How Pitbulltax Protects You

At PitBullTax, the protection of your and your client’s confidential data is our first priority. We value and respect you as a tax professional, and want you to feel confident and comfortable when using our product and entrusting your clients’ personal and business financial data to us.

Safeguarding your Data

• Our staff continuously monitors our security program, reacting immediately to implement necessary changes.
• We constantly assess our system security settings to pro-actively address potential risks.
• Our network transmissions are secure, and all financial information is encrypted.
• Our disaster-recovery plan ensures rapid and secure data retrieval.
• Our servers are fully protected with the latest anti-virus security software available.
• We regularly inspect our system for network susceptibilities, and resolve any possible exposures.
• Our back-ups are stored off-site in secure multiple locations.
• We have an internal auditing system in place to respond to incidents, and test it regularly to ensure it is always “geared up” in the ready mode.

Making certain our staff members protect your data

• All new hires undergo a background check. All workers access credentials are disabled and deleted when they leave our organization.
• All access to critical information is allowed by proper authorization, and only to complete necessary tasks.
• All workers receive extensive privacy and security training when they are hired.
  Workers receive additional training for security and privacy at regular intervals.

We take security measures to protect your personal data and information. These measures include technical and preventive steps to protect your data from misuse, unauthorized access, loss, alteration, or destruction.

We work to continually monitor for security vulnerabilities that might affect you and also to inform you about any issues immediately.

Trust Seal provides our customers with security of malware protection and Improved Web site conversions and traffic.

Extended Validation SSL Certificates

Our SSLs use SHA-2 and 2048-bit encryption to stop hackers in their tracks. That’s the strongest encryption on the market today. It’s virtually uncrackable.

Extended Validation SSL Certificates provide the highest level of online assurance for your customers thanks to a process that's standardized across all Certification Authorities. Using the most extensive SSL vetting process available, Extended SSL Certificates are available only to corporations which are legally registered in the U.S., Canada, UK, New Zealand and Australia and verified with a registered status of "Good Standing," "Active" or equivalent. The process verifies the organization's identity and the validity of the request to determine the overall legitimacy of the business.

What are SSL Certificates?

An SSL certificate is a digital certificate that authenticates the identity of a website and encrypts information sent to the server using SSL (Secure Sockets Layer) technology. Encrypting information means scrambling data into an undecipherable format that can only be read and understood with the proper decryption key.

A certificate works as an electronic "passport", establishing an online entity's credentials when performing any transactions on the web. In order to establish a secure connection, this server’s digital certificate is accessed by the user’s browser whenever there’s an attempt to send confidential information to a web server.

Information contained in an SSL certificate:

• The certificate holder's name
• The certificate's serial number and expiration date
• A copy of the certificate holder's public key
• The digital signature of the certificate-issuing authority

How it works

An SSL creates a secure means for confidential information (like usernames, passwords, credit card numbers and more) to pass through safely.

1. First, the SSL "handshake”

   When visitors enter an SSL-protected area of a website, an encrypted connection is automatically created with visitors’ browser.

2. The padlock icon appears

   Once the connection is complete, visitors will see a padlock icon and HTTPS prefix appear in their browser bar to show them it’s safe to share personal details. And our visitor’s status bar will turn green, which means we count with a high-assurance EV Certificate.

3. You're good to go

   Through a 2048-bit encryption, virtually unbreakable by hackers, all the information passing to and from the website has been scrambled for your security.

We care about security as much as you do. And we do it well.

PitBullTax's production software is securely hosted on our servers, and protected with physical security 365 days a year with a full-time security staff, video surveillance and alarms to prevent any high-tech hacks. Our professional staff and automated tools monitor service performance for problems on an ongoing basis. In case of a power cut or complex smoke our secure power supply and backup generators would immediately kick in for protection.

We certify your data is protected and stays private.

Keeping all of your confidential data private and protected is our concern; that´s why we stand on advanced, industry-recognized security protection to guarantee privacy and protection. PitBullTax Software uses a GoDaddy SSL product. GoDaddy is one of the leading secure sockets layer (SSL) Certificate Authority. We have the security elements required to protect your personal data through the use of password-protected logins, firewall protected servers and the same encryption technology (128 bit SSL) used by financial corporations all over the world.

You'll always backup your data.

We will automatically back it up for you. In this way, you get the handiness of automatic offsite storage without having to worry about the extra effort and cost of developing physical backup copies on your own. In case anything happens to your system, you could still access all of your data from any computer connected to the internet.

We value privacy as much as you do.

We care about privacy in everything we do. It's our way to show our customers we respect and value them on a daily basis. We continuously follow a strict set of guidelines and practices to protect all their private information. And, we do not sell or share their information with third parties for their promotional use. For full disclosure of our privacy practices, please read our Privacy Statement.

Server redundancy or mirroring

PitBullTax Software has been available more than 99.7% of the time for the past five years, thanks to our dependable mirror server that is constantly updated to keep an exact replica of the data as a backup. These servers are synchronized over a secured Internet connection. So, your service will not be affected even if one of our primary servers becomes impacted or unavailable for maintenance purposes, which means that, no matter when or where, you can always access your data online.

You are in control.

You can control who accesses your data, and what can actually be seen and done with it too. Each person you invite to use PitBullTax Software must create a unique password which no one can see, not even the CEO of PitBullTax. We also offer multiple permission levels to limit the access privileges of each user. Besides that, you can also download a local copy of your data to your hard drive for more comfort and control on your side.

Everyone is held accountable.

PitBullTax Software offers a unique Activity Log and History Trail. The Activity Log records all activities, and the History Trail lists all changes made. These useful tools record every login to the service and any changes made to every form field, and cannot be turned off by users. So, basically, you will always know what happens to your records, capturing the IP Address with GPS location, user name, client name, action date/time, previous value & new value, status and document/form name. In addition PitBullTax adds a record to the History Trail each time the user logs in and logs out, and includes the IP address and the time of this action. In this case, licensees can monitor who accessed their accounts.

Technical and preventive steps

1. Cross-site Scripting Prevention

   Cross-site scripting (also known as XSS) happens when a web application collects malicious data from a user. Attackers insert JavaScript, VBScript, ActiveX, HTML, or Flash into vulnerable applications to trick other application users and gather their data. For instance, a forum system that has not been well designed may display user input in forum posts without any checking. In this case, attackers can then insert a piece of malicious JavaScript code into a post; so that, when other users read it, the JavaScript can unexpectedly run on their computers.

   PitBullTax Software incorporates the work of HTMLPurifier, a component capable of removing all malicious code with a thoroughly audited, secure yet permissive whitelist; and which also makes sure the filtered content is standard-compliant.

2. Cross-site Request Forgery Prevention

   Cross-Site Request Forgery (CSRF) attacks happen when a malicious web site triggers a user's web browser to execute an unwanted action on a trusted site. For instance, when a malicious web site has a page that contains an image tag whose src points to a banking site:. If a user who has a login cookie for the banking site visits this malicious page, the action of transferring whatever amount of dollars to someone will be executed.

   It is very important to abide to the rule that GET requests should only be allowed to retrieve data rather than modify any data on the server to prevent these CSRF attacks. And in the case of POST requests, these should include some random value which can be recognized by the server to ensure the form is submitted from and the result is sent back to the same origin.

   PitBullTax Software implements a CSRF prevention scheme to help prevent POST-based attacks. It is based on storing a random value in a cookie and comparing this value with the value submitted via the POST request.

3. Cookie Attack Prevention

   As session IDs are commonly stored in cookies, protecting them from being attacked is of great importance. If someone gets hold of a session ID, this person essentially owns all relevant session information.

   PitBullTax Software executes a cookie validation scheme that protects cookies from being modified. In particular, it does HMAC check for the cookie values if cookie validation is enabled.

4. Transcripts Security

   For licensees’ safety and privacy, PitBullTax has developed an API connection to link with the IRS and allow you to pull transcripts. The licensees must have an E-services account and have access to the Transcript Delivery System of the IRS to be able to pull transcripts.

5. Code Encryption Prevention

   We utilize IonCube to provide additional protection against reverse engineering and technology license. IonCube gives IT providers a double layer of protection for applications.

   • How does IonCube work?

     The ionCube Encoder compiles source code to bytecode, can obfuscate and encrypt compiled code if desired, and has features to protect decryption keys in various ways, including a unique approach of algorithmic non-stored keys we call Dynamic Keys.

     The IonCube license used by PitBullTax developers and PitBullTax software provide the ability to create license files for your products. License files can protect against unauthorised use by locking code to specific machines and can also time expire, which is ideal for releasing trial versions. The native licensing features offer benefits over PHP based licensing, and has features to support adding one's own licensing ideas on top.

   • Can IonCube Intermediate Code files be de-coded back into the PHP source file?

     Like encryption, obfuscation can only be decoded using brute-force techniques, which require vast amounts of time and resources to decipher obfuscated code; and the longer the obfuscated string is the less realistic it is to decode it as the number of possible combinations increases exponentially.

6. Firewalls Features

   Firewalls are simple mechanisms to control access into and out of the company. In PitBullTax, one of the primary jobs of a firewall is to protect the company’s network from internet threats and to enforce company security policies. The security policy will dictate what applications, services, ports and IP addresses are allowed and disallowed via the firewall.

   When you take into consideration that this product will be the main entrance point to and from your company you have to ensure you have chosen a solid firewall with a proven reputation. So PitBullTax has chosen to go with CHECK POINT. For the eighteenth consecutive year, Check Point has been positioned in the "Leaders" quadrant in the Magic Quadrant for Enterprise Network Firewalls.

7. Two Factor Authentication (2FA)

   2-Factor Authentication (2FA) is an optional extra layer of security used to make sure that PitBullTax Users trying to gain access to a PitBullTax online account are who they say they are. First, PitBullTax user will enter their username and a password. After receiving a username and password, the site sends user a unique one-time passcode via SMS text message. Then, instead of immediately gaining access, user will be required to enter one-time passcode sent to user's phone via SMS text message.

   With 2-Factor Authentication, a potential compromise of just one of these factors (username/password or access to mobile phone) won't unlock the account. So, even if your password is stolen or your phone is lost, the chances of a someone else having your second-factor information are highly unlikely. In an effort to provide more secure and protected software application to all licensees, PitBullTax Software has 2-Factor Authentication available to all users at no additional cost.

Compliance Matters

For most companies, adherence to any number of regulations and industry standards is a requirement for doing business in a global market. It also can be time consuming, and doesn’t come cheap. That’s why it’s good to have our AWS and Peak 10 Data Centers in your corner. They have dedicated compliance officer on staff. Plus, you can leverage our audit-ready server’s, facilities and cloud infrastructure to ensure the security and availability of our applications and data — and help meet your company’s compliance requirements.

When it comes to security and technical controls, the proof is in the certification. Our AWS and Peak 10 Data Centers offer robust security and regulatory compliance. Click on the following buttons to check the certifications our Data Centers have successfully completed:

AWS Certifications and attestations

SOC 1

Provide information to customers about AWS' control environment that may be relevant to their internal controls over financial reporting besides information to customers and their auditors for their assessment and opinion of the effectiveness of internal controls over financial reporting (ICOFR).

SOC 2

Provide customers and users with a business need with an independent assessment of AWS' control environment relevant to system security, availability, and confidentiality.

SOC 3

Provides customers and users with a business need with an independent assessment of AWS' control environment relevant to system security, availability, and confidentiality without disclosing AWS internal information.

PCI DSS Level 1

PCI DSS applies to entities that store, process, or transmit cardholder data (CHD) or sensitive authentication data (SAD), including merchants, processors, acquirers, issuers, and service providers. The PCI DSS is mandated by the card brands and administered by the Payment Card Industry Security Standards Council.

DoD SRG

The Department of Defense (DoD) Cloud Computing Security Requirements Guide (SRG) provides a standardized assessment and authorization process for cloud service providers (CSPs) to gain a DoD provisional authorization, so that they can serve DoD customers. The AWS provisional authorization from the Defense Information Systems Agency (DISA) provides a reusable certification that attests to AWS compliance with DoD standards, reducing the time necessary for a DoD mission owner to assess and authorize one of their systems for operation in AWS.

FedRAMP

The US Federal Government is dedicated to delivering its services to the American people in the most innovative, secure, and cost-efficient fashion. Cloud computing plays a key part in how the federal government can achieve operational efficiencies and innovate on demand to advance their mission across the nation. That is why many federal agencies today are using AWS cloud services to process, store, and transmit federal government data.

FIPS

The Federal Information Processing Standard (FIPS) Publication 140-2 is a US and Canadian government standard that specifies the security requirements for cryptographic modules that protect sensitive information. AWS works with customers to provide the information they need to manage compliance when using the AWS US East/West, AWS GovCloud (US), or AWS Canada (Central) Regions.

IRAP

The Information Security Registered Assessors Program (IRAP) enables Australian Government customers to validate that appropriate controls are in place and determine the appropriate responsibility model for addressing the requirements of the Australian Government Information Security Manual (ISM) produced by the Australian Cyber Security Centre (ACSC).
Protecting Australian Government data from access, unauthorized and disclosure remains a prime consideration when procuring and leveraging cloud services. AWS recognises that customers rely upon the secure delivery of the AWS infrastructure and the importance of having features that enable them to create secure environments. AWS enables customers to meet these objectives by prioritising security in the delivery of its services, through the establishment of a robust control environment, and by making available for use a wide range of security services and features.

ISO 27001

ISO/IEC 27001:2013 is a security management standard that specifies security management best practices and comprehensive security controls following the ISO/IEC 27002 best practice guidance. The basis of this certification is the development and implementation of a rigorous security program, which includes the development and implementation of an Information Security Management System (ISMS) which defines how AWS perpetually manages security in a holistic, comprehensive manner.

ISO 9001

ISO 9001:2015 outlines a process-oriented approach to documenting and reviewing the structure, responsibilities, and procedures required to achieve effective quality management within an organization. Specific sections of the standard contain information on topics such as:

• Requirements for a quality management system, including documentation of a quality manual, document control, and determining process interactions
• Responsibilities of management
• Management of resources, including human resources and an organization’s work environment
• Service development, including the steps from design to delivery
• Customer satisfaction
• Measurement, analysis, and improvement of the QMS through activities like internal audits and corrective and preventive actions

ISO 27017

ISO/IEC 27017:2015 provides guidance on the information security aspects of cloud computing, recommending the implementation of cloud-specific information security controls that supplement the guidance of the ISO/IEC 27002 and ISO/IEC 27001 standards. This code of practice provides additional information security controls implementation guidance specific to cloud service providers.

ISO 27018

Alignment demonstrates to customers that AWS has a system of controls in place that specifically address the privacy protection of their content. AWS' alignment with an independent third-party assessment of this internationally recognized code of practice demonstrates AWS' commitment to the privacy and protection of customers' content.

MLPS Level 3

MLPS is the country's most authoritative security certification for information products and systems, based on the Regulations of the Protection of the Computer Information System Security of the People's Republic of China, Administrative Measures for the Security Protection of the International Access of Computer Information Networks, and Administrative Measures for the Information Security Protection Classification.
The MLPS Level III certification reflects Sinnet’s high capability in operating and managing cloud service and information security. It also confirms that Amazon Web Services China (Beijing) Region, operated by Sinnet, is aligned with China’s national information security guidelines.

MTCS

Amazon Web Services (AWS) was the first global cloud service provider to achieve the Singapore Multi-Tier Cloud Security Standard (MTCS SS 584) Level-3 (CSP) certification for Singapore.
This certification gives organizations the clarity to utilize AWS to host and process their highly confidential data in Singapore, South Korea, and in the United States.

SEC Rule 17a-4(f)

The US Securities and Exchange Commission (SEC) is an independent agency of the US federal government and the primary overseer and regulator of US securities markets. It wields enforcement authority over federal securities laws, proposes new securities rules, and oversees market regulation of the securities industry.
The SEC defines rigorous and explicit requirements for regulated entities that elect to retain books and records on electronic storage media. It established 17 CFR 240.17a-3 and 17 CFR 240.17a-4 to regulate recordkeeping, including retention periods, for securities broker-dealers.

AWS Laws and Regulations

EU Model Clauses

European Union (EU) data protection law regulates the transfer of EU customer personal data to countries outside the European Economic Area (EEA), which includes all EU countries and Iceland, Liechtenstein, and Norway. On a practical level, compliance with EU data protection laws also means that customers need fewer approvals from individual authorities to transfer personal data outside of the EU, since most EU member states don`t require additional authorization if the transfer is based on an agreement that complies with the Model Clauses.

FERPA

The Family Educational Rights and Privacy Act (FERPA) of 1974 was enacted to support and promote the protection of privacy and reasonable governance of student education records. FERPA provides parents of students and eligible students:

• The right to inspect and review their education records.
• Governance over disclosure of their education records.
• A mechanism to amend incorrect education records.

HIPAA

AWS enables covered entities and their business associates subject to the U.S. Health Insurance Portability and Accountability Act of 1996 (HIPAA) to use the secure AWS environment to process, maintain, and store protected health information.

IRS-1075

Internal Revenue Service Publication 1075 (IRS Pub 1075) provides guidance for US government agencies and their agents to protect Federal Tax Information (FTI).
While the IRS does not publish an official designation or certification for compliance with Pub 1075, AWS supports organizations to protect FTI managed in AWS by aligning our implementations of NIST 800-53 and FedRAMP security controls with the respective IRS Pub 1075 security requirements. AWS has worked closely with the IRS to ensure that the AWS GovCloud (US) and AWS US East-West regions meet Pub 1075 requirements for storing and processing FTI.

ITAR

AWS GovCloud (US) supports compliance with United States International Traffic in Arms Regulations (ITAR). As a part of managing a comprehensive ITAR compliance program, companies that are subject to ITAR export regulations must control unintended exports by enabling access to only authorized persons. AWS GovCloud (US) provides an environment that is physically located in the US, and access by AWS personnel is limited to US Citizens, thereby allowing qualified companies to use AWS to transmit, process, and store protected articles and data subject to ITAR restrictions.

My Number Act [Japan]

The Japanese government enacted the My Number Act (Japanese and English), which took effect in January 2016. It assigned a unique 12-digit number, called My Number, or the Social Benefits and Tax Number or Individual Number, to every resident of Japan, whether Japanese or foreign. Giving each person one number for all purposes (like the US Social Security number) was designed to simplify and make more efficient taxation and the implementation of social benefits such as the national pension, medical insurance, and unemployment.

VPAT

A Voluntary Product Accessibility Template (VPAT®) is a document that explains how information and communication technology (ICT) products such as software, hardware, electronic content, and support documentation meet (conform to) the Revised 508 Standards for IT accessibility.
Section 508 is a federal and state requirement so any and all of AWS government customers will have Section 508 compliance needs. Section 508 requires that when Federal agencies develop, procure, maintain, or use electronic and information technology, they must ensure that it is accessible to people with disabilities, unless it would pose an undue burden to do so.

EU Data Protection Directive

Adopted in 1995 by the European Union, the Data Protection Directive is officially known as Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data. The Data Protection Directive is binding within the member states of the EU and regulates how personal data is collected and processed in the European Union.

AWS Alignments and frameworks

CJIS

The CJIS Security Policy outlines the “appropriate controls to protect the full lifecycle of CJI (Criminal Justice Information), whether at rest or in transit,” irrespective of the underlying information technology model. By using solutions built on AWS, agencies can manage and secure their applications and data in the AWS cloud.
AWS provides building blocks that public safety agencies and their application partners can utilize to build highly available, resilient, and secure applications in alignment with the CJIS Security Policy. AWS customers maintain complete ownership and control over their data, which is enabled through access to simple, powerful, cloud native tools that allow them to manage the full life cycle of sensitive customer data. Customers exercise exclusive control over where data is stored and the methods used to secure data in transit and at rest, and manage access to their information systems built on AWS

FedRAMP TIC

This way of architecting cloud solutions that address TIC capabilities (in a FedRAMP moderate baseline) comes as the result of the relationships with the FedRAMP Program Management Office (PMO), Department of Homeland Security (DHS) TIC PMO, GSA 18F, and FedRAMP third-party assessment organization (3PAO), Veris Group. Ultimately, this approach will provide US Government agencies and contractors with information assisting in the development of “TIC Ready” architectures on AWS.
Our government customers interested in following GSA 18F’s lead now have the capability to deploy and test their own TIC capabilities on AWS. Customers can use the evidence resulting from our TIC Mobile assessment to implement the TIC capabilities as part of their virtual perimeter protection solution using functionality provided by AWS and our ecosystem partners. With a clear definition of the customer responsibility for implementation of the additional TIC capabilities, our government customers can architect for TIC readiness on AWS.

FISC

The Center for Financial Industry Information Systems (FISC) is a non-profit organization established in 1984 under the approval of the Minister of Finance, Japan. In April 2011, FISC was approved by the Prime Minister to change its classification to become a public interest incorporated foundation.
In December 1985, in collaboration with its member institutions, the Financial Services Agency (FSA) and the Bank of Japan, FISC has established "FISC Security Guidelines on Computer Systems for Banking and Related Financial Institutions" in order to promote security measures for financial institutions

FISMA

AWS enables US government agencies to achieve and sustain compliance with the Federal Information Security Management Act (FISMA). The AWS infrastructure has been evaluated by independent assessors for a variety of government systems as part of their system owners’ approval process. Numerous Federal Civilian and Department of Defense (DoD) organizations have successfully achieved security authorizations for systems hosted on AWS in accordance with the Risk Management Framework (RMF) process defined in NIST 800-37 and DoD Information Assurance Certification and Accreditation Process (DIACAP). AWS’s secure infrastructure has helped federal agencies expand cloud computing use cases and deploy sensitive government data and applications in the cloud while complying with the rigorous security requirements of federal standards.

GxP (FDA 21 CFR Part 11)

GxP is an acronym that refers to the regulations and guidelines applicable to life sciences organizations that make food and medical products such as drugs, medical devices, and medical software applications. The overall intent of GxP requirements is to ensure that food and medical products are safe for consumers and to ensure the integrity of data used to make product-related safety decisions.
AWS regularly works with GxP customers and their auditors in planning for, developing, validating, operating, and auditing GxP systems that use AWS services as a component. Because of confidentiality agreements, we do not disclose specific company details and use cases of GxP systems in AWS.

MPAA

The Motion Picture Association (MPA) has established a set of best practices for securely storing, processing and delivering protected media and content. Media companies use these best practices as a way to assess risk and security of their content and infrastructure. The MPA and Content Delivery & Security Association (CDSA) have jointly created a new partnership called the Trusted Partner Network (TPN) . The TPN program seeks to raise security awareness, preparedness and capabilities within the media and entertainment industry. AWS continues to monitor and contribute to TPN’s content security benchmarks.

NERC

As power and utility customers are experiencing digital transformation, they are looking to the cloud for ways to enhance support of their business and customers.
Customers want to know more about security and resiliency using cloud and they are sensitive to their compliance obligations including those around North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP).
The NERC CIP compliance obligations apply to US and Canadian entities, yet the security objectives embodied in the standards apply globally.

NIST

The National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF): Aligning to the NIST CSF in the AWS Cloud, is designed to help commercial and public sector entities of any size and in any part of the world align with the CSF by leveraging AWS services and resources.
It helps to establish a foundational set of security activities organized around five functions—Identify, Protect, Detect, Respond, Recover—to help to improve the security, risk management, and resilience of your organization.

UK Cyber Essentials

Cyber Essentials is a Government-backed and industry-supported scheme that helps businesses protect themselves against the growing threat of cyber attacks and provides a clear statement of the basic controls organizations should have in place to protect themselves.
It is the UK Government’s answer to a safer internet space for organizations of all sizes, across all sectors. Developed and operated by the National Cyber Security Centre (NCSC), Cyber Essentials is considered the best first step to a more secure network, protecting you from 80% of the most basic cyber security breaches.
Gaining Cyber Essentials certification also enables organizations to showcase their credentials as trustworthy and secure when it comes to cyber security.

SSAE 16/ISAE SOC 1 Type 2

This dual-standard report is intended to help Peak 10 customers and their auditors in evaluating the effect of the controls at Peak 10 on their financial statement assertions. The SOC 1 report attests that Peak 10’s control objectives are appropriately designed and operating effectively.

SOC 2 Type 2

The SOC 2 report is an attestation report that provides an evaluation of controls specific to the criteria set forth by the American Institute of Certified Public Accountants (AICPA) Trust Services Principles. These principles define leading practice controls relevant to security, and availability.

SOC 3 Type 2

The SOC 3 report is a Trust Services Report, and is designed to meet the needs of Peak 10 customers that want assurance about Peak 10’s controls related to security and availability but do not need the level of detail provided in a SOC 2 Report

Level 1 Service Provider under PCI DSS

Peak 10 is certified under PCI DSS as a Level 1 service provider. This means that Peak 10 data centers, cloud infrastructure operations are PCI DSS compliant.

U.S. Department of Commerce Safe Harbor Program

Peak 10 is certified under the U.S. Department of Commerce Safe Harbor Program, known as the U.S.-EU Safe Harbor Framework “Safe Harbor”).

HIPAA / HITECH Security Rule Compliance Report (AT 101)

Peak 10 data centers and cloud infrastructure meet the stringent requirements for compliance with the Health Insurance Portability and Accountability Act (HIPAA) Security Rule. We have implemented the physical, technical, and administrative safeguards to ensure that confidential electronic protected health information (ePHI) is secure.

In addition, Peak 10 holds the following:

• Cisco Cloud Provider Certification with a Cisco Powered Cloud Infrastructure-as-a-Service (IaaS) designation
• Cisco Powered Disaster Recovery as a Service (DRaaS) designation under the Cisco® Cloud and Managed Services Advanced Certification

Our Data-Center is Audit Ready:

• Statement on Standards for Attestation Engagements (SSAE 16)
• Health Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health Act (HITECH)
• Payment Card Industry Data Security Standard (PCI DSS)
• Sarbanes-Oxley (SOX)
• Food and Drug Administration (FDA)
• U.S.-EU Safe Harbor (European Commission’s Directive on Data Protection)
• ISO/IEC 27001:2013
• Gramm-Leach-Bliley (GLBA)
• International Traffic in Arms Regulations (ITAR)
• Federal Information Security Management Act (FISMA)

We Make Compliance Easy

Certification reports and other documentation is available to PitBullTax customers. If you would like to review our Audit certificates, please send a formal request to info@pitbulltax.com including your full contact details and reason for request. Contact us to learn more.

Questions & Answers

For your convenience, we are providing answers to the most frequently asked questions regarding our security.

1. What standards or compliance certifications do PitBullTax hold?

   PitBullTax is compliant with the following certifications:

   1. SSAE-16/ISAE SOC 1 Type 2
   2. ISO 27001
   3. SOC 2 type 2
   4. SOC 3 Type 2
   5. PCI DSS
   6. U.S Department of Commerce Safe Harbor Program
   7. HIPAA/HITECH Security Rule Compliance report (AT 101)

2. Does PitBullTax use a third-party hosting facility for our data? If so, do they have any certifications such as (SSAE-16, SOC, ISO)?

   Yes, the hosting facility we use is compliant with all of the above outlined certifications.

3. Are PitBullTax employees trained on the policies and procedures on how to handle security incidents?

   PitBullTax employees undergo security training upon hiring and throughout their tenure at PitBullTax.

4. Do PitBullTax have a disaster recovery plan and if so, what is the frequency of testing?

   Yes, conducted monthly.

5. What are the back-up procedures for the data we collect and when are restores tested?

   We schedule a full database backup every day. We test the backup data monthly.

6. Does PitBullTax conduct external third-party security assessments and audits and how often?

   Review of certifications are conducted quarterly.

7. What measures are in place to ensure that your data is secure?

   1. SSL data transport
   2. Encryption of all personal data in the data base
   3. Two Factor Authentication

8. What happens to our data if we did not renew our license?

   It is stored for seven (7) years in for reinstatement purposes.

9. Will PitBullTax sign a non-disclosure agreement?

   Yes, upon request.

10. Does PitBullTax have a documented incident response process?

    Yes, last updated on 2019 and reviewed annually.

11. Is always our data encrypted?

    Yes.

12. Will our backed-up data be stored securely offsite?

    Yes.

13. Where is our data stored?

    In an encrypted data base.

14. Has PitBullTax ever had a security breach?

    No.

15. How will we be notified in case of a security breach?

    We will email to all our users stating the breach, scope, consequences, and the necessary steps our licensees need to take?

16. What is your track record for availability/downtime?

    Over the last 5 years PitBullTax has been “up” 99.7% of the time.

17. How will we access our data?

    Via web-interface of web-application.