Your Data Security is Our Priority

dTax is built with security at every layer. Here's how we protect your data and why you can trust our platform.

Data Handling

dTax only collects the transaction records you explicitly provide — via CSV upload or read-only API sync. We NEVER collect private keys, wallet seed phrases, or withdrawal credentials. We cannot move, spend, or access your funds in any way.

Encryption

Exchange API keys are encrypted at rest using AES encryption with a dedicated ENCRYPTION_KEY. User passwords are hashed with bcrypt (12 rounds) — we never store plaintext passwords. All authentication uses stateless JWT tokens, minimizing server-side session attack surface.

Architecture

Exchange connections use CCXT in read-only mode — no withdrawal or trading permissions are requested or supported. User data is isolated at the database level with row-level security principles, ensuring one user can never access another's data.

Self-Hosting

Don't trust anyone with your financial data? Self-host dTax with Docker and keep everything on your own server. The core tax engine is AGPL-3.0 open source — you can inspect every line of code that touches your data.

Authentication

JWT tokens with refresh rotation ensure secure, stateless authentication. Rate limiting protects against brute-force attacks: 100 requests/min globally, 10/min for login, 5/min for registration. Role-based access control separates user and admin privileges.
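As an added example (not dTax's own code), a sliding-window limiter that enforces the three limits quoted above and refuses a request as soon as any applicable tier is full. The route paths, the per-client keying and the function names are assumptions.

```javascript
// Added example, not dTax code. Limits are the page's; routes and keying are assumptions.
const WINDOW_MS = 60_000;
const TIERS = [
  { name: "login", limit: 10, applies: (path) => path === "/auth/login" },       // hypothetical route
  { name: "register", limit: 5, applies: (path) => path === "/auth/register" },  // hypothetical route
  { name: "global", limit: 100, applies: () => true },
];

// `now` is injectable so the window can be tested without waiting a minute.
function createLimiter(now = Date.now) {
  const hits = new Map(); // "tier|client" -> timestamps of accepted requests

  return function check(clientKey, path) {
    const t = now();
    const tiers = TIERS.filter((tier) => tier.applies(path));

    // Pass 1: drop expired timestamps and refuse if any applicable tier is full.
    for (const tier of tiers) {
      const key = `${tier.name}|${clientKey}`;
      const recent = (hits.get(key) || []).filter((ts) => t - ts < WINDOW_MS);
      hits.set(key, recent);
      if (recent.length >= tier.limit) {
        const retryAfterSec = Math.ceil((recent[0] + WINDOW_MS - t) / 1000);
        return { allowed: false, tier: tier.name, retryAfterSec };
      }
    }

    // Pass 2: record the request against every tier only once all of them accept it.
    for (const tier of tiers) hits.get(`${tier.name}|${clientKey}`).push(t);
    return { allowed: true };
  };
}

// Constructed demo: 12 login attempts from one address within the same minute.
const demo = createLimiter();
const results = Array.from({ length: 12 }, () => demo("203.0.113.7", "/auth/login"));
console.log(results.filter((r) => r.allowed).length, "allowed;", results[11]);
```

The counters live in process memory, so a deployment with several API instances would need a shared store for the limits to hold across them.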

Open Source Transparency

dTax's tax engine is fully open source on GitHub. Every calculation, every parser, every algorithm is community-auditable. There is no hidden data collection, no telemetry, no analytics cookies. What you see in the code is what runs.

Security Best Practices

dTax follows OWASP Top 10 security guidelines. All user input is validated with Zod schemas. SQL injection is prevented by using Prisma ORM with parameterized queries — no raw SQL. API responses never leak internal error details in production.

Questions about security?

Open an Issue on GitHub