Data Security and Compliance

Safeguarding our clients’ data is our top priority!

The ACAwise team has implemented standard security protocols and mechanisms to ensure the security of our clients data at every stage of the ACA reporting process.

Here is an overview of the data security standards and measures set in place by ACAwise.


  • HIPAA Compliance
    • The Health Insurance Portability and Accountability Act (HIPAA) is a federal law in the United States that establishes rules for safeguarding Protected Health Information (PHI).
    • PHI encompasses any data that can be employed to recognize a patient or their health status, therefore, it is extremely sensitive information demanding comprehensive security measures for protection.
    • In its role as a provider of services handling PHI, ACAwise has executed all the necessary security measures to comply with HIPAA regulations. These measures encompass technical, physical, and administrative safeguards to assure the confidentiality, integrity, and accessibility of PHI.
  • SOC 2 Compliance
    • SOC 2 certification is a security benchmark for service organizations created by the American Institute of CPAs (AICPA). It mandates that companies establish and uphold a series of controls and procedures to guarantee the security, reliability, and accessibility of client data.
    • These controls encompass policies and procedures connected to security, accessibility, processing integrity, confidentiality, and privacy. SOC 2 audits assess if a company's systems and processes meet these criteria.
    • As a SOC 2 certified e-file provider, ACAwise is subject to routine audits to confirm that its systems and procedures adhere to the SOC 2 standards to safeguard client data and privacy across all operational facets.
  • CCPA Compliance
    • The California Consumer Privacy Act (CCPA) is a privacy statute that bestows specific rights on California residents concerning their Personal Information (PI).
    • PI encompasses any information that identifies, relates to, characterizes, or can be linked to a particular individual or household.
    • As a provider of services dealing with PI for California residents, ACAwise adheres to all CCPA regulations. This signifies that ACAwise provides California residents the right to be informed about the collection of their PI, the right to access their PI, the right to have their PI erased, and the right to opt out of the sale of their PI.
  • PCI DSS Compliance
    • The Payment Card Industry Data Security Standard (PCI DSS) is a collection of policies and procedures designed to assure secure transactions involving credit, debit, and cash card payments while eliminating the chances of improper utilization of cardholder personal information.
    • All the payment processing tools utilized by ACAwise comply with PCI requirements for the encryption and secure transmission of credit card data.

Data Protection

  • 2FA- Authentication

    ACAwise clients have the option to enable Two-Factor Authentication (2FA) via email and phone for added account security.

  • Firewall

    We've set up a Firewall for our application to filter incoming traffic, check for suspicious patterns, and ensure only authorized access.

  • Antivirus

    Our system is protected by antivirus software that continuously monitors device behavior, files, and applications, identifying anomalies and thwarting potential threats.

  • PII Data Security

    We strictly adhere to standard regulations for safeguarding clients' personal information like Social Security numbers, email addresses, and phone numbers.

  • Encryption - Data-at-Rest, Data-in-Transit & Data-in-Use

    We encrypt client data in our database (data-at-rest) and during transmission (data-in-transit) between networks or devices. We also use SSL and TLS protocols for data being accessed (data-in-use).

  • Database Management

    Access to production databases is limited to those who need it. We perform data fragmentation and regular backups to prevent unprecedented security incidents.

  • Defense-In-Depth Security

    We employ layered security mechanisms and controls for comprehensive security, i.e., Defense-in-Depth architecture.

  • Oracle Cloud Infrastructure Security

    Our database is maintained through Oracle Cloud Infrastructure Security, and our servers are protected by Compute Security.

  • Data Loss Prevention

    We use standard Data Loss Prevention (DLP) practices to prevent sensitive data loss and data exfiltration.

Network Security

  • Secure Remote Access - VPN

    Access to our servers and tools is restricted to authorized ACAwise personnel connected via a secure VPN network. Only authorized IP addresses can access our network.

  • Wireless Security

    Access to our system has been restricted for unauthorized wireless networks to protect data confidentiality.

  • Internet URL Filtering

    In order to prevent the entry of any security threats into our system, we restrict access to websites that contain potentially malicious content (Eg: Phishing Pages) through our network.

Preventive Measures

  • Secure Software Development - DevSecOps

    With the implementation of DevOps Methodology for Testing and deploying, we ensure secure software development throughout the development cycle.

  • Threat Modeling

    We develop strategies to counter security threats and identify vulnerabilities right at the development of our application.

  • Incident Management

    We have standard procedures in place for countering any unprecedented and unexpected security incidents.

  • Change Management

    We carefully plan, test, and validate changes to avoid risks to data. This helps us to ensure that every change we introduce is free from the risks of data loss.

Security Standards

  • Security Policies

    Our policies have multiple measures and guidelines that cover access controls, encryption, audits, and vulnerability assessments.

  • Security Awareness Training

    Our team is well-informed about data security and keeps up with new security technologies, strengthening our collective defense and reinforcing our commitment to data security.

  • Escalation Matrix

    We have a clear procedure for handling security incidents at different levels of escalation.

Security Evaluation

  • Penetration Testing

    We conduct penetration tests following OWASP standards to identify and address web application vulnerabilities.

  • Monitoring and Response

    We monitor and scan our network and applications for security threats and respond proactively if there is any sort of threat identified.

  • Windows/Server Hardening

    We implement server hardening processes to secure our servers against potential attacks.