows, technical documentation, sample datasets, and system access information.

2. Security Principles

TaxPilotra follows practical security principles designed to reduce unnecessary risk. These principles include data minimization, limited access, need-to-know handling, responsible credential use, reasonable technical safeguards, secure project communication, and controlled retention of project materials.

3. Data Minimization

Clients are encouraged to provide only the information needed for the requested service. Where possible, clients should provide masked, synthetic, anonymized, or non-production data for testing, examples, and discovery review.

TaxPilotra may request that unnecessary sensitive information be removed before analysis or development begins.

4. Access Control

Access to client project materials should be limited to personnel or service providers who need the information to perform the service. Access may be restricted based on role, project responsibility, technical necessity, or business need.

Clients should provide temporary, limited, and revocable access whenever possible. Shared credentials should be avoided. API keys, passwords, and access tokens should be rotated when appropriate.

5. Credential Handling

Credentials should not be submitted through ordinary public website forms. When credentials are necessary for a project, the client should use a secure method approved for the project and should limit permissions to the minimum required.

TaxPilotra may recommend restricted access, temporary credentials, separate development environments, non-production access, or other safeguards depending on the project.

6. Project Data Handling

Project data may include technical documentation, API specifications, sample transactions, workflow descriptions, product categories, jurisdiction mappings, rule assumptions, and integration details. TaxPilotra uses this information for project delivery, technical review, support, documentation, and related business purposes.

TaxPilotra does not use client project data for unrelated commercial purposes. Confidential business information should be handled according to the applicable agreement and project requirements.

7. Storage and Transmission

TaxPilotra uses commercially reasonable practices for storing and transmitting project materials. However, no storage or transmission method is completely secure. Clients should avoid sending highly sensitive information unless necessary and should use secure communication methods when appropriate.

8. Third-Party Service Providers

TaxPilotra may use third-party service providers for hosting, storage, communications, project management, development operations, analytics, security, payment processing, or related business functions. These providers may process limited information as necessary to support services.

TaxPilotra is not responsible for the independent acts, outages, security incidents, pricing changes, or policy changes of third-party systems outside its control.

9. Incident Response

If TaxPilotra becomes aware of a confirmed security incident involving client project data, TaxPilotra will take reasonable steps to evaluate the issue, limit further exposure, preserve relevant information, and notify affected clients where required.

Notification may depend on the nature of the incident, the information involved, legal requirements, available evidence, and whether disclosure could increase security risk.

10. Client Security Responsibilities

Clients are responsible for their own systems, internal users, access permissions, system configuration, data quality, backups, hosting accounts, production deployments, and internal compliance controls. TaxPilotra may provide guidance, but the client controls its own operational environment.

11. Production Use and Monitoring

Before using any automation deliverable in production, clients should test system behavior, validate outputs, confirm rule logic, review access controls, monitor errors, and maintain rollback or backup procedures.

Automated tax systems should be monitored and maintained because tax rules, business models, APIs, data schemas, and platform behavior may change over time.

12. Retention and Disposal

TaxPilotra may retain project information for service delivery, support, legal compliance, accounting, business records, dispute resolution, or security purposes. Where information is no longer needed and retention is not required, it may be deleted, archived, anonymized, or otherwise disposed of according to reasonable business practices.

13. Limitations

This policy describes general practices and does not guarantee that unauthorized access, loss, misuse, or security incidents will never occur. Security depends on both TaxPilotra and the client, as well as third-party systems, hosting environments, communication methods, and user behavior.

14. Policy Updates

TaxPilotra may update this Security & Data Protection Policy to reflect changes in services, technology, legal requirements, vendor relationships, or internal security practices.