FundedTax

Security & data handling

What we do — and don't — store about your tax data.

FundedTax is built around the smallest possible amount of personally identifying tax information that gets the job done. Here's exactly what that means.

We don't want your SSN. Don't enter it into this software.

Your SSN belongs on the actual Schedule C you (or your CPA) file with the IRS — not in our database, not in our logs, not in our backups. FundedTax is designed not to request and does not intentionally collect SSNs, ITINs, EINs, or similar taxpayer identifiers; no field asks for one. If such a value is submitted inadvertently (for example pasted into a note or carried in a stray CSV column), automated validation and redaction controls replace taxpayer-identifier patterns with a redaction token before the value is stored, and we may delete it. If a UI field ever appears to ask for an identifier, that's a bug; tell us at security@fundedtax.com.

What we do not collect

The tax-PII we deliberately stay away from.

  • Social Security number (SSN), ITIN, or EIN — no field requests one, and inadvertently submitted patterns are redacted
  • Bank account number or routing number
  • Credit card or debit card information
  • Government-issued ID, passport, or driver's license
  • Your filed tax return or 1099-NEC PDF (we work from amounts you enter, not uploaded IRS forms)
  • Brokerage account credentials, OAuth tokens to brokerages, or read-only API keys

What we do store

The minimum FundedTax needs to do its job.

  • Account email (for sign-in via magic link)
  • Preferences: tax year, filing status, optional state
  • Imported transaction rows (date, type, amount, source row id) — derived from your CSV uploads
  • User-entered expenses (date, category, vendor, amount, deductible flag)
  • 1099-NEC reported totals (per firm, per tax year) — the dollar number, never the PDF
  • Quarterly estimated payments (date, amount, optional note)
  • Application audit log: which exports you generated, when

CSV handling

Your CSV is parsed in memory. We are built not to persist the raw upload.

When you upload a payout CSV from Apex / TopStep / FTMO / Tradeify / MyFundedFutures, the file goes through the route handler, gets parsed into structured rows in memory, and the resulting transactions rows are written to the database. By design the CSV bytes themselves are not written to the database, and there is no “original upload” reference column. Any free-text the parser does store (a vendor or note) passes through the taxpayer-identifier redaction control first, so an inadvertently included SSN/ITIN/EIN pattern is replaced before persistence.
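
The handling described above, sketched as an added example that is not FundedTax's own code: CSV text is parsed in memory, only allowlisted columns are kept, and free text passes through a taxpayer-identifier redactor before a row is returned for storage. The column names, the redaction token text and the patterns are assumptions made for illustration.

```javascript
// Added example with hypothetical names; not FundedTax's implementation.
const REDACTION_TOKEN = "[REDACTED-TAX-ID]"; // assumed token text

// Nine digits as 3-2-4 (SSN/ITIN), 2-7 (EIN) or a bare run. The lookarounds
// keep the pattern from firing inside longer digit strings. It over-matches on
// purpose: losing a 9-digit order number in a note is cheaper than storing an SSN.
const TAX_ID = /(?<!\d)(?:\d{3}[- ]\d{2}[- ]\d{4}|\d{2}-\d{7}|\d{9})(?!\d)/g;

function redactTaxIds(text) {
  return String(text ?? "").replace(TAX_ID, REDACTION_TOKEN);
}

// Assumed column allowlist; any other column (e.g. a stray "ssn" column) is dropped.
function toStoredRow(record) {
  const amount = Number(record.amount);
  if (!/^\d{4}-\d{2}-\d{2}$/.test(record.date ?? "") || !Number.isFinite(amount)) {
    throw new Error("unparseable row"); // no row contents in the error message
  }
  return {
    date: record.date,
    type: redactTaxIds(record.type),
    amount,
    sourceRowId: redactTaxIds(record.row_id),
    note: redactTaxIds(record.note),
  };
}

// Parses the upload in memory; only the returned rows would be persisted.
// Simplification: no quoted-field support, which a real CSV library would add.
function parseUpload(csvText) {
  const [header, ...lines] = csvText.trim().split(/\r?\n/);
  const cols = header.split(",").map((c) => c.trim().toLowerCase());
  return lines.map((line) => {
    const cells = line.split(",");
    const record = Object.fromEntries(cols.map((c, i) => [c, (cells[i] ?? "").trim()]));
    return toStoredRow(record);
  });
}

// Constructed sample: a stray ssn column plus identifiers pasted into notes.
const SAMPLE_CSV = [
  "date,type,amount,row_id,note,ssn",
  "2025-03-14,payout,1250.00,r-001,March payout for 123-45-6789,123-45-6789",
  "2025-04-02,payout,980.50,r-002,EIN 12-3456789 on file,",
  "2025-04-20,fee,-85.00,r-003,reset fee,",
].join("\n");

console.log(parseUpload(SAMPLE_CSV));
```
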

In development, sample CSVs are gitignored (*.csv, test-data/, sample-1099/, sample-statements/) so no real-trader data lands in the repo by accident. Tests run on synthetic data only.

Sub-processors

Who else touches data on our behalf.

The table below is a summary. The Subprocessors page is the canonical, authoritative list (with regions, data categories, privacy links, and the 30-day change-notice process); the Terms, privacy policy, and DPA all reference it so the set cannot drift between pages.

| Vendor | Role | Data |
| --- | --- | --- |
| Vercel, US (vercel.com) | Application hosting + edge runtime | Application requests, in-transit only |
| Neon, US (neon.tech) | Postgres database | Tax records, encrypted at rest |
| Merchant of Record (Merchant of Record handles VAT/sales-tax) | Subscription billing (provider being finalized) | Billing email + plan; payment details NEVER touch FundedTax servers |
| Sentry, US (sentry.io) | Application error tracking | Error events + request context; PII transmission disabled (sendDefaultPii off); tax amounts and identifiers excluded from error contexts |

Incident response

If something goes wrong, we notify you without undue delay.

If we become aware of a security incident involving personal data, we investigate promptly and provide notices to affected users, regulators, and other parties as required by applicable law. Where a breach is likely to result in high risk to you, we will notify you without undue delay, describing the affected data, what we know, what we don't know yet, and the remediation steps under way. Where required, we notify the relevant supervisory authority within 72 hours of becoming aware, in line with GDPR Articles 33 and 34. We communicate facts, not tax advice.

Vulnerability disclosure

Found a security issue? Tell us.

Email security@fundedtax.com with the issue, reproduction steps, and any proof-of-concept. We acknowledge within 2 business days. We do not yet have a paid bug bounty — we appreciate the help regardless and credit researchers in the public changelog when they consent to being named.

This page describes our current security architecture, as of 2026-05-31, for transparency. It is not the binding agreement: the binding terms are the Terms of Service and the Data Processing Addendum. For data handling, see the privacy policy.

Product scope: Informational software, not tax advice. Founder is not a CPA/EA. You or your CPA file the return.