SOC 2 Type II
AICPA Trust Services Criteria - Security, Availability, Confidentiality.
Controls in place · final audit Q3 2026
Implemented controlsSecurity & trust
Tax work is sensitive. Revax is engineered to ensure that everything you put into the platform is confidential & protected at every layer.
Principles
Your data stays yours. Your inputs, outputs, and uploaded documents are never used to train, fine-tune, or improve any model - ours or our providers'. Contractual in our service agreement with clients, and our model providers under zero-retention terms.
You decide what's uploaded, set retention policies, and delete at any time. Data is held in-region in ISO-aligned cloud infrastructure, with hard-delete on offboarding within 30 days.
SSO via SAML 2.0 and OIDC (Okta, Entra, Google), enforced MFA, and role-based access on a least-privilege basis. A full audit log of every query and draft, streamable to your SIEM.
TLS 1.3 in transit and AES-256 at rest. Every customer workspace is logically separated.
Annual independent third-party penetration testing, automated vulnerability scanning, and continuous monitoring across both infrastructure and application.
A DPA and security addendum with binding terms. Security incidents are notified within 24 hours of confirmation; personal-data breaches within 72 hours.
Certifications
AICPA Trust Services Criteria - Security, Availability, Confidentiality.
Controls in place · final audit Q3 2026
Implemented controlsInformation security management system certification.
Controls in place · final audit Q3 2026
Implemented controlsUK NCSC-accredited cyber hygiene certification.
Certified · Renewed annually
Implemented controlsDPA available on request, including the UK International Data Transfer Addendum.
Aligned · DPA on request
Implemented controlsOur trust centre offers granular transparency. Additional compliance documentation is ready for your review on request.