In May of 2021 SurePrep received a SOC 2 Type 2, an independent service auditor’s report on controls relevant to security, availability, confidentiality and processing integrity set forth in TSP Section 100, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (AICPA, Trust Services Criteria).

Logo SOC for Service Organization

SurePrep has developed information security policies and procedures that adhere to the high standards of regulatory requirements such as Gramm-Leach-Bliley, Payment Card Industry and Massachusetts 201 CMR 17.00.

SurePrep’s production servers are managed by SurePrep staff and utilize the IBM, Azure and AWS Public clouds with near limitless scaling capabilities. Cloudflare’s best in class CDN, WAF and DDoS protection is implemented for perimeter defense and global load balancing to enhance performance and our overall security stature. SurePrep utilizes Crowdstrike EDR to ensure the security of our endpoints from malicious software attacks. Darktrace AI driven network monitoring further protects systems and data by watching for anomalous network activity. These systems, as well as our servers and security infrastructure are monitored on a 24/7 basis.

Third Party Vulnerability and Penetration testing is performed mulitple times per year by Symosis Security, formerly C-Level Security, LLC. Internal vulnerability testing is performed regularly by the SurePrep InfoSec team.

Security lock

SurePrep’s products are web-based applications built on the Microsoft .NET Framework. Access is restricted to registered users who log in by way of a username/password combination verified on the server side. User passwords are encrypted and a log is maintained of all users that access the system. User authentication can be further limited to client-specified IP ranges. Communications use industry-standard 4096-bit Secure Socket Layer encryption for all data transfers, the same encryption technology used by banks for securing online banking transactions. SurePrep leverages Microsoft’s Azure infrastructure and Amazon Web Services to ensure data security and reliable storage.

Security Cloud


SurePrep’s production servers are managed by SurePrep staff and hosted in IBM data centers in Dallas, San Jose and Washington D.C. SurePrep’s implementation of Azure and AWS includes regional services to increase uptime and continuity options. All data centers and cloud services are SOC 2 Type 2 and SSAE 18 certified. SurePrep’s software has been audited, tested and validated by Symosis Security, LLC, formerly C-Level Security, LLC. The application was found to enforce security controls which support a secure processing solution. Symosis Security is an independent security-focused consulting firm employing leaders in the industry. Symosis Security certifications are developed to meet regulatory and best practice guidelines. The Symosis Security, LLC/C-Level Certified Seal carried on this site displays that the Organization has adopted proactive security steps for safeguarding data during submission, transmission and storage.

Click here to view SurePrep’s Symosis letter of attestation for the FileRoom.

Click here to view SurePrep’s Symosis letter of attestation for TaxCaddy.

security Certificate