Security

Enterprise-grade protection.

From access management to encryption, Byron enforces rigorous standards to ensure your data stays secure, private, and compliant.

Certified and Compliant

Security and confidentiality aren't features at Byron – they're foundational. We built the platform from the ground up to protect the kind of sensitive financial data CPA firms are trusted to handle.

SOC 2 Type II

Audited annually against the AICPA's Trust Services Criteria for security, availability, and confidentiality.

IRS Publication 4557

Aligned with IRS Publication 4557 guidance and the FTC Safeguards Rule for tax preparers, including the written information security plan (WISP) requirement for protecting client data.

§7216 compliant by design

Byron processes return information as a US-based service provider in connection with your firm's return preparation, a use that generally does not require a separate §7216 consent.

Encryption everywhere

AES-256 at rest, TLS 1.3 in transit. Keys managed in AWS KMS with regular rotation.

No model training

Customer data is never used to train or fine-tune any AI model. Your client work stays your client work.

US-based infrastructure

All data is stored and processed in US data centers. No data leaves the country.

Production isolation

Customer data lives only in production environments, which are fully isolated from development.

Zero trust architecture

No user or system is trusted by default. Every access request is verified, scoped to the minimum required, and logged.

Role-based access control

Byron supports common Single Sign-On protocols and role-based permissions, so your firm stays in full control of which end users can access Byron and what they can see.

Independent security testing

Byron is penetration tested annually by an independent firm, following an "assume breach" methodology to surface risks before they're exploited.

Continuous monitoring

Production systems are monitored 24/7 for unauthorized access, anomalous behavior, and configuration drift, with alerts triaged in real time.

Least-privilege access

Engineers are granted only the access required to do their jobs, scoped to the minimum data and systems needed and revoked when no longer required.

Byron makes AI work reviewable.

Every output is designed to be inspected by a reviewer, with source context, approval history, and activity logs tied to the work.

Source-linked outputs

Prepared values trace back to the source document and supporting context.

Reviewer approval

Agents prepare the work. CPAs review, approve, override, and sign off.

Audit history

Edits, comments, approvals, sync events, workbook updates, and exports are logged.

FAQ

Is our data used to train Byron's models?

No. Your firm's data is never used to train any model, ours or our AI providers'. We process it only to prepare your firm's work, under terms that prohibit training on it.

Where is my firm's data stored?

Byron is hosted entirely in the United States on AWS, and your data stays in US-based infrastructure. Every Byron team member with access to firm data is US-based as well.

Is Section 7216 consent required to use Byron?

Byron is a US-based service provider that processes return information solely to help prepare your firm's returns, a use that, for US-based providers in connection with return preparation, generally does not require a separate Section 7216 consent.

However, because the decision to solicit 7216 consent depends on your firm's facts, your firm should confirm the right approach with its advisors, and we will provide the documentation to support that review.

What certifications does Byron hold?

Byron has completed a SOC 2 Type II audit, and we can share the attestation report under NDA. The controls it covers include encryption in transit and at rest, enforced multi-factor authentication, role-based access, and annual third-party penetration testing.

Who has access to firm data?

Access is limited to authorized, US-based Byron personnel under role-based, least-privilege controls, and every employee passes a background check and signs a confidentiality agreement. Production access is restricted to a small operations team and protected by multi-factor authentication.

Does Byron support SSO and role-based access?

Byron supports single sign-on and enforces multi-factor authentication and role-based access, so your firm controls who can sign in and who can see which clients and engagements.

What happens to our data if we offboard?

When your engagement ends, Byron returns your data in a standard format and deletes it from our systems under documented retention and disposal procedures, with a certificate of destruction available on request.

How are exports controlled?

Exports follow the same role-based permissions as the rest of the platform, so only authorized users can move data into or out of your tax engine, and export activity is logged for audit.

Need the packet your IT team will ask for?

Request the security packet, send your questionnaire, or talk with us about your firm’s requirements.

Request Security Packet