Secure 1099 Filing — Enterprise-Grade Security for Tax Data

Why Security Matters for 1099 Filing

Every 1099 form you file contains personally identifiable information (PII) that, if exposed, could lead to identity theft and financial fraud. The IRS requires filers to implement reasonable security measures to protect taxpayer data, and penalties for data breaches involving tax information can be severe.

Beyond compliance, your recipients — contractors, vendors, and payees — trust you with their most sensitive personal information. That trust demands robust security at every stage of the filing process, from data entry to IRS transmission to long-term storage.

256-Bit AES Encryption

All data stored in Thomas Ledger is encrypted at rest using 256-bit AES encryption, the same standard used by banks and government agencies. This means that even in the unlikely event of unauthorized access to our storage systems, your data remains unreadable without the encryption keys.

Encryption in Transit

Every connection to Thomas Ledger is secured with TLS 1.3 encryption. Whether you are entering data through our web interface, uploading a bulk CSV file, or our system is transmitting your forms to the IRS through IRIS, the data is encrypted end to end.

Encryption Key Management

Encryption keys are managed through a dedicated key management service with automatic key rotation. Keys are never stored alongside the data they protect, and access to key management systems is restricted to a small number of authorized personnel with multi-factor authentication.

IRS-Authorized Filing

Thomas Ledger holds the IRS authorizations required to transmit information returns directly on your behalf — not through a third-party intermediary, and not via portal upload. The credentials below are issued by the IRS and verifiable through IRS channels.

• IRS IRIS authorization — Active. We are an IRS-authorized e-file provider transmitting 1099-NEC and 1099-MISC through the Information Returns Intake System.
• ACA AATS acceptance for TY2025 — IRS-accepted in the Assurance Testing System under Software ID 25A0024798. AATS acceptance is the IRS's formal sign-off that our software produces compliant 1094-C / 1095-C output and can transmit through AIR in production.
• Software Developer TCC: TB4WJ — registered for AIR development and AATS testing.
• Transmitter TCC: TB4PF — registered for AIR production transmission on customer behalf.

For prospects with formal vendor-security requirements that go beyond IRS authorization, contact us and we'll share our security control framework and supporting documentation.

Access Controls and Authentication

Multi-Factor Authentication

Every Thomas Ledger account supports multi-factor authentication (MFA) using authenticator apps or hardware security keys. For team accounts, administrators can require MFA for all users.

Role-Based Access Control

Control who can view, edit, and submit 1099 forms within your organization. Assign roles such as viewer, preparer, reviewer, and administrator to ensure proper separation of duties. This is especially valuable for accounting firms and CPA practices managing multiple team members.

Audit Logging

Every action in Thomas Ledger is logged — who accessed which records, when forms were created or modified, when filings were submitted, and when data was exported. Audit logs are retained for seven years and are available for download at any time.

Session Management

Sessions automatically expire after a period of inactivity. Administrators can configure session timeout durations and view active sessions across their organization.

Data Handling and Retention

Minimal Data Collection

We collect only the information required to prepare and file your 1099 forms. We do not sell, share, or monetize your data in any way.

Secure Data Storage

All data is stored in AWS data centers within the United States, with redundant storage across multiple availability zones to ensure durability and availability. No customer data is transmitted outside the U.S.

Data Retention and Deletion

You control your data. Filed returns are retained for the IRS-recommended period to support corrections and audits. You can request complete deletion of your data at any time, and we will purge all records within 30 days of your request.

TIN Masking

Taxpayer Identification Numbers are masked throughout the application interface. Full TINs are only displayed when explicitly requested by an authorized user and only for the specific record being viewed. Masked TINs show only the last four digits.

IRS Compliance and Secure Transmission

When you file through Thomas Ledger, your forms are transmitted to the IRS through the IRIS system using IRS-approved secure channels. Our transmitter credentials are issued directly by the IRS, and all transmissions follow IRS Publication 1220 specifications for electronic filing of information returns.

We maintain our IRS Transmitter Control Code through annual testing and recertification, ensuring our integration remains current with IRS requirements.

All security features are included at every pricing tier — there is no premium security add-on.

Infrastructure Security

• Web application firewall — All traffic is filtered through a WAF that blocks common attack patterns including SQL injection, cross-site scripting, and request forgery.
• DDoS protection — Distributed denial-of-service mitigation ensures the platform remains available even during attacks.
• Vulnerability scanning — Automated security scans run continuously against our application and infrastructure. Critical vulnerabilities are patched within 24 hours.
• Penetration testing — Independent security firms conduct annual penetration tests of our application and infrastructure. Findings are remediated on a priority basis.
• Incident response plan — We maintain a documented incident response plan that is tested regularly. In the event of a security incident, affected customers are notified promptly in accordance with applicable breach notification laws.

Frequently Asked Questions About Security