// Trust & Security Report

    TPS Unlimited, Inc. (d/b/a TaxJar, a Stripe company) logo

    TPS Unlimited, Inc. (d/b/a TaxJar, a Stripe company)

    Cloud-based sales tax compliance platform covering real-time tax calculation, nexus tracking, AutoFile filing/remittance, reporting, and a REST API; sold to small/mid-market e-commerce and SaaS sellers and integrated into Amazon, Shopify, WooCommerce, and Stripe Tax. Acquired by Stripe in 2021; the underlying legal entity remains TPS Unlimited, Inc.

    Certifications held

    3

    Maturity

    Growth

    Trains on your data

    No

    Trust center

    No

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    SOC 2 Type II
    HELD

    TaxJar recently underwent a rigorous, voluntary year-long SOC 2, Type 2 audit completed by the independent CPA firm Shellman & Company.

    Verify on taxjar.com
    SOC 2 Type I
    HELD

    Point-in-time SOC 2 Type 1 audit completed February 2020, preceding the year-long Type 2 evaluation.

    Verify on taxjar.com
    GDPR
    HELD

    "GDPR Compliant" badge is displayed in the Compliance/privacy certifications & regulations section of the security page; the Privacy Policy separately commits to EU Standard Contractual Clauses for cross-border transfers covering EEA, UK, and Swiss residents.

    Verify on taxjar.com
    > Show 6 unconfirmed / not-held certifications
    ISO 27001
    NOT CONFIRMED

    No public evidence of ISO 27001 certification; not listed among the certification badges on TaxJar's own security page (which shows only SOC 2, GDPR, and a Cloud Security Alliance badge).

    source: taxjar.com
    HIPAA
    NOT CONFIRMED

    No mention of HIPAA or Business Associate Agreements anywhere on the vendor's security or privacy pages; product handles transaction/tax data, not protected health information, so HIPAA is out of scope.

    source: taxjar.com
    PCI DSS
    NOT CONFIRMED

    No public evidence of PCI DSS certification on vendor-owned pages. TaxJar calculates/files sales tax and does not itself process cardholder payment data (that is handled by the seller's payment processor, e.g. Stripe).

    source: taxjar.com
    CSA STAR
    NOT CONFIRMED

    The security page displays a "Cloud Security Alliance" badge, but this is not labeled as a CSA STAR certification level (Level 1/2/3) and TaxJar was not found in the public CSA STAR Registry search; treated as an unverified/ambiguous claim rather than a confirmed cert.

    source: taxjar.com
    ISO/IEC 42001 (AI Governance)
    NOT CONFIRMED

    No public evidence of AI governance certification on any vendor-owned page.

    source: taxjar.com
    FedRAMP
    NOT CONFIRMED

    No public evidence of FedRAMP authorization on vendor-owned pages.

    source: taxjar.com

    // Privacy & AI training

    Trains on customer data

    No

    Data processing agreement

    Offered

    Data region

    United States (Privacy Policy states services are 'hosted in the United States,' with possible processing in other countries where TaxJar or its service providers do business)

    The Privacy Policy contains no statement about using customer data to train AI or machine learning models. TaxJar's product markets 'AI-driven categorization' as a feature, but no vendor-owned page describes training generative/ML models on customer tax data, and none discloses an opt-out because no training claim exists to opt out of. Treated as no evidence of training rather than a confirmed no, since no explicit AI-data-use policy page was found.

    // Security controls

    Encryption in transit and at rest

    AES256 encryption at rest, TLS in transit, SHA2 signatures

    taxjar.com

    Access control

    Least-privilege principle; permission sets reflect job roles

    taxjar.com

    Monitoring

    Cloud SIEM integrated with AWS security analytics for log/alert aggregation

    taxjar.com

    Vulnerability management

    External network vulnerability scans, DAST/SAST web application scans, annual penetration testing

    taxjar.com

    Incident response

    Documented Incident Response & Breach Notification Process covering identification, triage, monitoring, and remediation

    taxjar.com

    Uptime

    Vendor claims 99.999% historical uptime for transaction tax calculation

    taxjar.com

    // Products & data scope

    TaxJar Sales Tax Compliance Platform (calculations, filing, reporting)Core SaaS product, self-serve and mid-market

    data: E-commerce order/transaction data, product categorization, buyer location data (city/province/country minimum for non-US calculations)

    Primary product; covered by the SOC 2 Type II audit and the GDPR/security posture described above.

    Sales Tax APIDeveloper API

    data: Per-transaction data submitted via API call for real-time rate/tax calculation

    Same infrastructure and compliance posture as the core platform per TaxJar's security page; no separate certification scope was found.

    TaxJar & Stripe Tax integrationEmbedded / platform integration

    data: Transaction data shared between Stripe Tax and TaxJar for joint customers

    TaxJar operates as a Stripe company; the Privacy Policy has a dedicated 'TaxJar & Stripe Tax' section, but TaxJar's own compliance certifications (not Stripe's) are what is graded here. Do not conflate TaxJar's SOC 2 with Stripe's separately-audited PCI DSS Level 1 status, which applies to Stripe's payment processing, not to TaxJar's tax platform.

    // What to watch

    • No dedicated third-party trust-center portal (e.g. Vanta/Drata/SafeBase) was found; compliance info lives on a standard marketing 'Security' page rather than a live, continuously-updated trust center, so has_trust_center is set to false.
    • The 'Cloud Security Alliance' badge on the security page is ambiguous: it is not labeled as a specific CSA STAR certification level and TaxJar could not be confirmed in the public CSA STAR Registry; do not upgrade this to a held=true CSA STAR cert without direct registry confirmation.
    • TaxJar is a Stripe-owned subsidiary (legal entity TPS Unlimited, Inc.); Stripe's own extensive certifications (e.g. PCI DSS Level 1) are NOT TaxJar's certifications and were correctly excluded from this assessment to avoid host/parent-vendor conflation.
    • AI-training posture is inferred from absence of any training disclosure, not from an explicit no-training statement; if AIFOXX needs a hard guarantee, this should be confirmed directly with TaxJar sales/security contact before publishing a firm claim.

    // At a glance

    Pricing model

    Subscription tiers (free 30-day trial, paid plans by transaction volume) plus AutoFile add-on per state

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on TPS Unlimited, Inc. (d/b/a TaxJar, a Stripe company)'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-07-09. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    taxjar.com

    > Browse all vendor trust reports