Tax data handled with the care it deserves.
Grove is built for the most sensitive data your firm touches — SSNs, K-1s, financial accounts, dependent records. Our security program is designed around the assumption that we hold information attackers will pay for, and the obligations the IRS, FTC, and state boards place on those who hold it.
Audited where it counts. Aligned with the rest.
Grove operates a SOC 2 Type II program audited annually against the AICPA Trust Services Criteria, and aligns with the federal and state requirements that specifically govern tax preparers handling taxpayer data.
Independent third-party audit covering Security, Availability, and Confidentiality criteria over a 12-month observation window. Available under NDA.
Grove provides the technical foundation firms need to satisfy the IRS’s Written Information Security Plan (WISP) requirement — encryption, access controls, monitoring, and audit logs out of the box.
We operate as a service provider under the Safeguards Rule, with designated personnel, risk assessments, and qualified individual oversight on our information security program.
Service-provider obligations under the California Consumer Privacy Act and California Privacy Rights Act, including subject-rights workflows and a published privacy program.
We are in the readiness phase for ISO 27001 certification, mapping our existing SOC 2 controls to the ISO 27001:2022 Annex A control set. Targeted certification: Q4 2026.
Grove tracks and complies with state-level privacy laws applicable to tax-preparer service providers across the United States, including breach-notification statutes in all 50 states.
How we think about your data.
Three commitments shape every product and infrastructure decision we make. They’re what makes the controls below mean something.
Your data is not training data.
Customer Data is never used to train Grove’s models or any third-party model. We have contractual zero-retention agreements with our LLM providers covering all customer-derived inputs and outputs.
Least access, by default.
Grove employees do not have standing access to customer tax data. Access is granted just-in-time, scoped to the smallest possible surface, and logged. Production access requires hardware MFA.
Encrypted everywhere it lives.
Customer Data is encrypted in transit (TLS 1.3) and at rest (AES-256). Database backups, object storage, and document attachments are all encrypted with keys managed in a hardware-backed KMS.
Customer-controlled deletion.
You own your data. On request, we delete Customer Data and purge it from primary stores within 30 days, and from backup tier within 90 days — with written confirmation when complete.
What that looks like in practice.
A summary of our security controls. Detailed evidence is provided in our SOC 2 Type II report, available under NDA.
Defenses inside the product itself.
The application layer is hardened with the same controls a bank would expect of one of its vendors.
- SSO via SAML 2.0 / OIDC; SCIM provisioning supported
- MFA enforced for all user accounts; WebAuthn supported
- Role-based access control with firm-level scoping
- Rate limiting, anti-CSRF, content security policy
- Annual third-party penetration test
Built on hardened, audited foundations.
Grove runs on AWS in US-only regions, inside private VPCs with restrictive egress and zero-trust service authentication.
- US-only data residency (us-east-1, us-west-2)
- Private VPC; no public database endpoints
- Multi-AZ deployments; daily encrypted backups
- WAF + DDoS protection at the edge
- Immutable audit logs retained for 7 years
Trained, screened, accountable.
Every Grove employee operates under documented policies, with access scoped to least privilege and reviewed quarterly.
- Background checks on all employees and contractors
- Annual security & privacy training, evidenced
- Quarterly access reviews; offboarding within 24 hr
- Hardware MFA required for production access
- Confidentiality & IP assignment on day one
Modern, audited, key-managed.
Encryption is non-negotiable. We use only audited algorithms and managed keys with documented rotation.
- TLS 1.3 in transit; HSTS enforced
- AES-256 at rest; envelope encryption per record class
- Hardware-backed KMS; documented rotation
- Field-level encryption for SSNs & bank info
- No customer keys, secrets, or PII in logs
Secure-by-default development.
Security is wired into how Grove ships software, not bolted on at release.
- Mandatory peer review on every change
- Static analysis & dependency scanning in CI
- Secrets management via vault; no env-var leaks
- Threat modeling on new product surfaces
- Public bug bounty program (in pilot)
Where AI meets your data.
Grove uses LLMs for narrow, audited tasks. Customer Data is contractually walled off from any model training.
- Zero-retention agreements with model providers
- Customer Data never used for training, fine-tuning
- Prompt & output logged for audit; encrypted
- AI Output flagged for human review by default
- Documented model usage register, updated quarterly
How your firm’s data flows through Grove.
From the moment a client uploads a W-2 to the moment a return is delivered — every step is encrypted, scoped, and logged.
Collection
Documents and answers enter Grove through TLS 1.3 from the client portal or preparer interface.
Processing
Data is encrypted at rest and only decrypted in-memory by services that need it, on a per-firm boundary.
Retention & deletion
Records are retained for the period your firm requires, then deleted on schedule or on demand.
Built for the WISP requirement, not bolted on.
Every paid tax preparer is required by the IRS and FTC to maintain a Written Information Security Plan. Grove provides the technical foundation that satisfies the controls Pub. 4557 and the FTC Safeguards Rule actually ask for.
- Designated qualified individual (CISO)
- Annual risk assessments & reviews
- Encryption, access controls, MFA
- Vendor due diligence on subprocessors
- Incident response plan, tested annually
- Employee training, evidenced
The vendors we trust with your data.
We use a small, deliberate set of subprocessors to operate Grove. Each one is bound by a data processing agreement and reviewed against our vendor security standard at onboarding and annually thereafter.
What happens if something goes wrong.
Grove maintains a written incident response plan, tested annually. If a security event affects your firm’s data, you will hear from us — on a clock.
SLA commitments.
The clock starts when we confirm an event materially affects Customer Data — not when we finish investigating.
Have a security question we haven’t answered?
Email our security team directly. We respond within one business day, and we’re happy to walk through our SOC 2 Type II report, fill out vendor questionnaires, or jump on a call with your IT or compliance lead.