Built on certified infrastructure, hardened by design.
Haque Systems runs exclusively on platforms that hold SOC 2 Type II attestations. Every stored credential is encrypted with AES-256-GCM, every tenant is isolated at the database layer by Row-Level Security, and every action on sensitive data is audit-logged.
Subprocessors
We do not host our own data centers. Every vendor below is independently SOC 2 audited and publishes its own trust report; they are listed here so you can verify their controls directly.
| Provider | Role | Attestations |
|---|---|---|
| Supabase | Database + auth | SOC 2 Type II, HIPAA, ISO 27001 |
| Vercel | Application hosting | SOC 2 Type II, ISO 27001 |
| Stripe | Payments | SOC 1 & 2, PCI DSS Level 1 |
| Resend | Transactional email | SOC 2 Type II |
| Cloudflare | CDN + DNS | SOC 2 Type II, ISO 27001 |
| Anthropic | Claude API (AI) | SOC 2 Type II |
| Sentry | Error monitoring | SOC 2 Type II, ISO 27001 |
Our controls
What we implement at the application layer, on top of the infrastructure above.
Encryption
- ✓ AES-256-GCM envelope encryption on every OAuth token and API key (each secret is encrypted under its own data key, and that data key is in turn encrypted under a master key)
- ✓ TLS 1.3 in transit, with HSTS enforced so browsers refuse to downgrade to HTTP
- ✓ At-rest encryption of database storage (Supabase default). This protects the storage media; it does not protect data read through a compromised database role, which is why credentials are additionally encrypted at the application layer.
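To make the envelope-encryption bullet concrete, here is an added illustrative example in TypeScript (Node's built-in `crypto` module). It is not Haque Systems code and does not describe how their implementation is structured; the key names, the `firm_123`/`oauth_token_42` identifiers and the sample token are constructed for the demo. It shows the two layers (a per-secret data key wrapped by a master key), a fresh 96-bit nonce per encryption, and additional authenticated data that binds each ciphertext to its tenant and row so a blob copied between tenants fails to decrypt.

```typescript
// Added illustrative example, not Haque Systems code: AES-256-GCM envelope
// encryption of a per-tenant credential. A random data-encryption key (DEK)
// protects each credential; the DEK is itself wrapped by a key-encryption key
// (KEK) that should live outside the database (KMS or secret manager). AAD binds
// each blob to its tenant and record, so a ciphertext moved to another row fails.
import { randomBytes, createCipheriv, createDecipheriv } from "node:crypto";

const ALG = "aes-256-gcm";
const NONCE_LEN = 12; // 96-bit nonce, the GCM recommendation
const TAG_LEN = 16;   // 128-bit authentication tag

interface Envelope {
  wrappedDek: Buffer; // DEK under the KEK: nonce || ciphertext || tag
  ciphertext: Buffer; // credential under the DEK: nonce || ciphertext || tag
  kekId: string;      // which KEK wrapped the DEK, so KEKs can be rotated
}

function seal(key: Buffer, plaintext: Buffer, aad: Buffer): Buffer {
  const nonce = randomBytes(NONCE_LEN); // never reuse a nonce under the same key
  const cipher = createCipheriv(ALG, key, nonce, { authTagLength: TAG_LEN });
  cipher.setAAD(aad);
  const body = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  return Buffer.concat([nonce, body, cipher.getAuthTag()]);
}

function open(key: Buffer, blob: Buffer, aad: Buffer): Buffer {
  const nonce = blob.subarray(0, NONCE_LEN);
  const tag = blob.subarray(blob.length - TAG_LEN);
  const body = blob.subarray(NONCE_LEN, blob.length - TAG_LEN);
  const decipher = createDecipheriv(ALG, key, nonce, { authTagLength: TAG_LEN });
  decipher.setAAD(aad);
  decipher.setAuthTag(tag);
  // final() throws if the tag does not verify (tampered data or wrong AAD/key).
  return Buffer.concat([decipher.update(body), decipher.final()]);
}

// Binding context: the firm (tenant) and the row this credential belongs to.
function aadFor(tenantId: string, recordId: string): Buffer {
  return Buffer.from(`${tenantId}:${recordId}`, "utf8");
}

function encryptCredential(kek: Buffer, kekId: string, tenantId: string, recordId: string, secret: string): Envelope {
  const dek = randomBytes(32); // fresh 256-bit data key per secret
  const aad = aadFor(tenantId, recordId);
  const env: Envelope = {
    wrappedDek: seal(kek, dek, aad),
    ciphertext: seal(dek, Buffer.from(secret, "utf8"), aad),
    kekId,
  };
  dek.fill(0); // do not keep the raw DEK around longer than needed
  return env;
}

function decryptCredential(kek: Buffer, env: Envelope, tenantId: string, recordId: string): string {
  const aad = aadFor(tenantId, recordId);
  const dek = open(kek, env.wrappedDek, aad); // unwrap first, then decrypt
  try {
    return open(dek, env.ciphertext, aad).toString("utf8");
  } finally {
    dek.fill(0);
  }
}

// True when decryption is rejected (tampering, wrong tenant, or wrong KEK).
function decryptFails(kek: Buffer, env: Envelope, tenantId: string, recordId: string): boolean {
  try {
    decryptCredential(kek, env, tenantId, recordId);
    return false;
  } catch {
    return true;
  }
}

// Constructed demo values. A real KEK comes from a KMS or secret manager, never from source.
const DEMO_KEK = randomBytes(32);
const DEMO_ENV = encryptCredential(DEMO_KEK, "kek-v1", "firm_123", "oauth_token_42", "ya29.example-oauth-token");
console.log(decryptCredential(DEMO_KEK, DEMO_ENV, "firm_123", "oauth_token_42")); // round-trips
console.log(decryptFails(DEMO_KEK, DEMO_ENV, "firm_999", "oauth_token_42"));       // true: wrong tenant
```

The property worth checking against any real implementation is the last one: with the tenant and record id in the AAD, an attacker who can write to the database cannot point one tenant's stored token at another tenant's row, because the authentication tag no longer verifies.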
Access control
- ✓ Row-Level Security policies on all 55 database tables, so cross-tenant reads and writes are rejected by the database itself rather than by application code
- ✓ Role-based permissions: owner · admin · preparer · staff
- ✓ Two-factor authentication (TOTP) for every account
- ✓ Per-firm IP allowlist (optional, disabled by default)
- ✓ SAML SSO available for enterprise firms
Auditability
- ✓ Immutable audit log of every client, document, and tax-form access
- ✓ IRS §7216 disclosure consent flow with token-based taxpayer sign-off
- ✓ Append-only, tamper-evident event stream: entries can be added but never edited or deleted
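"Append-only" is a write policy; "tamper-evident" is a stronger claim that an edit, deletion or reordering of past entries can be detected. The following added TypeScript example shows one common way to get that property, a SHA-256 hash chain in which each entry commits to the hash of the one before it. It is illustrative only: the page does not say which mechanism Haque Systems uses, and the event fields, actor names and record ids are constructed for the demo.

```typescript
// Added illustrative example, not Haque Systems code: an append-only audit
// log made tamper-evident by hash chaining. Each entry's hash covers its own
// fields and the previous entry's hash, so changing, removing or reordering a
// historical entry breaks every hash after it.
import { createHash } from "node:crypto";

interface AuditEvent {
  ts: string;      // ISO-8601 timestamp
  actor: string;   // user or service that acted
  action: string;  // e.g. "document.read"
  subject: string; // the record touched
}

interface AuditEntry extends AuditEvent {
  seq: number;      // position in the log
  prevHash: string; // hash of the previous entry (GENESIS for the first)
  hash: string;     // SHA-256 over seq, prevHash and the event fields
}

const GENESIS = "0".repeat(64);

// Fixed field order so the same event always serializes, and hashes, the same way.
function canonical(e: AuditEvent, seq: number, prevHash: string): string {
  return JSON.stringify([seq, prevHash, e.ts, e.actor, e.action, e.subject]);
}

function entryHash(e: AuditEvent, seq: number, prevHash: string): string {
  return createHash("sha256").update(canonical(e, seq, prevHash)).digest("hex");
}

function append(log: AuditEntry[], e: AuditEvent): AuditEntry {
  const seq = log.length;
  const prevHash = seq === 0 ? GENESIS : log[seq - 1].hash;
  const entry: AuditEntry = { ...e, seq, prevHash, hash: entryHash(e, seq, prevHash) };
  log.push(entry);
  return entry;
}

// Walks the chain; returns the index of the first inconsistent entry, or -1 if intact.
function firstBrokenIndex(log: AuditEntry[]): number {
  for (let i = 0; i < log.length; i++) {
    const expectedPrev = i === 0 ? GENESIS : log[i - 1].hash;
    const e = log[i];
    if (e.seq !== i || e.prevHash !== expectedPrev || e.hash !== entryHash(e, i, expectedPrev)) {
      return i;
    }
  }
  return -1;
}

// The head hash is what you anchor somewhere the database writer cannot reach
// (a separate store, a signed daily digest); without it, silently dropping the
// most recent entries is not detectable by the chain alone.
function headHash(log: AuditEntry[]): string {
  return log.length === 0 ? GENESIS : log[log.length - 1].hash;
}

// Constructed sample events.
function buildSampleLog(): AuditEntry[] {
  const log: AuditEntry[] = [];
  append(log, { ts: "2026-04-01T09:00:00Z", actor: "preparer:alice", action: "client.read", subject: "client/1001" });
  append(log, { ts: "2026-04-01T09:01:12Z", actor: "preparer:alice", action: "document.read", subject: "doc/77" });
  append(log, { ts: "2026-04-01T09:05:40Z", actor: "admin:bob", action: "form.export", subject: "form/1040/2025" });
  return log;
}

// Rewriting history: change who performed entry 1 but leave its stored hash alone.
function tamperedLog(): AuditEntry[] {
  const log = buildSampleLog();
  log[1] = { ...log[1], actor: "admin:bob" };
  return log;
}

// Deleting entry 1 from the middle: entry 2 now sits at index 1 with the wrong seq and prevHash.
function truncatedLog(): AuditEntry[] {
  const log = buildSampleLog();
  log.splice(1, 1);
  return log;
}

console.log(firstBrokenIndex(buildSampleLog())); // -1: chain intact
console.log(firstBrokenIndex(tamperedLog()));    // 1: edit detected
console.log(firstBrokenIndex(truncatedLog()));   // 1: deletion detected
```

The chain detects edits and deletions inside the log, but a writer who controls the whole table can still drop the tail and present a shorter, internally consistent log. That is why `headHash` exists: periodically recording it outside the writer's reach (or signing it) is what turns "append-only" into a claim a third party can verify.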
Resilience
- ✓ 24/7 error monitoring and alerting
- ✓ Hourly production health checks with deep-probe live pings
- ✓ Nightly data-integrity drill that detects silent corruption
- ✓ Circuit breakers on every third-party API
- ✓ Automatic retry with exponential backoff on failed background jobs
Tax & accounting compliance
The frameworks that actually matter for CPA firms and tax preparers.
| Framework | What it covers | Status |
|---|---|---|
| IRS Pub. 5708 (WISP) | Written Information Security Plan | Adopted |
| IRS §7216 | Disclosure of taxpayer information | Compliant |
| IRS Pub. 4557 | Safeguarding Taxpayer Data | Aligned |
| GLBA Safeguards Rule | FTC rule for financial institutions | Aligned |
| PCI DSS SAQ-A | Payment card compliance | SAQ-A scope via Stripe (card data is handled only by Stripe, not by our systems) |
| CCPA / CPRA | California consumer privacy | Aligned |
SOC 2 — our position
We have not yet undergone our own SOC 2 audit, but every piece of infrastructure we depend on holds a SOC 2 Type II report. We map our application-layer controls to the five Trust Services Criteria:

| Criterion | Application-layer controls |
|---|---|
| Security | RLS · 2FA · IP allowlist · circuit breakers · shared auth gate |
| Availability | 17-check smoke suite · deep-probe health · 25 background jobs with retry · Sentry |
| Confidentiality | AES-256-GCM for every credential · Supabase at-rest encryption |
| Processing Integrity | Nightly data-integrity drill · year-end form audit · idempotent writes |
| Privacy | §7216 consent flow · WISP adopted · audit log of every PII access · GDPR-ready deletion |
We will pursue our own SOC 2 Type II report once we reach the scale at which enterprise procurement teams begin to request it. Until then we are transparent about being aligned, not attested.
Report a security issue
If you believe you have found a security vulnerability, please email security@haquesystems.com. We will acknowledge your report within 1 business day and keep you updated through remediation.
Last reviewed: April 2026 · Questions? security@haquesystems.com