Security

Built for the data your clients trust you with.

Tax pros handle SSNs, EINs, addresses, and dollar figures that map to people. We treat that data the way the IRS expects: with isolation, encryption, audit trails, and short retention.

Auth

Clerk-backed sessions, MFA available.

Authentication runs on Clerk. Passwords never touch our servers; sessions are JWTs validated at the middleware layer on every protected route.

Multi-factor authentication (TOTP authenticator apps, passkeys) is supported. Each user gets an isolated workspace keyed off their Clerk user ID — no shared accounts, no collaborator-creep on multi-client data.

Data at rest

Postgres with row-level security.

Submissions, records, and amounts live in Supabase Postgres with RLS policies keyed off the authenticated user’s org ID. The service-role key is server-only — it never ships to the browser, and route handlers are gated behind Clerk before any DB call runs.
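The isolation described above, written out as an added example of the Supabase pattern it names (this is illustrative SQL, not IRISfile's own schema; the table name, its columns, and the `org_id` JWT claim are assumptions):

```sql
-- Added example: Postgres row-level security keyed off the org ID carried in
-- the authenticated user's JWT. Table and column names are hypothetical.
create table if not exists submissions (
  id          bigint generated always as identity primary key,
  org_id      text not null,
  payload_xml text not null,
  created_at  timestamptz not null default now()
);

-- Deny by default: once RLS is enabled, a role with no matching policy sees
-- zero rows. FORCE also applies the policies to the table owner. Note that the
-- service_role key holds BYPASSRLS and skips all of this, which is exactly why
-- it must stay server-side and behind the auth gate.
alter table submissions enable row level security;
alter table submissions force row level security;

-- One policy for select/insert/update/delete: a row is visible or writable only
-- when its org_id equals the org_id claim in the verified JWT. auth.jwt() is
-- Supabase's helper that exposes the request's JWT as jsonb; the claim name
-- 'org_id' is an assumption.
create policy submissions_org_isolation on submissions
  for all
  to authenticated
  using      (org_id = (auth.jwt() ->> 'org_id'))
  with check (org_id = (auth.jwt() ->> 'org_id'));

-- Check, run as an authenticated session whose JWT carries org_id = 'org_A':
-- returns only org_A rows, and an insert with org_id = 'org_B' fails the
-- WITH CHECK clause instead of silently landing in another org's workspace.
select id, created_at from submissions;
```

A session with no JWT, or one whose claim is missing, matches no row, which is the failure mode you want when a token is malformed.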

Database backups are encrypted at rest with AES-256 by the Supabase platform.

Data in transit

TLS 1.2+, HSTS, modern cipher suites.

Every request between your browser, our app, Clerk, Supabase, Stripe, and the IRS A2A API is TLS-encrypted. The marketing site, the app, and the API all enforce HTTPS; HSTS is on at the platform layer.

No customer 1099 data ever flows over an unencrypted channel — including during conversion, submission, or ack-polling.

File handling

Source files: short-lived. XML: yours forever.

When you upload a FIRE / CSV / Excel file, we parse it in-memory, validate, and emit IRIS XML. Source files are not retained as raw blobs in v1 — the structured records hit the database, but the original bytes do not persist past the request.

Generated IRIS XML payloads are stored against your submission so you can re-download, audit, or refile a correction. Retention follows IRS recordkeeping guidance (4 years from due date by default).

IRS posture

One transmitter, one TCC, your records stay yours.

PixelCove LLC is the named Transmitter. Your clients do not need their own Transmitter Control Codes — we file on your behalf as the operator. Submissions are tagged with your org so the IRS audit trail still leads back to you, the tax professional.

Status (2026-04-27): TCC application submitted; IRS expected resolution ~2026-07-01. All A2A development targets the IRS sandbox first per IRS Pub 5718 guidance. Until production approval lands, IRISfile generates filing-ready XML you can also submit via the IRIS Portal manually.

Vendors we trust

Compliance-grade infrastructure underneath.

  • Clerk — auth, sessions, MFA.
  • Supabase — Postgres, RLS, backups (built on AWS, SOC 2 Type II).
  • Stripe — PCI DSS Level 1 for billing. Card data never touches us.
  • Vercel / Cloudflare — TLS, DDoS protection, edge cache.
  • IRS A2A — OAuth 2.0, signed XML, sandbox-first development.

Reporting issues

Found something? We want to hear.

If you spot a vulnerability or have questions about our handling of a specific data flow, write to security@irisfile.co. We acknowledge within one business day and triage from there.

Posture

Tabular numbers. Audit trails. No data we don’t need.
