
Secured. Trusted. Transparent.
At Total Tax Hosting, we understand that trust is the cornerstone of your business. That’s why we built our cloud hosting platform with security as the foundation, not an afterthought. Powered by Microsoft Azure and aligned with IRS Publication 4557, our infrastructure combines technical safeguards with rigorous operational practices to keep your firm’s data secure, available, and protected.
We’ve invested deeply in creating a secure, reliable, and compliant environment so tax professionals can serve their clients with confidence. From multi-factor authentication and encryption in transit and at rest to daily backups and continuous monitoring, every layer of our system is designed to withstand modern threats.
As part of our ongoing commitment to security, we are actively working with a leading compliance firm to obtain a SOC 2 Type II attestation report, confirming that our controls meet industry standards for data security and operational integrity.
As part of our commitment to transparency, we’ve published our Written Information Security Plan (WISP). This document outlines the administrative, technical, and physical safeguards we use to secure our systems and protect the sensitive data entrusted to us.
Total Tax Hosting LLC
Written Information Security Plan (WISP)
I. OBJECTIVE
The objective of this Written Information Security Plan (WISP) is to establish effective administrative, technical, and physical safeguards for protecting Personally Identifiable Information (PII) that may be accessed or processed by Total Tax Hosting LLC (hereinafter referred to as "the Firm"). While the Firm provides secure cloud hosting infrastructure for tax and accounting professionals, it does not directly manage or retain client tax records or PII. This WISP aligns with the requirements of the Gramm-Leach-Bliley Act (GLBA), IRS Publication 4557, and the FTC Safeguards Rule.
For the purposes of this WISP, PII refers to any client data that may be accessed in the course of operating hosted environments, including:
- Social Security numbers, dates of birth, or employment data
- Financial account numbers or tax filing data
- E-mail addresses, non-listed phone numbers, or other contact information
This plan covers the electronic and operational methods of securing any systems, services, or data that the Firm hosts.
II. PURPOSE
The purpose of this WISP is to:
A. Ensure the security and confidentiality of client environments hosted on Total Tax Hosting infrastructure.
B. Protect against anticipated threats or hazards to the integrity of hosted systems.
C. Safeguard against unauthorized access to hosted environments that could result in identity theft, fraud, or data loss.
III. SCOPE
This WISP applies to all systems, employees, contractors, and third-party vendors involved in the operation and maintenance of Total Tax Hosting’s Azure-based cloud infrastructure.
Specific protocols include:
A. Identifying foreseeable internal and external risks to hosted environments.
B. Assessing the potential impact of these risks.
C. Implementing technical controls and operational policies to mitigate these risks.
D. Monitoring and reviewing these safeguards regularly to ensure effectiveness.
IV. RESPONSIBLE OFFICIALS
Data Security Coordinator (DSC):
The Firm has designated the Principal Operating Officer as the Data Security Coordinator (DSC) responsible for:
- Implementing and supervising the WISP.
- Overseeing Azure security configurations, including Microsoft Entra ID, Azure Virtual Desktop (AVD), and Recovery Services Vaults.
- Ensuring all employees and contractors complete annual security training.
- Reviewing the security measures annually or when significant changes occur.
- Coordinating incident response and post-incident reviews.
Public Information Officer (PIO):
The DSC also serves as the Public Information Officer (PIO) for external communications in the event of a security incident.
V. INSIDE THE FIRM RISK MITIGATION
PII Collection and Retention Policy
- Total Tax Hosting does not directly collect or store client PII; however, it is responsible for safeguarding the hosting environments where client data resides.
- Access to hosted environments is restricted to authorized personnel with a legitimate business need.
- All Azure resources, including Recovery Services Vaults and managed disks, are protected with CanNotDelete resource locks to prevent accidental deletion.
Personnel Accountability Policy
- All employees and contractors must complete security awareness training covering the WISP and the Azure security posture.
- Azure role-based access control (RBAC) and Microsoft Entra Privileged Identity Management (PIM) enforce least-privilege, just-in-time administrative access.
- Upon termination of employment or contract, user accounts are disabled immediately and all access to Azure environments is revoked.
PII Disclosure Policy
- Total Tax Hosting employees are prohibited from accessing client PII unless required for system support, and only with authorization.
- Any third-party vendors with access to systems are required to comply with this WISP.
Reportable Event Policy
- Security incidents will be reported immediately to the DSC, who will coordinate notifications to affected clients and regulators as required.
- Post-incident reviews will document the root cause and corrective actions.
VI. OUTSIDE THE FIRM RISK MITIGATION
Network Protection Policy
- All Azure Virtual Desktop (AVD) environments use reverse connect: session hosts open outbound connections to the AVD service and user sessions are brokered over that channel, so no public IP addresses or inbound RDP (TCP 3389) listeners are exposed on the session hosts.
- All session hosts run Windows Defender Firewall, enabled by default on every network profile, providing host-based packet filtering, blocking unsolicited inbound traffic, and enforcing outbound application rules to prevent unauthorized network connections.
- All session hosts also run Microsoft Defender Antivirus, which actively scans for and blocks viruses, ransomware, spyware, and other malicious software. Real-time protection detects and neutralizes threats as soon as they attempt to execute.
- Microsoft Defender for Cloud is enabled with:
  - Secure Score monitoring
  - Threat detection alerts
  - Automated patch management, with updates applied before the nightly 8:00 PM reboot
- All managed disks use Zone-Redundant Storage (ZRS) for resiliency.
- Recovery Services Vault backups are also stored with ZRS and protected by CanNotDelete resource locks.
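The resource-lock control appears twice in this plan (PII Collection and Retention Policy, and the backup bullet above). The following is a worked example added to this page; it is not Total Tax Hosting's own tooling. It uses the Az PowerShell modules to report Recovery Services Vaults and managed disks in a resource group that lack a CanNotDelete or ReadOnly lock at their own scope, and to apply a CanNotDelete lock to each one that is missing it. The resource group name, lock name and lock notes are placeholders.

```powershell
# Added example, not Total Tax Hosting's script. Requires Az.Accounts and Az.Resources
# and an existing Connect-AzAccount session with rights to manage locks
# (Microsoft.Authorization/locks/*, e.g. Owner or User Access Administrator).
$ResourceGroup = 'rg-avd-prod'        # placeholder
$LockName      = 'wisp-cannot-delete' # placeholder

# Resource types the WISP requires to carry a delete lock
$ProtectedTypes = @(
    'Microsoft.RecoveryServices/vaults',
    'Microsoft.Compute/disks'
)

# Returns protected resources that have no CanNotDelete/ReadOnly lock at their own scope.
# Locks inherited from the resource group or subscription are deliberately not counted,
# so the audit reports exactly what this policy asks for: a lock on the resource itself.
function Get-UnlockedProtectedResource {
    param(
        [Parameter(Mandatory)] [string]   $ResourceGroupName,
        [Parameter(Mandatory)] [string[]] $ResourceTypes
    )
    Get-AzResource -ResourceGroupName $ResourceGroupName |
        Where-Object { $ResourceTypes -contains $_.ResourceType } |
        Where-Object {
            $locks = Get-AzResourceLock -Scope $_.ResourceId -ErrorAction SilentlyContinue
            -not ($locks | Where-Object { $_.Properties.level -in 'CanNotDelete', 'ReadOnly' })
        }
}

# Applies a CanNotDelete lock to every resource the audit reports as unlocked.
function Set-WispDeleteLock {
    param(
        [Parameter(Mandatory)] [string] $ResourceGroupName,
        [Parameter(Mandatory)] [string] $LockName
    )
    $unlocked = Get-UnlockedProtectedResource -ResourceGroupName $ResourceGroupName -ResourceTypes $ProtectedTypes
    foreach ($r in $unlocked) {
        New-AzResourceLock -LockName $LockName -LockLevel CanNotDelete `
            -LockNotes 'Required by WISP: prevents accidental deletion of backup data' `
            -Scope $r.ResourceId -Force | Out-Null
        Write-Output "Locked $($r.ResourceType) $($r.Name)"
    }
}

# Audit first, then remediate; a second audit should come back empty.
$Unlocked = @(Get-UnlockedProtectedResource -ResourceGroupName $ResourceGroup -ResourceTypes $ProtectedTypes)
if ($Unlocked.Count -gt 0) {
    $Unlocked | Select-Object Name, ResourceType | Format-Table -AutoSize
    Set-WispDeleteLock -ResourceGroupName $ResourceGroup -LockName $LockName
} else {
    Write-Output 'All protected resources carry a delete lock.'
}
```

A lock stops accidental deletion through Azure Resource Manager; it does not stop an administrator who first removes the lock, which is why lock changes are among the events the Logging and Monitoring Policy below singles out for review. Recovery Services Vault soft delete is a separate, independent layer for the backup data itself.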
Logging and Monitoring Policy
- All critical Azure platform logs are collected and retained in a Log Analytics workspace for a minimum of 90 days.
- Logs include activity tracking for sign-in attempts, backup events, resource lock changes, and system updates.
- The DSC reviews event logs at random intervals not exceeding 90 days to detect unauthorized access or anomalies.
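The three event classes named above (sign-in attempts, backup events, lock changes) map to specific Log Analytics tables, and a periodic review is easier to repeat, and to evidence for an auditor, when it is scripted. The block below is an added example, not Total Tax Hosting's own review script. It assumes the Az.OperationalInsights module, a signed-in session with read access to the workspace, and that diagnostic settings populate the SigninLogs (Entra ID), AzureActivity and AddonAzureBackupJobs (Recovery Services Vault, resource-specific mode) tables; the workspace ID, lookback window and failure threshold are placeholders.

```powershell
# Added example, not Total Tax Hosting's script. Requires Az.OperationalInsights and an
# existing Connect-AzAccount session with Log Analytics Reader on the workspace.
# Table names assume Entra ID sign-in logs, the Azure Activity log and the vault's
# backup job logs are routed to this workspace via diagnostic settings.
$WorkspaceId = '00000000-0000-0000-0000-000000000000'   # placeholder
$Lookback    = New-TimeSpan -Days 30                     # inside the 90-day retention window

# Failed sign-ins grouped by account and source address: a burst from one address
# against one or many accounts is the signature of password spraying or brute force.
$FailedSignIns = @'
SigninLogs
| where ResultType != "0"
| summarize Failures = count(), FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated)
    by UserPrincipalName, IPAddress, ResultDescription
| where Failures >= 10
| order by Failures desc
'@

# Anyone removing or changing a resource lock: deleting a locked vault or disk
# requires this step first, so it is the event to review most closely.
$LockChanges = @'
AzureActivity
| where OperationNameValue in~ ("MICROSOFT.AUTHORIZATION/LOCKS/DELETE", "MICROSOFT.AUTHORIZATION/LOCKS/WRITE")
| project TimeGenerated, Caller, CallerIpAddress, OperationNameValue, ActivityStatusValue, _ResourceId
| order by TimeGenerated desc
'@

# Backup jobs that neither completed nor are still running.
$FailedBackups = @'
AddonAzureBackupJobs
| where JobStatus !in ("Completed", "InProgress")
| project TimeGenerated, JobOperation, JobStatus, BackupItemUniqueId, JobFailureCode
| order by TimeGenerated desc
'@

function Invoke-WispReviewQuery {
    param(
        [Parameter(Mandatory)] [string]   $Query,
        [Parameter(Mandatory)] [string]   $WorkspaceId,
        [Parameter(Mandatory)] [timespan] $Timespan
    )
    # .Results is a collection of row objects; an empty result is the expected "nothing to report".
    (Invoke-AzOperationalInsightsQuery -WorkspaceId $WorkspaceId -Query $Query -Timespan $Timespan).Results
}

$Review = [ordered]@{
    'Failed sign-in bursts' = $FailedSignIns
    'Resource lock changes' = $LockChanges
    'Failed backup jobs'    = $FailedBackups
}
foreach ($name in $Review.Keys) {
    $rows = @(Invoke-WispReviewQuery -Query $Review[$name] -WorkspaceId $WorkspaceId -Timespan $Lookback)
    Write-Output "== $name ($($rows.Count) rows, last $($Lookback.Days) days) =="
    $rows | Format-Table -AutoSize
}
```

Keeping the queries in version control and saving each run's output alongside the date gives the DSC the evidence trail this policy implies; the threshold of ten failures is a starting point that should be tuned against the firm's normal sign-in volume.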
Firm User Access Control Policy
- Multi-factor authentication (MFA) is enforced for all administrative access via Microsoft Entra ID.
- Users are assigned standard privileges by default and cannot install applications or alter AVD session hosts.
Electronic Exchange of PII Policy
- Client PII transmitted to or from hosted environments must use encrypted channels (TLS 1.2 or later).
- Email transmission of PII is prohibited unless the file is encrypted with AES-256 and the password or key is shared through a separate communication channel.
- The preferred mechanism for client data transfer is a secure client portal protected by MFA.
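Three of the host-level controls in this plan (Windows Defender Firewall with inbound blocked, Microsoft Defender Antivirus real-time protection, and TLS 1.2 or later in the Network Protection and Electronic Exchange policies) are settings on the AVD session host that can drift. The block below is an added example, not Total Tax Hosting's own build script: run elevated on a session host, it enforces those three settings and returns a compliance object the DSC can record. The TLS change uses the standard Schannel and .NET Framework registry keys and takes effect after the nightly reboot; the function and property names are this example's own.

```powershell
# Added example, not Total Tax Hosting's script. Run in an elevated PowerShell session
# on a Windows session host. Uses the built-in NetSecurity and Defender modules.
$ErrorActionPreference = 'Stop'

# --- Firewall: all three profiles on, unsolicited inbound blocked, outbound allowed ---
Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True `
    -DefaultInboundAction Block -DefaultOutboundAction Allow

# --- Defender Antivirus: real-time protection and cloud-delivered protection on ---
Set-MpPreference -DisableRealtimeMonitoring $false -MAPSReporting Advanced -SubmitSamplesConsent SendSafeSamples

# --- Schannel: disable TLS 1.0/1.1, enable TLS 1.2 for both client and server roles ---
$Base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$Protocols = [ordered]@{ 'TLS 1.0' = $false; 'TLS 1.1' = $false; 'TLS 1.2' = $true }
foreach ($proto in $Protocols.Keys) {
    foreach ($role in 'Client', 'Server') {
        $key     = Join-Path $Base "$proto\$role"
        $enabled = [int]$Protocols[$proto]          # 1 = enabled, 0 = disabled
        New-Item -Path $key -Force | Out-Null
        New-ItemProperty -Path $key -Name 'Enabled' -Value $enabled -PropertyType DWord -Force | Out-Null
        New-ItemProperty -Path $key -Name 'DisabledByDefault' -Value (1 - $enabled) -PropertyType DWord -Force | Out-Null
    }
}
# .NET Framework applications (e.g. line-of-business tax software) follow the OS TLS defaults
foreach ($fw in 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
                'HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319') {
    New-Item -Path $fw -Force | Out-Null
    New-ItemProperty -Path $fw -Name 'SchUseStrongCrypto'      -Value 1 -PropertyType DWord -Force | Out-Null
    New-ItemProperty -Path $fw -Name 'SystemDefaultTlsVersions' -Value 1 -PropertyType DWord -Force | Out-Null
}

# --- Verification: one object the DSC can log with the review date ---
function Test-SessionHostBaseline {
    $fw    = Get-NetFirewallProfile
    $mp    = Get-MpComputerStatus
    $tls10 = (Get-ItemProperty "$Base\TLS 1.0\Server" -ErrorAction SilentlyContinue).Enabled
    $tls11 = (Get-ItemProperty "$Base\TLS 1.1\Server" -ErrorAction SilentlyContinue).Enabled
    $tls12 = (Get-ItemProperty "$Base\TLS 1.2\Server" -ErrorAction SilentlyContinue).Enabled
    [pscustomobject]@{
        ComputerName          = $env:COMPUTERNAME
        FirewallAllProfilesOn = @($fw | Where-Object Enabled -ne 'True').Count -eq 0
        InboundBlockedDefault = @($fw | Where-Object DefaultInboundAction -ne 'Block').Count -eq 0
        RealTimeProtection    = $mp.RealTimeProtectionEnabled
        SignatureAgeDays      = $mp.AntivirusSignatureAge
        Tls10ServerDisabled   = ($tls10 -eq 0)
        Tls11ServerDisabled   = ($tls11 -eq 0)
        Tls12ServerEnabled    = ($tls12 -eq 1)
        RebootPendingForTls   = $true   # Schannel reads these keys at boot
    }
}
Test-SessionHostBaseline | Format-List
```

Disabling TLS 1.0 and 1.1 on the server side can break any legacy client or appliance that still connects to the host, so test on one session host before rolling the change across the pool; the verification function makes that per-host check repeatable.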