Security posture
What was reviewed, and what is protected
ChainTax handles sensitive tax records. This page states the scope of its published security claim without presenting a code review as a certification or a guarantee.
April 2026
Independent route-by-route code review
An independent reviewer examined the application route by route, including authentication and authorisation boundaries, user-owned data access, input validation and rate limits, Stripe checkout and webhooks, background queue and cron authentication, account deletion, and concurrency-sensitive writes.
Findings were recorded and addressed through the normal code, review and automated-test process. ChainTax does not publish the reviewer's identity or raw exploit detail. This was a code review, not SOC 2 certification, ISO certification, or a guarantee that the service has no vulnerabilities.
Current controls
Wallet access
Public wallet addresses only. ChainTax never asks for a seed phrase, private key or signing permission.
Authentication and data
Authentication and the primary database are provided through Supabase. Protected routes check the signed-in user before reading account data.
Payments
Stripe handles card details. ChainTax stores payment references and tax-year access records, not card numbers.
Application controls
Production uses a Content Security Policy, HSTS, frame denial, request validation, rate limits and signed webhook/queue boundaries.
Quality checks
4,800+ automated tests cover tax logic, classifiers, pricing, reports, API routes and important failure cases.
Report a security issue
Email hello@chaintax.co.ukwith a clear description and reproduction steps. Do not access another user's data, disrupt the service, or publish a vulnerability before there has been time to investigate it.
For product limitations and tax-method detail, see how ChainTax works.