Security at Payrollix

Last updated: May 15, 2026

Payrollix handles some of the most sensitive data a business holds: Social Security numbers, employee bank accounts, federal and state tax IDs, and wage records. This page describes the controls we have in place to protect that data, the compliance posture we operate under, and how to report a security issue.

1. Infrastructure

Payrollix runs on Amazon Web Services in the us-east-1 (N. Virginia) region. All production workloads, databases, queues, and document storage are located in the United States.

  • Backend: FastAPI application hosted on AWS ECS/EC2
  • Database: PostgreSQL on AWS RDS with encryption at rest
  • Cache & queues: Redis and Celery workers for asynchronous tax filing and payroll jobs
  • Document storage: Amazon S3 with server-side encryption (SSE)
  • Dedicated Elastic IP: Outbound traffic to government tax systems originates from a static IP (3.233.206.195) that is registered with the IRS MeF gateway, Connecticut DRS, Ohio DOR, and other state agencies that require source-IP allowlisting. This IP is intentionally pinned and never released.
  • Container isolation: Each service runs in an isolated container with least-privilege IAM roles

2. Encryption

All data is encrypted both in transit and at rest using industry-standard algorithms.

  • In transit: TLS 1.2 or higher for all HTTPS traffic between browsers, mobile apps, our API, and our sub-processors
  • At rest: AES-256 encryption for AWS RDS (PostgreSQL) and S3 (document and tax-filing archive storage via SSE)
  • Backups: Encrypted with the same AES-256 standard and retained within AWS us-east-1
  • Key management: AWS-managed keys via KMS; no plaintext key material handled by application code

3. Authentication & Access

Access to Payrollix is gated by per-user credentials with second-factor authentication that is optional for most roles and required for administrative roles.

  • Password storage: All passwords are hashed with bcrypt using a per-user salt; we never store plaintext passwords
  • Session tokens: Signed JWT session tokens with short-lived expiry
  • Multi-factor authentication (MFA): Available for all user roles; required for administrative roles
  • Role-based access control: Separate portals for accountants, clients, employees, SMBs, and platform administrators, each with scoped permissions
  • Biometric login (mobile): Face ID and Touch ID on iOS, fingerprint on Android, gated by the device's secure enclave (Payrollix never receives biometric data — see our Privacy Policy)

4. Data Handling & Retention

Payrollix retains records for the period required by federal and state tax law, then destroys them.

  • Tax filings: All filed 941, 940, W-2, W-3, 1099-NEC, 1096 and related documents are archived to Amazon S3 with a minimum 4-year retention to satisfy IRS recordkeeping requirements
  • Payroll records: Retained 7 years per IRS regulations (see Privacy Policy)
  • Data residency: All customer data resides in the United States (AWS us-east-1). We do not replicate data outside the US
  • Document archive: Each tax filing artifact (XML, PDF, MIME package, acknowledgment) is keyed under tax-filings/{client_id}/{tax_year}/{form_type}/ in a private S3 bucket
  • Deletion: On verified account closure, we retain records for the legally required period and then securely destroy them

5. Compliance Posture

Payrollix operates under several regulatory and certification regimes. We do not claim certifications that we have not earned — current status is listed below.

  • SOC 2 Type 2: In progress. AWS Organization consolidation across our seven product accounts is underway to align audit scope. We will publish the report and audit window once the engagement is complete.
  • IRS MeF authorized A2A transmitter: Payrollix is an IRS-authorized application-to-application (A2A) transmitter for the 94x family of forms.
    • ETIN: 12374
    • Software ID: 26994223
  • E-SIGN Act & UETA: Our in-house electronic signature implementation (we do not use DocuSign or third-party e-sign vendors) captures a full audit trail per signature, including IP address, user-agent, timestamp, authentication method, and document hash
  • PCI DSS scope: Minimized. Subscription card payments are tokenized and processed by Stripe; Payrollix systems never store full PAN data
  • Banking compliance: ACH origination is performed by our partner Moov Financial through Veridian Credit Union (federally insured ODFI); see Privacy Policy § 3

6. Sub-Processors

Payrollix relies on a small set of contractually bound sub-processors to deliver the service. The full list with data categories and locations is maintained in our Privacy Policy.

  • Amazon Web Services (AWS): Cloud infrastructure, database, and document storage (us-east-1)
  • Moov Financial: ACH origination and payment orchestration
  • Middesk: Business identity verification (KYB) and state tax registration assistance
  • Sentry: Application error tracking and monitoring
  • Stripe: Subscription billing for Payrollix accounts (keeps PCI scope off our infrastructure)

7. Audit Logging

Every state-changing action on the platform is recorded in an append-only audit log. Each entry captures:

  • The acting user ID and role
  • The action performed and target resource
  • The source IP address and user-agent string
  • A UTC timestamp

Audit logs cover payroll runs, tax filings, e-sign events, banking changes, employee onboarding, and administrative actions. Logs are queryable by authorized administrators for incident investigation and customer-facing audit-trail exports.
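As an added illustration (not Payrollix's own code), the entry shape listed above implemented as a tamper-evident append-only log: each record carries the listed fields plus the hash of the previous record, so an after-the-fact edit breaks the chain and is detected on verification. The hash chaining, field names and sample events are assumptions for this example.

```python
import hashlib
import json
from datetime import datetime, timezone

# Fields every audit entry must carry (mirrors the list above)
REQUIRED_FIELDS = ("user_id", "role", "action", "target", "source_ip", "user_agent")
GENESIS = "0" * 64  # prev_hash of the first entry


def _digest(entry):
    # Hash the canonical JSON of every field except the entry's own hash
    body = {k: v for k, v in entry.items() if k != "hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class AuditLog:
    def __init__(self):
        self.entries = []  # stand-in for a write-only backing store

    def append(self, ts=None, **fields):
        missing = [f for f in REQUIRED_FIELDS if f not in fields]
        if missing:
            raise ValueError(f"audit entry missing {missing}")
        entry = dict(fields)
        entry["ts"] = ts or datetime.now(timezone.utc).isoformat()  # UTC timestamp
        entry["prev_hash"] = self.entries[-1]["hash"] if self.entries else GENESIS
        entry["hash"] = _digest(entry)
        self.entries.append(entry)
        return entry

    def verify(self):
        """Return the index of the first broken link, or -1 if the chain is intact."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            if e.get("prev_hash") != prev or _digest(e) != e.get("hash"):
                return i
            prev = e["hash"]
        return -1

    def query(self, **criteria):
        """Filter entries by exact field match, e.g. query(action="tax_filing.submit")."""
        return [e for e in self.entries if all(e.get(k) == v for k, v in criteria.items())]


def demo():
    # Constructed sample events, not real Payrollix records
    log = AuditLog()
    common = dict(user_id="u-1001", role="accountant", source_ip="203.0.113.7", user_agent="Mozilla/5.0")
    log.append(action="payroll.run", target="payroll/2026-05", ts="2026-05-15T12:00:00+00:00", **common)
    log.append(action="tax_filing.submit", target="tax-filings/c-42/2026/941", ts="2026-05-15T12:05:00+00:00", **common)
    intact = log.verify()                           # -1: chain is valid
    log.entries[0]["target"] = "payroll/2026-04"    # simulate an after-the-fact edit
    return intact, log.verify()                     # 0: first entry no longer matches its hash
```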

8. Incident Response

Payrollix maintains an internal incident response process. In the event of a data breach affecting your personal or payroll information, we commit to notify affected customers within 72 hours of discovery, consistent with applicable state breach-notification laws and the timeline referenced in our Privacy Policy.

Notification will include, at minimum, the nature of the incident, the categories of data involved, the steps we have taken in response, and recommended actions for affected users.

9. Responsible Disclosure

We welcome reports from security researchers. If you believe you have found a vulnerability in Payrollix, please email security@payrollix.com with:

  • A description of the issue and its potential impact
  • Steps to reproduce, including any proof-of-concept code or screenshots
  • The URL, endpoint, or component affected
  • Your name or handle for acknowledgment (optional)

We ask that researchers give us a reasonable opportunity to investigate and remediate before public disclosure, avoid accessing or modifying customer data, and avoid actions that degrade service for other users. We will acknowledge receipt within two business days.

10. Contact

For questions about Payrollix security practices, or to request additional information for a vendor security review:

  • Security: security@payrollix.com
  • Privacy: privacy@payrollix.com
  • Phone: 1-800-PAYROLL (1-800-729-7655)
  • Address: ReasonWorks AI Inc. (d/b/a Payrollix), Attn: Security, 1449 South Michigan Avenue, STE 13207, Chicago, IL 60605

This page describes the security posture of Payrollix as of the "Last updated" date above. Controls and sub-processors may change as the service evolves; material changes will be reflected on this page.