Security

How we protect your account and your data, the services we rely on, and how to report a problem.

Last updated: May 2026

Authentication & access

The MCP endpoint is protected by OAuth 2.0 — your AI client connects with a scoped access token, and we validate the request origin to guard against DNS rebinding. Dashboard accounts use email and password with required email verification, and logins are rate-limited. Passwords are hashed, and API keys are stored only as a hash — we never keep the plaintext key after it's shown to you once.

Your data

We store your account details and a usage log of your API and tool calls — timestamps, the endpoint called, and response time — to handle billing, rate limits, and analytics. We don't store the content of your queries, your conversation history, or anything your AI client generates on your behalf. Traffic is encrypted in transit over TLS, and data is encrypted at rest.

You can request deletion of your account data at any time — see our Privacy Policy for details.

Services we rely on

We use Stripe for payments — card details go straight to Stripe, so we never see or store them. A small number of standard service providers handle email delivery and the infrastructure behind search, and the tax law itself comes from public government sources.

Reporting a vulnerability

Found a security issue? Email security@taxmcp.io with steps to reproduce. We'll acknowledge it quickly and keep you posted as we fix it. A machine-readable contact lives at /.well-known/security.txt.

Please give us a reasonable window before disclosing publicly, and don't access data that isn't yours. We won't pursue legal action against good-faith research, and we're happy to credit you once the issue is resolved.