Security posture

What was reviewed, and what is protected

ChainTax handles sensitive tax records. This page states the scope of its published security claim without presenting a code review as a certification or a guarantee.

April 2026

Independent route-by-route code review

An independent reviewer examined the application route by route, including authentication and authorisation boundaries, user-owned data access, input validation and rate limits, Stripe checkout and webhooks, background queue and cron authentication, account deletion, and concurrency-sensitive writes.

Findings were recorded and addressed through the normal code, review and automated-test process. ChainTax does not publish the reviewer's identity or raw exploit detail. This was a code review, not SOC 2 certification, ISO certification, or a guarantee that the service has no vulnerabilities.

Current controls

Wallet access

Public wallet addresses only. ChainTax never asks for a seed phrase, private key or signing permission.

Authentication and data

Authentication and the primary database are provided through Supabase. Protected routes check the signed-in user before reading account data.

Payments

Stripe handles card details. ChainTax stores payment references and tax-year access records, not card numbers.

Application controls

Production uses a Content Security Policy, HSTS, frame denial, request validation, rate limits and signed webhook/queue boundaries.

Quality checks

4,800+ automated tests cover tax logic, classifiers, pricing, reports, API routes and important failure cases.

Report a security issue

Email hello@chaintax.co.ukwith a clear description and reproduction steps. Do not access another user's data, disrupt the service, or publish a vulnerability before there has been time to investigate it.

For product limitations and tax-method detail, see how ChainTax works.