Secure Financial Data & Tax Compliance

v20260423

fondo-security-basics

This skill provides comprehensive best practices for securing highly sensitive financial and tax data processed by SaaS platforms, such as handling SSNs, EINs, and bank details. It covers critical security mechanisms including API key lifecycle management, webhook signature verification (HMAC), robust input validation (Zod), and PII redaction to ensure compliance with standards like SOC 2 and industry best practices.

Security Finance Compliance PII OAuth Tax API SOC2

Get Skill

409 downloads

Overview

Fondo Security Basics

Overview

Fondo handles startup tax preparation, bookkeeping, and R&D tax credits containing SSNs, EINs, bank account details, revenue figures, and complete tax returns. A breach exposes founder personal tax data, company financials, and IRS filing details. Protect OAuth connections to banking/payroll systems, exported financial documents, and team access controls with the same rigor as a CPA firm.

API Key Management

function createFondoClient(): { apiKey: string; baseUrl: string } {
  const apiKey = process.env.FONDO_API_KEY;
  if (!apiKey) {
    throw new Error("Missing FONDO_API_KEY — store in secrets manager, never in code");
  }
  // Fondo keys access tax returns and SSN/EIN data — treat as highest sensitivity
  console.log("Fondo client initialized (key suffix:", apiKey.slice(-4), ")");
  return { apiKey, baseUrl: "https://api.fondo.com/v1" };
}

Webhook Signature Verification

import crypto from "crypto";
import { Request, Response, NextFunction } from "express";

function verifyFondoWebhook(req: Request, res: Response, next: NextFunction): void {
  const signature = req.headers["x-fondo-signature"] as string;
  const secret = process.env.FONDO_WEBHOOK_SECRET!;
  const expected = crypto.createHmac("sha256", secret).update(req.body).digest("hex");
  if (!signature || !crypto.timingSafeEqual(Buffer.from(signature), Buffer.from(expected))) {
    res.status(401).send("Invalid signature");
    return;
  }
  next();
}

Input Validation

import { z } from "zod";

const TaxFilingSchema = z.object({
  entity_id: z.string().uuid(),
  tax_year: z.number().int().min(2015).max(2030),
  filing_type: z.enum(["1120", "1120S", "1065", "941", "R&D_credit"]),
  ein: z.string().regex(/^\d{2}-\d{7}$/),
  revenue: z.number().nonnegative(),
  status: z.enum(["draft", "review", "filed", "amended"]),
});

function validateTaxFiling(data: unknown) {
  return TaxFilingSchema.parse(data);
}

Data Protection

const FONDO_PII_FIELDS = ["ssn", "ein", "bank_account", "routing_number", "tax_return_url", "revenue", "salary"];

function redactFondoLog(record: Record<string, unknown>): Record<string, unknown> {
  const redacted = { ...record };
  for (const field of FONDO_PII_FIELDS) {
    if (field in redacted) redacted[field] = "[REDACTED]";
  }
  return redacted;
}

Security Checklist

API keys stored in secrets manager, never in code
OAuth connections (Gusto, QuickBooks, Plaid, Stripe) reviewed quarterly
Financial exports never committed to git (.gitignore enforced)
SSN and EIN values never logged in plaintext
Team roles follow least-privilege (Owner/Admin/Viewer/CPA)
Two-factor authentication enabled on Fondo account
Exported tax documents encrypted with GPG before storage
Bank connections use Plaid (encrypted, not screen-scraping)

Error Handling

Vulnerability	Risk	Mitigation
Leaked API key	Full access to tax returns and SSN/EIN data	Secrets manager + rotation
Unencrypted financial exports	Tax data exposed via CSV on disk	GPG encryption + secure deletion
Stale OAuth tokens	Compromised banking/payroll connections	Quarterly OAuth review + revocation
Overly broad team access	Viewer sees SSN/salary data	Role-based access control enforcement
Tax data in application logs	IRS compliance violation	Field-level PII redaction

Resources

Next Steps

See fondo-prod-checklist.

Info

Category Development

Name fondo-security-basics

Version v20260423

Size 4.02KB

Source jeremylongshore/claude-code-plugins-plus-skills

Updated At 2026-04-28