Ten questions to vet any AI tool before client data gets anywhere near it. Covers §7216, your WISP, encryption, data retention, and vendor diligence.
Under IRC §7216, a preparer who knowingly or recklessly discloses or uses tax return information without the client's authorization commits a misdemeanor: up to $1,000 in fines, up to a year in prison, or both, per violation (§6713 adds a separate civil penalty on top). Your Written Information Security Plan (WISP) is not optional either: the FTC Safeguards Rule requires every tax preparer to have one, and several states add requirements of their own.
“I pasted it into ChatGPT” is not a defense. These ten questions close that gap.
Consumer tiers often train on your inputs. Business and API tiers typically exclude your data from training and let you set retention policies, but get that exclusion in the contract, not just on a settings page that can change. If the tool only offers a free tier, assume your data trains the model.
US-based storage is preferred; cross-border data flows create additional compliance obligations. Ask for the data center region and for the list of sub-processors. For an AI tool, the model provider behind it is often one of those sub-processors, so the question of where your data goes has to be answered for them too.
An independent audit such as a SOC 2 Type II report or ISO 27001 certification means an outside auditor has verified the vendor's security controls. Ask for the report itself and read the scope and exceptions, not just the badge on the website (a SOC 2 Type I is a point-in-time snapshot; Type II covers controls operating over a period). If they have neither, ask for their security white paper and a recent penetration test summary.
TLS 1.2 or higher in transit, AES-256 at rest. This should be standard, but confirm it in writing, and ask who holds the keys: encryption at rest with vendor-held keys protects you from a stolen disk, not from the vendor's own staff or a compromised vendor account. If they hesitate or can't describe their encryption, that's your answer. The in-transit half you can also check yourself, since what the vendor's endpoint actually negotiates is visible from the outside.
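As an added example (not code from the original page or from any vendor it discusses), the check below connects to a vendor endpoint with Python's standard `ssl` module, records the TLS version and cipher negotiated when the client insists on TLS 1.2+, and then makes a second, deliberately capped connection to see whether the server still accepts TLS 1.0/1.1. The host name is a placeholder you substitute; the verdict logic is the checklist's own bar (TLS 1.2 or higher, and no legacy versions on offer).

```python
import socket
import ssl
import sys

# The checklist's bar: nothing older than TLS 1.2 should be negotiable.
MIN_VERSION = ssl.TLSVersion.TLSv1_2
ACCEPTABLE = {"TLSv1.2", "TLSv1.3"}


def version_meets_bar(version):
    """True only for the protocol versions the checklist asks for."""
    return version in ACCEPTABLE


def strict_context() -> ssl.SSLContext:
    # create_default_context() verifies the certificate chain and hostname;
    # on top of that, refuse to negotiate anything below TLS 1.2.
    ctx = ssl.create_default_context()
    ctx.minimum_version = MIN_VERSION
    return ctx


def legacy_context() -> ssl.SSLContext:
    # Deliberately capped at TLS 1.1 to test whether the SERVER still accepts it.
    # Certificate checks are irrelevant for this probe, so they are disabled here only.
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = ssl.TLSVersion.TLSv1
    ctx.maximum_version = ssl.TLSVersion.TLSv1_1
    return ctx


def probe(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Report what the endpoint negotiates and whether it still speaks TLS 1.0/1.1."""
    result = {"host": host, "negotiated": None, "cipher": None,
              "accepts_legacy": False, "error": None}
    # Pass 1: strict client. A handshake failure here means the server cannot
    # satisfy TLS 1.2+ with a valid certificate for this hostname.
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with strict_context().wrap_socket(raw, server_hostname=host) as tls:
                result["negotiated"] = tls.version()
                result["cipher"] = tls.cipher()[0]
    except (ssl.SSLError, OSError) as exc:
        result["error"] = str(exc)
    # Pass 2: legacy-only client. Success here is the finding we do NOT want.
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with legacy_context().wrap_socket(raw, server_hostname=host):
                result["accepts_legacy"] = True
    except (ssl.SSLError, OSError, ValueError):
        pass  # refused (or not constructible on this OpenSSL build): acceptable
    result["passes"] = version_meets_bar(result["negotiated"]) and not result["accepts_legacy"]
    return result


if __name__ == "__main__":
    # Placeholder host; replace with the vendor's API or login endpoint.
    target = sys.argv[1] if len(sys.argv) > 1 else "api.example-ai-vendor.com"
    for key, value in probe(target).items():
        print(f"{key:15} {value}")
```

Two caveats on reading the output. A refused legacy handshake may be your own OpenSSL build declining to speak TLS 1.0/1.1 rather than the server rejecting it, so a "refused" result is reassuring but not proof; and this checks only the public endpoint you connected to, not the vendor's internal hops or the connection from the vendor to its model provider. Those you still have to get in writing.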
Your WISP requires secure disposal when data is no longer needed. The tool should let you delete data on demand and confirm in writing that it is gone from all systems, including backups, within a defined window. Ask for that window specifically: backup purges routinely lag the deletion of live data, and "deleted" often means "no longer visible to you" until you pin the vendor down.
Who accessed what, when, and from where, including the vendor's own staff. If you can't audit access, you can't detect a breach, and you can't answer the first question an investigator or insurer will ask. Some vendors gate audit logs behind a higher tier or charge extra for them; budget for it.
Get the data export and deletion process in writing before you sign, along with the format you get your data back in. If the vendor is acquired or goes under, you need to know your clients' data won't be transferred as an asset in the sale.
A published way for outside researchers to report vulnerabilities is a sign that security is taken seriously internally. If the vendor has no such channel, they may not be finding or fixing vulnerabilities proactively, and a researcher who does find one has nowhere to send it.
Secret sprawl is a common breach vector. The tool should keep credentials (API keys, integration tokens, passwords) in secure credential storage rather than in prompts, config files, or chat history, and it should not write sensitive fields such as SSNs, EINs, or account numbers to its logs. Logs outlive the conversation, are copied to third-party monitoring services, and are rarely covered by the deletion promises made for your data.
A Business Associate Agreement (HIPAA) or Data Processing Agreement (GDPR) governs how the vendor handles data on your behalf. For tax data, get something equivalent in writing even where HIPAA and GDPR don't directly apply; what matters is the standard of care it commits the vendor to, not the acronym.
If a tool gets 7 or more "yes" answers, it passes basic diligence for non-sensitive use. For anything touching tax return information, you want 9 or 10, and you still de-identify before input: strip SSNs, EINs, account numbers, and contact details before anything is pasted, and put the real values back locally afterwards.
Fewer than 7? Either the tool isn't enterprise-ready, or the vendor isn't transparent enough to trust with client data. Move on.
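Two items above come down to the same control: sensitive fields should never reach the vendor's logs, and tax return information should be de-identified before it is pasted into any tool. The script below is an added example, not code from the original page, of a local, reversible de-identification pass: it swaps structured identifiers for numbered placeholder tokens, keeps the token-to-value map on your machine, refuses to send text that still contains an identifier, and restores the real values in the tool's output afterwards. The sample client text and every identifier in it are constructed and fictitious, and the regexes are assumptions chosen to over-match rather than under-match.

```python
import re
from typing import Dict, List, Tuple

# Ordered so structured formats are matched first and bare digit runs last, as a catch-all.
# Deliberately over-inclusive: a false positive costs one mapping entry, a false
# negative sends a client identifier to the vendor.
PATTERNS: List[Tuple[str, "re.Pattern[str]"]] = [
    ("SSN",   re.compile(r"\b\d{3}-\d{2}-\d{4}\b")),
    ("EIN",   re.compile(r"\b\d{2}-\d{7}\b")),
    ("EMAIL", re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")),
    ("PHONE", re.compile(r"(?<!\d)\(?\d{3}\)?[-.\s]?\d{3}[-.\s]?\d{4}(?!\d)")),
    ("ACCT",  re.compile(r"\b\d{8,17}\b")),  # routing/account numbers, undashed SSNs and EINs
]

# Constructed sample client note; every identifier in it is fictitious.
SAMPLE = (
    "Client John Q. Sample, SSN 123-45-6789, files jointly with spouse SSN 987-65-4321. "
    "Employer EIN 12-3456789. Refund to account 000123456789, routing 021000021. "
    "Contact john@example.com or (555) 123-4567. W-2 wages $84,250; "
    "123-45-6789 also appears on the 1099-R."
)


def deidentify(text: str) -> Tuple[str, Dict[str, str]]:
    """Replace identifiers with [KIND_n] tokens; return the text and the local token map."""
    mapping: Dict[str, str] = {}   # token -> real value; this never leaves your machine
    seen: Dict[str, str] = {}      # real value -> token, so a repeated SSN gets one token
    counters: Dict[str, int] = {}

    def replacer(kind: str):
        def repl(match: "re.Match[str]") -> str:
            value = match.group(0)
            if value not in seen:
                counters[kind] = counters.get(kind, 0) + 1
                token = f"[{kind}_{counters[kind]}]"
                seen[value] = token
                mapping[token] = value
            return seen[value]
        return repl

    for kind, pattern in PATTERNS:
        text = pattern.sub(replacer(kind), text)
    return text, mapping


def residual_identifiers(text: str) -> List[Tuple[str, str]]:
    """Gate check run on the text about to be sent: anything returned blocks the send."""
    return [(kind, m.group(0)) for kind, pattern in PATTERNS for m in pattern.finditer(text)]


def reidentify(text: str, mapping: Dict[str, str]) -> str:
    """Put the real values back into the tool's output, locally, after it comes back."""
    for token, value in mapping.items():
        text = text.replace(token, value)
    return text


if __name__ == "__main__":
    clean, token_map = deidentify(SAMPLE)
    leaks = residual_identifiers(clean)
    assert not leaks, f"refusing to send, identifiers remain: {leaks}"
    print("SEND TO TOOL:\n" + clean)
    # Whatever the tool returns is re-identified here, not by the tool.
    print("\nRESTORED:\n" + reidentify(clean, token_map))
```

Pattern matching covers structured identifiers only. Names, addresses, and employer names in the sample survive the pass untouched, so this is a floor, not a substitute for reviewing what you paste; and amounts such as the $84,250 are left in on purpose, because they are what you actually need the tool to reason about. The same `residual_identifiers` check is what you would run on anything headed for your own logs.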