Secure 1099 Filing — Enterprise-Grade Security for Tax Data

1099 forms contain some of the most sensitive data in your business: Social Security numbers, Taxpayer Identification Numbers, names, addresses, and income amounts. At Thomas Ledger, protecting that data is not a feature — it is the foundation everything else is built on.

Why Security Matters for 1099 Filing

Every 1099 form you file contains personally identifiable information (PII) that, if exposed, could lead to identity theft and financial fraud. The IRS requires filers to implement reasonable security measures to protect taxpayer data, and penalties for data breaches involving tax information can be severe.

Beyond compliance, your recipients — contractors, vendors, and payees — trust you with their most sensitive personal information. That trust demands robust security at every stage of the filing process, from data entry to IRS transmission to long-term storage.

256-Bit AES Encryption

All data stored in Thomas Ledger is encrypted at rest using 256-bit AES encryption, the same standard used by banks and government agencies. This means that even in the unlikely event of unauthorized access to our storage systems, your data remains unreadable without the encryption keys.

Encryption in Transit

Every connection to Thomas Ledger is secured with TLS 1.3 encryption. Whether you are entering data through our web interface or uploading a bulk CSV file, or our system is transmitting your forms to the IRS through IRIS, the data is encrypted end to end.

Encryption Key Management

Encryption keys are managed through a dedicated key management service with automatic key rotation. Keys are never stored alongside the data they protect, and access to key management systems is restricted to a small number of authorized personnel with multi-factor authentication.

SOC 2 Type II Compliance

Thomas Ledger has achieved SOC 2 Type II certification, which means an independent auditor has verified that our security controls are not only properly designed but have been operating effectively over an extended period. SOC 2 Type II covers five trust service criteria:

  • Security — Protection against unauthorized access through firewalls, intrusion detection, and multi-factor authentication.
  • Availability — System uptime and performance commitments, with redundant infrastructure and disaster recovery plans.
  • Processing integrity — Assurance that data is processed completely, accurately, and in a timely manner.
  • Confidentiality — Controls ensuring that sensitive information is accessible only to authorized parties.
  • Privacy — Policies and practices governing the collection, use, and retention of personal information.

Our SOC 2 report is available upon request for enterprise customers and accounting firms. Contact us to request a copy.

File 1099s with Confidence

Your data is protected by the same security standards used by financial institutions. Start filing securely today.

Access Controls and Authentication

Multi-Factor Authentication

Every Thomas Ledger account supports multi-factor authentication (MFA) using authenticator apps or hardware security keys. For team accounts, administrators can require MFA for all users.

Role-Based Access Control

Control who can view, edit, and submit 1099 forms within your organization. Assign roles such as viewer, preparer, reviewer, and administrator to ensure proper separation of duties. This is especially valuable for accounting firms and CPA practices managing multiple team members.

Audit Logging

Every action in Thomas Ledger is logged — who accessed which records, when forms were created or modified, when filings were submitted, and when data was exported. Audit logs are retained for seven years and are available for download at any time.

Session Management

Sessions automatically expire after a period of inactivity. Administrators can configure session timeout durations and view active sessions across their organization.

Data Handling and Retention

Minimal Data Collection

We collect only the information required to prepare and file your 1099 forms. We do not sell, share, or monetize your data in any way.

Secure Data Storage

All data is stored in SOC 2 certified data centers located within the United States. Our infrastructure uses redundant storage across multiple availability zones to ensure data durability and availability.

Data Retention and Deletion

You control your data. Filed returns are retained for the IRS-recommended period to support corrections and audits. You can request complete deletion of your data at any time, and we will purge all records within 30 days of your request.

TIN Masking

Taxpayer Identification Numbers are masked throughout the application interface. Full TINs are only displayed when explicitly requested by an authorized user and only for the specific record being viewed. Masked TINs show only the last four digits.

IRS Compliance and Secure Transmission

When you file through Thomas Ledger, your forms are transmitted to the IRS through the IRIS system using IRS-approved secure channels. Our transmitter credentials are issued directly by the IRS, and all transmissions follow IRS Publication 1220 specifications for electronic filing of information returns.

We maintain our IRS Transmitter Control Code through annual testing and recertification, ensuring our integration remains current with IRS requirements.

All security features are included at every pricing tier — there is no premium security add-on.

Infrastructure Security

  • Web application firewall — All traffic is filtered through a WAF that blocks common attack patterns including SQL injection, cross-site scripting, and request forgery.
  • DDoS protection — Distributed denial-of-service mitigation ensures the platform remains available even during attacks.
  • Vulnerability scanning — Automated security scans run continuously against our application and infrastructure. Critical vulnerabilities are patched within 24 hours.
  • Penetration testing — Independent security firms conduct annual penetration tests of our application and infrastructure. Findings are remediated on a priority basis.
  • Incident response plan — We maintain a documented incident response plan that is tested regularly. In the event of a security incident, affected customers are notified promptly in accordance with applicable breach notification laws.

Security You Can Trust

256-bit encryption, SOC 2 compliance, role-based access, and IRS-approved transmission. Your tax data deserves nothing less.

Frequently Asked Questions About Security

Is my data encrypted?

Yes. All data is encrypted at rest with 256-bit AES encryption and in transit with TLS 1.3. Encryption keys are managed through a dedicated key management service with automatic rotation.

Are you SOC 2 certified?

Yes. Thomas Ledger holds a SOC 2 Type II certification. Our compliance is verified annually by an independent auditing firm. Enterprise customers can request a copy of our SOC 2 report by contacting us.

Where is my data stored?

All data is stored in SOC 2 certified data centers within the United States, with redundancy across multiple availability zones.

Can I delete my data?

Yes. You can request complete deletion of your account and all associated data at any time. Deletion is completed within 30 days of your request.

Do you support multi-factor authentication?

Yes. MFA is supported for all accounts and can be enforced organization-wide by administrators. We support authenticator apps (TOTP) and hardware security keys (WebAuthn).

How do you handle TINs and Social Security numbers?

TINs and SSNs are encrypted at rest, masked in the user interface (showing only the last four digits), and never included in logs or error reports. Full TINs are only decrypted when explicitly needed for IRS filing or authorized user access.