Data Security Plan

This document outlines Calyx’s data security policies. They are compliant with Internal Revenue Service (IRS) and Federal Trade Commission (FTC) requirements and recommendations for protecting customer information. Please see the references at the end of this document for more information and a list of relevant publications.

Calyx contracts with an outside computer specialist that manages Calyx’s information and  technology infrastructure. There is a designated partner-level employee that supervises the specialist and serves as the main point of contact for any issues related to information security. These individuals have full Admin privileges over all aspects of the security infrastructure. No other individuals have full Admin access at all levels.

Safeguards are audited and documented by a third party security specialist on a monthly basis.

Risk assessment is reviewed and documented annually.

All staff are required to confirm on an annual basis via signed statement that they have read and conform with Calyx’s security policies.

Dedicated Computers for Business Use Only

All Calyx staff including remote and offshore workers are provided with business-owned equipment that is dedicated exclusively for business use and may not be used for personal activities or shared with any other person for any reason. Calyx staff may not share computers amongst themselves.

Calyx operates an onsite server that hosts tax software data and dedicated onsite remote computers for each staff member. This enables access to tax software that can only be accessed through onsite machines.

All computers run the latest software for Windows operating systems.

Staff Hiring

The hiring process for all Calyx staff including employees and contractors includes multiple interviews, reference checks, and skills and assessments tests. The employment contract for contractors specifies that they must work exclusively for Calyx as full-time employees.

Security Software

All Calyx computers are loaded with an endpoint security software including anti-spyware and virus protection. It includes an Admin management console online portal so computers can be monitored remotely for potential breaches. All computers can also be deactivated, locked and wiped remotely by management. Automatic notifications are sent to management noting any suspicious activity. All software settings are set to automatically update to assure the computers are equipped with the latest version of the software. Virus scans are conducted automatically daily.

A hardware firewall/router routes internet to onsite machines. A virtual private network is used to access onsite equipment. Drive encryption is used to protect files using BitLocker encryption on all computers.

All computers run Windows 10 or 11 Pro. Each staff is provided with a dedicated Microsoft Business account which enables Admin control over various Windows login and other security policies. Controls which can be applied by management and propagated across all machines. Here are security policies that are currently in place.

• Microsoft Business Account password required at sign-in
• Automatic sign-out of after period of inactivity
• Multi-factor authentication required on sign in

Passwords

Calyx uses LastPass software to store and manage all passwords for all Calyx staff. It is a dedicated password management software that enables Admin access and control over all user accounts. Management can not view or alter passwords created by individual staff but each user account can be disabled or deleted at the Admin level. In addition, security policies (described below) can be enabled by the management and propagated across all user accounts.

All passwords are required to be stored in LastPass. Staff are prohibited from storing passwords through any means other than LastPass. Each user creates a Master Password which gives them access to their Vault account (where passwords are stored). Each user manages their own Vault. Calyx sets certain minimum requirements for passwords which all staff must adhere to.

• Minimum of 12 characters using at least 3 of the following character sets: uppercase, lowercase, numerical, and special characters (#s, ^ and similar).
• Unique passwords so no reusing of passwords for multiple entry points.

Shared Folders are used to share certain passwords that multiple staff can access. All shared folders are managed at the Admin level and folder access permissions can be set at the individual user level. For shared passwords for all staff excluding Partner level staff, password permissions are set to Read Only and Hide Passwords. Staff are unable to modify or view shared passwords. Passwords are automatically entered into website login entry screens vs. being manually entered by staff members.

Security policies are set at the Admin level and are controlled by the software which ensures that all users comply with the policy. Here are the policies that are currently in place.

• Master password required to be entered each time at login
• Master password length set to minimum of 12 characters
• Minimum character set in master password set to 3, i.e. requires that at least one character from any 3 of the 4 character sets are included: uppercase, lowercase, numeric, and special (!#$,^ and similar)
• Read Only and Hide Passwords level access for staff for shared passwords
• Account automatic logoff on browser close
• Restrict sharing to shared folders
• Super Admins can reset individual user Master Passwords
• Multi-factor authentication required

Multi-factor authentication is required to be used whenever possible and practicable. Multi-factor authentication is required for the following applications.

• Google Workspace
• Intuit
• LastPass

For access to client banking Calyx requires that the client create a dedicated user account for Calyx employees that can be set to view only access level permissions. If it’s not possible to create a user account for Calyx and/or it’s not possible to set the user account to view only access then Calyx will not accept login credentials to the account. View only access should generally only include the ability to download and view transactions and statements. Calyx does not accept access from clients for client banking that enables any financial transactions such as transferring, crediting, or debiting financial accounts of any sort. Calyx does not share/accept passwords with/from clients, i.e. use the client’s login credentials to access their financial accounts even if the client wishes Calyx to do this.

App Management

Calyx uses a variety of cloud based accounting applications. Each staff member gets their own dedicated user account to each software and unique login credentials–Calyx does not ‘share’ access to apps among different staff. Staff members are only given access to applications that are necessary for them to complete their work.

Wireless Networks

All wireless networks are required to meet a minimum standard of encryption, this includes both on and offsite staff. Offsite workers are required to use routers that are capable of using WPA2 encryption and hosting multiple networks. They are also required to establish dedicated networks for business use only that are not shared with friends or family, for example, when the networks are located in a home environment.

Calyx uses wired networks onsite. Wireless network options are also available including a dedicated internal network and guest network all using WPA2 encryption. These are filtered using a hardware firewall.

When accessing Calyx systems using public networks, staff are directed to login to their remote machines (dedicated machines located onsite) using Calyx’s VPN redirect option, which routes all internet traffic via Calyx’s internal internet access. This option is enabled automatically each time an employee accesses their remote machine.

Stored Client Data

Client tax data is contained on a dedicated server located at the main Calyx office in Medford, Oregon. The main password is known by an outside computer and security specialist. Data is backed up daily using a cloud based backup software application.

Client documents are also stored on Smart Vault which is a third party Secure File Transfer software specifically designed for accountants and tax preparation providers. It is a cloud based system, no files are stored on local computers. There is a file browser application stored on the local machine that requires separate login credentials.

Smart Vault is managed at the Admin level and user access can be removed at any time. Each client also has access to their Smart Vault portal which they can access through their web browser to access their documents. Calyx sets permissions and access for each folder and user within the main Vault folder.

Local Office Onsite Security Against Theft or Unauthorized Access

The Calyx main office in Medford, Oregon is open during regular business hours. Local staff may access the building during off-hours to work. There is a security system in place that includes alarms for all the entryways and also recorded video surveillance. The security system is constantly monitored by an outside security systems provider. The security system is required to be turned on whenever the last employee leaves the building. Each staff member has their own access code which is entered via a keypad inside the building.

The computer server and remote access computers are located in a locked closet inside the building which is always kept shut and locked.

EFIN/PTIN Monitoring

All tax returns are filed using a unique Electronic Filing Identification Number (EFIN) that is issued by the IRS. It’s possible that a malicious actor could gain access to the EFIN and fraudulently post returns with it. In order to determine if any fraudulent returns are being filed, Calyx periodically reviews reports that compare the number of returns posted to Calyx’s unique EFIN with the number of returns filed using our tax software.

Employees are required to read and sign off on Calyx’s security policies each year stating that they have read and understand the policies. They are also provided with a copy of IRS Publication 4557, Safeguarding Taxpayer Data and Publication 5293, Data Security Resource Guide for Tax Professionals which they are required to read and understand. Here are some of the items that are covered in the publications especially with regards to Phishing Attempts.

• Identifying suspicious emails – perpetrators posing as legitimate individuals or businesses
• Sending emails using the user email address or similar looking address
• Urgent email subject lines
• Requests to click on embedded links or embedded attachments
• Requests for personal or sensitive information
• Never download attachments from unknown sources
• Use secure file transfer applications when sending files over email
• Not disclosing passwords to anyone for any reason

Calyx maintains a $1,000,000 Cyber insurance policy that provides for financial assistance to support cases in which there is potential data loss or breach. Depending on the nature and extent of the breach Calyx will contact relevant agencies such as the Internal Revenue Service, Federal Bureau of Investigation, Federation of Tax Administrators, State Attorneys General, and State Revenue Departments as well as the local police. Calyx will work with our dedicated outside security specialist to determine the nature and extent of the breach. Individual clients will be contacted as necessary. The incident will be reported to our Cyber insurance provider.

• FTC Safeguards Rule
• Publication 4557, Safeguarding Taxpayer Data
• Publication 5293, Data Security Resource Guide for Tax Professionals
• Publication 1345, Handbook for Authorized IRS e-file Providers of Individual Income Tax Returns