Information Security Overview

At SafeSend, security is very important to us, which is why we have created this statement to disclose how we protect your account data. Your trust is imperative to our mission, not only as a business but as people. We want you to feel secure when using SafeSend and SafeSend Returns. Below you’ll find how SafeSend manages data:

Cloud Hosted Servers and Data Centers
The SafeSend Returns servers are hosted on Microsoft Azure servers located in the United States. Microsoft Azure utilizes advanced firewalls and intrusion detection technology to provide the highest level of security for our customers. The SafeSend Returns servers and firewall are monitored on a 24/7 basis. Each SafeSend and SafeSend Returns client has its own siloed database within Microsoft Azure.

Web Application Firewall

All SafeSend websites are protected by a web application firewall. The sites sit behind the firewall, and connections to them use 2048-bit SSL encryption. All databases are encrypted and stored in the Microsoft® Azure cloud. Our sites follow the latest OWASP 3.1 Ruleset.

Data Backup

Daily backups are performed by Microsoft Azure. The data stored in those backups is never decrypted during the process, and backup media is physically secured at all times to ensure the utmost in security. Azure backups are rotated in encrypted form to alternate secured locations in the event of a natural disaster.

Data in Transfer
All data is protected by full encryption during transmission and at rest, using SHA256 certificates under TLS 1.2 encryption.

Penetration Testing
At least every 12 months, penetration testing is performed by a third party to evaluate the security of the SafeSend information technology environment. Testing procedures are used to simulate users attempting to gain unauthorized access to system resources and data by using known vulnerabilities and other “hacking” techniques. Testing of external-facing components, including internet protocol (“IP”) addresses and Uniform Resource Locators (“URL(s)”), simulates a user attempting to gain access to system components through publicly accessible endpoints from the Internet.

SOC 2 Examination
SafeSend is required to have a Type 1 SOC 2 examination annually. The examination reports on the assertions made by management in their controls with regard to the AICPA Trust Services Principles and Criteria regarding:

  • Security
  • Confidentiality
  • Availability

Attachment File Virus/Malware Scan 

SafeSend performs a basic virus/malware scan on files uploaded by taxpayers. It will recognize known malicious files and the file upload will fail. This basic scan may not catch all malicious files, so end users need to follow safe file download practices. 

Reporting Security Issues
If you have discovered a vulnerability in a SafeSend product, please email us at: Please include a detailed summary of the issue including the name of the product (e.g., SafeSend) and the nature of the issue you believe you’ve discovered. SafeSend will respond to your notification within a reasonable amount of time and will quickly work to fix the reported vulnerability.
