Compliance built in, not bolted on.
IRS record-keeping requirements, SOC 2 Type II certification, and GDPR-ready workflows are not add-ons at Axos — they are defaults that apply to every account from the moment you sign up.
Standards we comply with
Applied to every account, on every plan, from day one.
SOC 2 Type II
Independently audited over a 12-month period. Covers Security, Availability, Processing Integrity, Confidentiality, and Privacy.
IRS 7-Year Retention
All documents are automatically retained for a minimum of 7 years in immutable, versioned storage.
GDPR Ready
Data subject rights, right to erasure, breach notification within 72 hours, and privacy by design across all workflows.
AES-256 + TLS 1.3
NIST-approved encryption at rest and in transit. The same standard used by banks and government agencies.
7-year retention, automatic and verifiable.
IRC § 6001 and IRS Rev. Proc. 98-25 require businesses to maintain books and records sufficient to determine correct tax liability for at least 7 years. Axos enforces this automatically on every document uploaded.
7-year minimum retention
The IRS requires businesses to retain tax records for at least 7 years (IRC § 6001). Axos enforces this automatically — documents cannot be permanently deleted during the retention window without an authorized override.
Complete version history
Every version of every document is preserved. If a client's tax return was amended, both the original and amended versions are stored, timestamped, and retrievable.
Tamper-evident records
Stored documents are cryptographically hashed at upload. Any modification attempt is detected. The chain of custody is unbroken from upload to retrieval.
Audit-ready export
Generate a complete, formatted export of any client's documents and activity history at any time — ready for an IRS inquiry, legal hold, or internal review.
Retention timeline
Year 0
Document uploaded
Year 1–3
Active access, fully searchable
Year 4–7
Archived, still retrievable in seconds
Year 7+
Retention window closes — deletion available
Documents flagged for legal hold are exempt from deletion regardless of age.
Every action, logged forever.
Every event in Axos produces a tamper-proof log entry retained for 7 years. Audit logs are separate from application data — they cannot be modified or deleted by any user, including administrators.
Exportable at any time
Export a full audit report for any date range in CSV or PDF — IRS-ready, court-admissible.
Immutable records
Log entries are cryptographically chained. Retroactive modification is detectable and rejected.
Events logged
Document uploaded
File name, size, uploader, timestamp, IP address
Document accessed
User, timestamp, IP, device, session ID
Document downloaded
User, timestamp, destination device info
E-signature requested
Sender, recipient, document, timestamp
E-signature completed
Signer identity, timestamp, IP, certificate hash
Permission changed
Changed by, changed for, old role, new role, timestamp
User login / logout
User, timestamp, IP, device, success/failure
Failed login attempt
User, IP, device, attempt count, timestamp
Five trust service criteria, continuously audited
SOC 2 Type II covers your firm's audit trail if a client or regulator ever asks how their data is protected. We provide the evidence.
Security
The system is protected against unauthorized access.
Availability
The system is available for operation as committed.
Processing Integrity
Processing is complete, accurate, timely, and authorized.
Confidentiality
Confidential information is protected as committed.
Privacy
Personal information is collected, used, and retained appropriately.
Enterprise clients can request the full SOC 2 Type II audit report under a mutual NDA for their own vendor due diligence and compliance programs.
Contact Sales
Your data. Your clients. Your control.
GDPR-ready architecture, strict data isolation, and a zero-monetization commitment on all client data.
Right to erasure (Article 17)
Data subject erasure requests are honored within 30 days. Erasure applies to personal data outside the IRS retention window. Documents within the retention window are flagged but preserved for compliance.
Per-tenant data isolation
Your firm's data is isolated at the storage, compute, and network layers. Cross-tenant access is architecturally impossible. No shared databases, no shared file systems.
No data monetization
Your clients' data is never analyzed, sold, or shared with third parties for advertising or product improvement purposes. We have no revenue model that depends on data access.
72-hour breach notification
In the event of a confirmed data breach affecting personal data, affected customers are notified within 72 hours per GDPR Article 33 and applicable US state data breach laws.
Data residency
Enterprise accounts can specify geographic data residency requirements. Data processing and storage can be restricted to specific regions on request.
Privacy by design
Data minimization is applied at every layer. We only collect what is necessary to operate the service. Anonymized analytics are used for product improvement — never individual-level data.
Compliant from your very first document.
Start your 14-day free trial. IRS retention, audit trail, and SOC 2 infrastructure apply to your account immediately — no configuration required.