
What to Look for in Cloud Services for Tax Professionals
The best cloud services for tax professionals are secure, IRS-compliant platforms that allow tax practitioners to prepare returns, manage client data, and run workflows through remote servers while meeting federal security standards. These requirements include IRS Publication 4557, IRS Publication 5293, the FTC Safeguards Rule, and IRS Publication 1075 standards governing Federal Tax Information (FTI).
Selecting the right cloud service requires evaluating security architecture, compliance certifications, data residency guarantees, and vendor stability. Non-compliance exposes firms to IRS sanctions including Electronic Filing Identification Number (EFIN) suspension, FTC penalties up to $46,517 per violation, and data breach costs averaging $4.88 million per incident according to IBM Security's 2024 Cost of a Data Breach Report.
As of the 2026 tax season, the IRS has increased scrutiny of cloud-based tax systems following credential compromise incidents that resulted in fraudulent return filings. Tax professionals must verify that their cloud providers maintain SOC 2 Type II attestations, enforce multi-factor authentication (MFA) across all access points, and provide audit logs sufficient to demonstrate compliance during IRS examinations. For a full overview of your firm's security obligations under federal law, see our IRS Publication 4557 compliance guide.
Understanding Cloud Deployment Models for Tax Practices
The best cloud services for tax professionals span three primary deployment models, each with distinct operational characteristics and security implications. Understanding these models allows tax practitioners to select solutions that balance accessibility, control, and compliance requirements specific to handling Federal Tax Information.
Software as a Service (SaaS) Solutions
Software as a Service (SaaS) solutions provide complete tax preparation applications accessed through web browsers without requiring local software installation. Cloud-native SaaS platforms typically come in two interface styles that determine how preparers interact with the software.
Interview-based interfaces guide preparers through a structured question-and-answer sequence, prompting for each required piece of information in order. This approach reduces the risk of omitting fields and works well for less experienced preparers or straightforward individual returns. Form-based interfaces replicate the visual layout of official IRS tax forms, giving experienced preparers direct access to any field without following a guided workflow. Most enterprise SaaS tax platforms offer both modes, allowing firms to match the interface to each preparer's experience level and the complexity of the return.
SaaS offerings eliminate server maintenance burdens and deliver automatic software updates without disrupting filing workflows. They require careful vendor evaluation, though, to confirm IRS Publication 1075 compliance and data sovereignty guarantees.
Infrastructure as a Service (IaaS) for Desktop Software
Infrastructure as a Service (IaaS) enables firms to host traditional desktop software, such as Intuit ProSeries, CCH ProSystem fx, and Thomson Reuters UltraTax, on virtual servers managed by specialized hosting providers. This model preserves familiar desktop workflows while delivering cloud accessibility through Virtual Desktop Infrastructure (VDI) or Remote Desktop Services (RDS). IaaS solutions appeal to firms with significant investments in existing desktop software licensing and staff training. Leading providers including Rightworks, Ace Cloud Hosting, Summit Hosting, and Verito offer dedicated or shared virtual machines running the full desktop tax application through secure remote connections.
Platform as a Service (PaaS) for Custom Solutions
Platform as a Service (PaaS) environments offer customizable development platforms for firms building proprietary tax solutions or integrating multiple applications into unified workflows. While less common for small and mid-sized practices, PaaS models support enterprise firms requiring custom integrations between tax, accounting, audit, and practice management systems.
Regardless of deployment model, every cloud service handling Federal Tax Information must include contractual data residency guarantees ensuring that information remains within United States boundaries. Offshore storage of FTI violates federal regulations and can trigger immediate suspension of e-filing privileges.
IRS Compliance Requirements for Cloud Services
The IRS imposes stringent requirements on cloud services handling Federal Tax Information under IRS Publication 1075, "Tax Information Security Guidelines for Federal, State and Local Agencies." While primarily directed at government agencies, these standards establish baseline security expectations for all systems processing FTI, including commercial cloud platforms used by tax practitioners. For a detailed breakdown of how the FTC Safeguards Rule overlaps with IRS requirements, see our FTC Safeguards Rule guide for tax preparers.
Cloud providers must implement physical security controls including restricted access to data centers with biometric authentication, 24/7 video surveillance with 90-day retention, visitor escort policies, and environmental controls protecting against fire, flood, and power disruptions. Logical access controls require unique user identification, role-based access restrictions, session timeouts after 30 minutes of inactivity, and thorough audit logging of all access to Federal Tax Information.
Encryption and Network Security Standards
The IRS mandates encryption for FTI both at rest and in transit using FIPS 140-2 validated cryptographic modules. Cloud services must employ AES-256 encryption for stored data and TLS 1.2 or higher for network transmissions. Encryption key management must include documented procedures for key generation, distribution, storage, rotation, and destruction, with cryptographic keys maintained separately from the encrypted data they protect. For a technical primer on how these protections work at the implementation level, see our guide on hashing vs. encryption for tax professionals.
Network security requirements include boundary protection through firewalls and intrusion detection systems, network segmentation isolating FTI from other data, and monitoring of all network traffic accessing tax information. The best cloud services for tax professionals implement defense-in-depth architectures where multiple security layers provide redundant protection.
Major public cloud infrastructure providers, including Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform, offer FedRAMP-certified environments suitable for tax data, though tax-specific applications built on these platforms must independently verify IRS Publication 1075 compliance. FedRAMP authorization alone does not guarantee that a specific application meets all IRS requirements for FTI handling. The IRS also requires that any changes to cloud infrastructure supporting tax operations be reported within 45 days, including modifications to data center locations, security architectures, or service provider ownership. Failure to maintain continuous compliance can result in suspension of e-filing privileges.
Cloud Provider Evaluation Checklist
- Verify SOC 2 Type II attestation report covering security, availability, and confidentiality trust service criteria
- Confirm U.S.-based data residency with contractual guarantees explicitly prohibiting offshore storage of FTI
- Validate IRS Publication 1075 compliance through a completed security questionnaire or third-party assessment
- Ensure AES-256 encryption for data at rest and TLS 1.2 or higher for all data in transit
- Require multi-factor authentication enforcement for all user accounts without exception
- Review incident response procedures and breach notification timelines before signing any contract
- Confirm 99.9% or better uptime SLA with financial remedies for service failures
- Verify automated backup retention of at least 30 days with point-in-time recovery capabilities
- Obtain evidence of annual penetration testing and vulnerability assessments
- Review vendor financial stability, business continuity planning, and key-person dependencies
2026 IRS Infrastructure Reporting Requirement
The IRS requires all changes to cloud infrastructure supporting tax operations, including data center relocations, security architecture changes, and service provider ownership transfers, to be reported within 45 days. Failure to notify the IRS of qualifying changes can result in suspension of e-filing privileges. Review your WISP documentation to confirm all vendor changes are captured and reported promptly.
Essential Security Features in Cloud Services for Tax Professionals
Beyond baseline compliance requirements, the best cloud services for tax professionals incorporate multiple layers of defense-in-depth security controls. The Cybersecurity and Infrastructure Security Agency (CISA) recommends security architectures that address threats at the application, data, network, and identity layers simultaneously, not just at the perimeter.
Encryption Implementation Standards
Encryption forms the foundation of secure cloud services for tax professionals. Both the IRS and FTC require encryption of sensitive data, with specific implementation standards determining actual protection levels. Industry best practices call for AES-256 encryption for data at rest, ideally using hardware security modules (HSMs) or cloud provider key management services with customer-managed encryption keys that give your firm control over the key lifecycle.
All connections should use TLS 1.3 where supported, with TLS 1.2 as the minimum acceptable standard; legacy SSL protocols must be disabled entirely. Application-layer encryption should protect particularly sensitive data elements such as Social Security numbers, bank account numbers, and authentication credentials. Encryption keys must be rotated on defined schedules, typically every 90 to 365 days depending on data sensitivity, and stored and managed independently from the encrypted data they protect.
Multi-Factor Authentication Requirements
Multi-factor authentication (MFA) has moved from optional best practice to a mandatory regulatory control under both IRS Publication 5293 and the FTC Safeguards Rule, which explicitly require MFA for accessing systems containing taxpayer or customer financial information.
Effective MFA combines something you know (password or PIN), something you have (hardware token, mobile authenticator app, or smart card), and optionally something you are (biometric verification such as fingerprint or facial recognition). The best cloud services for tax professionals support phishing-resistant authentication methods such as FIDO2/WebAuthn hardware security keys or certificate-based authentication. These methods cannot be compromised through phishing attacks, unlike SMS-based one-time codes, which remain vulnerable to SIM-swapping attacks. Our guide to phishing attacks explains why SMS codes fall short for high-risk environments.
Conditional access policies should implement risk-based authentication requiring additional verification when unusual access patterns are detected: new device registration, unfamiliar geographic location, off-hours access attempts, or requests from known malicious IP addresses. MFA enforcement must extend to all systems accessing tax data without exception, including primary tax software, document management systems, email platforms, client portals, and administrative interfaces. A single unprotected access point undermines all other controls.
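The risk-based sign-in evaluation described above, as an added example that is not code from any vendor or from the original article. The log format, office hours, user profiles, and the blocklist range (a documentation-only network standing in for a threat feed) are constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, time
from ipaddress import ip_address, ip_network

# Assumed policy inputs (constructed for this example).
OFFICE_HOURS = (time(7, 0), time(19, 0))          # local office time
BLOCKLIST = [ip_network("203.0.113.0/24")]        # stand-in for a threat-intel feed


@dataclass
class Profile:
    known_devices: set = field(default_factory=set)
    usual_countries: set = field(default_factory=set)


# Constructed per-user baselines.
PROFILES = {
    "preparer1": Profile({"laptop-01"}, {"US"}),
    "partner1": Profile({"desk-02"}, {"US"}),
    "admin1": Profile({"desk-03"}, {"US"}),
}

# Constructed sign-in log: timestamp user device country source_ip mfa_method
SAMPLE_LOG = """\
2026-02-10T09:15:00 preparer1 laptop-01 US 198.51.100.10 totp
2026-02-10T23:40:00 preparer1 laptop-01 US 198.51.100.10 totp
2026-02-11T10:05:00 preparer1 phone-77 US 198.51.100.10 fido2
2026-02-11T11:00:00 partner1 desk-02 US 203.0.113.45 totp
2026-02-12T08:30:00 admin1 desk-03 US 198.51.100.20 none
2026-02-12T14:00:00 partner1 desk-02 CA 198.51.100.30 sms
"""


def parse_line(line):
    """Turn one whitespace-separated log line into an event dict."""
    ts, user, device, country, ip, mfa = line.split()
    return {"when": datetime.fromisoformat(ts), "user": user, "device": device,
            "country": country, "ip": ip_address(ip), "mfa": mfa}


def risk_signals(event, profile):
    """Return the unusual-access signals named in the text that apply."""
    signals = []
    if any(event["ip"] in net for net in BLOCKLIST):
        signals.append("malicious_ip")
    if event["device"] not in profile.known_devices:
        signals.append("new_device")
    if event["country"] not in profile.usual_countries:
        signals.append("unfamiliar_location")
    start, end = OFFICE_HOURS
    if not (start <= event["when"].time() < end):
        signals.append("off_hours")
    return signals


def decide(event, profiles=PROFILES):
    """MFA is mandatory; any risk signal forces additional verification."""
    # A user with no baseline gets an empty profile, so every attribute is new.
    profile = profiles.get(event["user"], Profile())
    signals = risk_signals(event, profile)
    if event["mfa"] == "none":
        return "deny", signals + ["no_mfa"]
    if signals:
        return "step_up", signals
    return "allow", signals


def evaluate_log(log, profiles=PROFILES):
    """Evaluate every line and return (user, decision, signals) tuples."""
    results = []
    for line in log.strip().splitlines():
        event = parse_line(line)
        decision, signals = decide(event, profiles)
        results.append((event["user"], decision, signals))
    return results


if __name__ == "__main__":
    for user, decision, signals in evaluate_log(SAMPLE_LOG):
        print(f"{user:10} {decision:8} {', '.join(signals) or '-'}")
```
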
Implementing Cloud Services: Step-by-Step for Tax Practices
Inventory Your Current Systems
Document all software, data flows, and third-party integrations touching taxpayer information before evaluating cloud options.
Evaluate Vendors Against IRS Publication 1075
Request SOC 2 Type II reports, data residency documentation, and completed IRS security questionnaires from shortlisted providers.
Review Contractual Protections
Confirm data processing agreements cover FTI handling, breach notification timelines, and offshore storage prohibitions before signing.
Configure Role-Based Access Controls
Map each staff role to minimum necessary permissions and eliminate shared credentials before migrating any client data.
Enforce Multi-Factor Authentication
Enable MFA on all accounts accessing tax systems, prioritizing phishing-resistant methods such as FIDO2 hardware keys or authenticator apps.
Test Backup and Recovery Procedures
Verify automated backups are running, confirm retention meets the 30-day IRS minimum, and perform a test restore before going live.
Update Your WISP
Document every new cloud service, vendor relationship, and data flow in your Written Information Security Plan to stay IRS-examination-ready.
Desktop Tax Software Hosting Solutions
For firms preferring traditional desktop tax applications, including Intuit ProSeries, CCH Axcess Tax, Drake Tax, and Thomson Reuters UltraTax, specialized hosting providers enable cloud access while maintaining familiar workflows. Leading providers including Rightworks, Ace Cloud Hosting, Summit Hosting, and Verito offer Virtual Desktop Infrastructure (VDI) where each user receives a dedicated or shared virtual machine running the full desktop tax application through a secure remote connection.
These specialized hosting providers offer distinct advantages for tax practices committed to desktop software ecosystems. SOC 2 Type II certified data centers provide physical access controls including biometric authentication, 24/7 video surveillance, environmental monitoring, and redundant infrastructure protecting against power failures and natural disasters. Managed services handle server maintenance, operating system updates, software patching, backup management, and security monitoring, eliminating the need for in-house IT infrastructure and the associated staffing costs.
Application compatibility ensures desktop tax software runs identically to on-premises installations, including support for third-party integrations such as document scanning systems, document management platforms, electronic signature tools, and tax research databases. Hosting providers typically guarantee 99.9% to 99.99% uptime, equivalent to 8.76 to 0.876 hours of annual downtime, backed by service level agreements with financial remedies for failures that exceed these thresholds.
Backup retention is a meaningful differentiator among providers. Ace Cloud Hosting provides 45-day incremental backups with multiple recovery points, exceeding the IRS-recommended 30-day minimum, while Summit Hosting offers customizable backup retention extending to 90 days for firms with enhanced business continuity requirements. Confirming backup retention and recovery point objectives before signing is essential because not all providers meet the IRS baseline by default.
Remote access flexibility enables tax professionals to work from any location using Windows, macOS, Linux, iOS, or Android devices through web browsers or dedicated remote desktop clients. For guidance on securing remote access to tax systems, see our VPN selection guide and our guide for securing remote work environments.
Client Portals, Collaboration Features, and Access Controls
The best cloud services for tax professionals extend beyond internal operations to client-facing capabilities that strengthen service delivery while maintaining IRS and FTC compliance. Secure client portals have become essential differentiators enabling practices to compete effectively against larger firms while eliminating the security risks of exchanging sensitive documents by email. For a detailed breakdown of what to require from a portal solution, see our guide to security of tax client portals.
Modern client portals provide encrypted document exchange that replaces insecure email attachments. Clients upload W-2s, 1099s, mortgage interest statements, and other source documents directly to secure storage. End-to-end encryption protects documents from upload through processing to final deletion, with access controls ensuring only authorized staff and the specific client can view uploaded materials.
E-signature integration enables clients to review and approve tax returns remotely without printing, signing, and scanning documents. Leading platforms integrate with DocuSign, Adobe Sign, or proprietary e-signature solutions meeting IRS requirements for electronic signatures on Forms 8879 (IRS e-file Signature Authorization). This capability accelerates return approval cycles and reduces administrative burden during peak filing season. Secure messaging features provide encrypted communication channels between tax professionals and clients, with audit trails and retention policies that match the security standards applied to the returns themselves. Some platforms offer mobile apps enabling clients to upload documents via smartphone camera and receive status notifications, a differentiator for practices competing for mobile-first clients.
Role-Based Access Control for Tax Firms
Role-Based Access Control (RBAC) ensures users can access only information necessary for their specific job functions. Properly configured RBAC reduces insider threat risks, limits the impact of compromised credentials, and demonstrates compliance with the principle of least privilege required by IRS Publication 1075 and the FTC Safeguards Rule.
Tax preparers typically receive permissions to create and edit returns, access client documents, communicate through secure portals, and e-file completed returns. They cannot delete historical returns, modify system security settings, or access clients outside their assigned caseload. Reviewers and partners receive all preparer rights plus the ability to approve returns before filing and view firm-wide productivity reports, but should not manage user accounts or modify security configurations unless specifically authorized. Administrative staff handle client communication, scheduling, and billing without accessing complete tax returns or modifying tax data. IT administrators manage accounts and security configurations but should not access client tax data unless needed for troubleshooting a specific technical issue, and such access should be logged and time-limited.
The best cloud services for tax professionals provide granular permission controls enabling practices to implement segregation of duties, customize roles beyond standard templates, and maintain audit logs of all access to sensitive data for compliance verification and incident investigation.
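One way to express the role model above as a deny-by-default check with an audit trail, shown as an added example rather than any platform's own code. The permission strings, role keys, the 60-minute default grant window, and treating reviewers as firm-wide are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed permission names; the role contents follow the paragraph above.
PREPARER = {"return:create", "return:edit", "document:read",
            "portal:message", "return:efile"}
ROLE_PERMISSIONS = {
    "preparer": PREPARER,
    "reviewer": PREPARER | {"return:approve", "report:productivity"},
    "admin_staff": {"portal:message", "schedule:manage", "billing:manage"},
    "it_admin": {"user:manage", "security:configure"},
}
# Actions that touch one client's tax data and therefore need a client_id.
CLIENT_DATA = {"return:create", "return:edit", "return:efile",
               "return:approve", "document:read"}


@dataclass(frozen=True)
class User:
    name: str
    role: str
    caseload: frozenset = frozenset()   # client ids assigned to a preparer


class AccessController:
    def __init__(self):
        self.grants = {}      # (admin name, client_id) -> (ticket, expiry)
        self.audit_log = []   # one entry per decision, allowed or denied

    def grant_troubleshooting(self, admin, client_id, ticket, now, minutes=60):
        """Give an IT admin read access to one client for a limited time."""
        if admin.role != "it_admin":
            raise ValueError("troubleshooting grants are for IT admins only")
        expiry = now + timedelta(minutes=minutes)
        self.grants[(admin.name, client_id)] = (ticket, expiry)

    def _decide(self, user, action, client_id, now):
        if action in CLIENT_DATA and client_id is None:
            return False, "client data action without client_id"
        # IT admins see client data only through an unexpired, ticketed grant.
        if user.role == "it_admin" and action == "document:read":
            ticket, expiry = self.grants.get((user.name, client_id), (None, None))
            if ticket and now < expiry:
                return True, f"time-limited troubleshooting grant {ticket}"
            return False, "no active troubleshooting grant"
        # Deny by default: unknown roles and unlisted actions get nothing.
        if action not in ROLE_PERMISSIONS.get(user.role, set()):
            return False, "action not granted to role"
        if (user.role == "preparer" and action in CLIENT_DATA
                and client_id not in user.caseload):
            return False, "client outside assigned caseload"
        return True, "granted by role"

    def check(self, user, action, client_id=None, now=None):
        """Return True or False and record the decision in the audit log."""
        now = now or datetime.now()
        allowed, reason = self._decide(user, action, client_id, now)
        self.audit_log.append({
            "time": now.isoformat(), "user": user.name, "role": user.role,
            "action": action, "client": client_id,
            "allowed": allowed, "reason": reason,
        })
        return allowed


if __name__ == "__main__":
    ac = AccessController()
    now = datetime(2026, 3, 1, 10, 0)
    alice = User("alice", "preparer", frozenset({"C100"}))   # constructed user
    ian = User("ian", "it_admin")                            # constructed user
    ac.check(alice, "return:edit", "C100", now)
    ac.check(alice, "return:edit", "C200", now)
    ac.check(ian, "document:read", "C100", now)
    ac.grant_troubleshooting(ian, "C100", "TICKET-EXAMPLE", now, minutes=30)
    ac.check(ian, "document:read", "C100", now + timedelta(minutes=5))
    for entry in ac.audit_log:
        print(entry)
```

Denied requests are logged alongside allowed ones, which is what makes the log usable for the quarterly permission reviews and incident investigation the section calls for.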
Bottom Line
A single compromised account with over-provisioned access can expose every client record in your firm. Configure role-based access controls to grant minimum necessary permissions by role, log all access to tax data, and review user permissions quarterly or immediately following any staff change.
Incident Response, WISP Integration, and Financial Benefits
Despite thorough security measures, cloud environments may experience security incidents requiring rapid, coordinated response. A documented incident response plan specific to your cloud environment ensures your practice can detect, contain, investigate, and recover from security events while maintaining IRS and FTC compliance obligations. For detailed guidance on building your incident response capabilities, see our incident response planning guide for tax practices.
Your cloud-specific incident response plan must address detection and alerting mechanisms including cloud provider security notifications, automated monitoring alerts, and staff reporting procedures for suspicious activity. Immediate containment procedures must cover revoking compromised credentials, isolating affected systems, disabling compromised user accounts, and implementing temporary access restrictions to prevent lateral movement through your environment. Data breach notification requirements vary by state, typically 30 to 90 days, and must also include IRS notification procedures for Federal Tax Information breaches, FTC reporting obligations under the Safeguards Rule, and state attorney general notifications where required.
Documenting Cloud Services in Your WISP
Every cloud service your practice uses must be documented in your Written Information Security Plan (WISP). The IRS requires that your WISP reflect your actual operating environment, including all cloud platforms, hosting providers, client portals, and third-party integrations. A WISP that describes only on-premises infrastructure when your firm actually operates in the cloud creates a compliance gap that can surface during an IRS examination or FTC investigation.
Your WISP cloud services section should document the name and function of each cloud service, the vendor's security certifications and compliance posture, data flows showing what information enters and exits each platform, your firm's contractual data processing agreements with each vendor, and the staff member responsible for each vendor relationship. The WISP must also describe how your firm monitors vendor compliance over time, not just at initial onboarding. Annual vendor reviews, examination of current SOC 2 Type II reports, and documentation of any vendor-reported security incidents demonstrate the ongoing due diligence the IRS and FTC expect to see.
The Financial Case for Cloud Adoption
The financial case for cloud-based tax services extends well beyond compliance. Firms moving from on-premises infrastructure to hosted desktop solutions typically eliminate capital expenditures for servers, backup hardware, and on-site IT support, converting unpredictable capital costs into predictable per-user monthly fees that scale with the size of the practice. For firms with seasonal staffing patterns, cloud services scale up during peak season and back down during slower months, avoiding the cost of provisioning hardware for temporary staff.
The risk calculus matters too. A single data breach dwarfs the annual subscription cost of even the most full-featured cloud tax platform. Cloud services with built-in security controls, automated patching, and managed monitoring reduce the probability of a breach event while also reducing the internal staff time required to maintain security posture. Practices that previously employed part-time IT contractors to manage on-premises servers often find that managed cloud hosting delivers superior security outcomes at comparable or lower annual cost. Automated error detection, missing-information alerts, and real-time calculation validation also reduce the likelihood of filing errors that trigger IRS correspondence, amended return requirements, or preparer penalties under IRC Section 6694.
What This Means for Your Practice
Cloud services for tax professionals are not just a technology choice; they are a compliance decision. Every platform your firm uses to store, process, or transmit client tax data must be evaluated against IRS Publication 1075 and FTC Safeguards Rule requirements, documented in your WISP, and reviewed annually. Treating cloud vendor selection as a routine IT purchase rather than a compliance obligation creates the greatest exposure during IRS examinations and FTC investigations.
Frequently Asked Questions
The best cloud services for tax professionals combine IRS Publication 1075 compliance, SOC 2 Type II certification, U.S.-based data residency, AES-256 encryption, and enforced multi-factor authentication. For SaaS solutions, cloud-native tax preparation platforms from major vendors provide browser-based access with automatic updates. For desktop software hosting, providers such as Rightworks, Ace Cloud Hosting, Summit Hosting, and Verito offer IRS-compliant virtual desktop environments running Intuit ProSeries, CCH Axcess Tax, Drake Tax, and Thomson Reuters UltraTax. The best option for your firm depends on your software preferences, staff size, and compliance requirements.
SOC 2 Type II attestation is the minimum security baseline for cloud services handling taxpayer data. A SOC 2 Type II report, issued by an independent auditor, demonstrates that a provider's security controls have been tested and found effective over a period of time, typically six to twelve months. This is a key indicator of whether a provider's security posture is real and sustained rather than just documented on paper. Always request the most recent SOC 2 Type II report and review it before signing any contract.
IRS Publication 1075 sets out the security requirements for systems handling Federal Tax Information (FTI). While the document is primarily directed at government agencies, the standards it establishes define the security baseline the IRS expects for all systems processing tax data, including commercial cloud platforms used by private tax practitioners. Key requirements include AES-256 encryption, FIPS 140-2 validated cryptographic modules, 30-minute session timeouts, and 90-day video surveillance retention at data centers hosting FTI.
Yes. Specialized hosting providers including Rightworks, Ace Cloud Hosting, Summit Hosting, and Verito offer Virtual Desktop Infrastructure (VDI) environments that run desktop tax software in the cloud. Users access these virtual desktops through secure remote connections from any device. This approach preserves familiar software workflows while delivering cloud accessibility, managed security, and SOC 2 Type II certified infrastructure without requiring firms to replace their existing desktop software licenses.
Interview-based interfaces guide preparers through a structured question-and-answer sequence covering all required information in a logical order. This works well for less experienced preparers and straightforward returns because it reduces the risk of missing required fields. Form-based interfaces replicate the visual layout of actual IRS tax forms, allowing experienced preparers to navigate directly to any field without following a guided workflow. Most enterprise SaaS platforms offer both modes, enabling firms to match the interface to each preparer's experience level and return complexity.
IRS Publication 5293 and the FTC Safeguards Rule require multi-factor authentication for all systems accessing taxpayer information. Acceptable methods include mobile authenticator apps (such as Google Authenticator or Microsoft Authenticator), FIDO2/WebAuthn hardware security keys, smart card or certificate-based authentication, and biometric verification combined with a second factor. SMS-based one-time codes are technically compliant but are considered weaker because they are vulnerable to SIM-swapping attacks. Phishing-resistant methods such as FIDO2 hardware keys provide the strongest protection and are increasingly required by security-conscious cloud providers.
A confirmed data breach involving taxpayer information can result in suspension of your Electronic Filing Identification Number (EFIN) by the IRS, which prevents your firm from e-filing any returns. Beyond EFIN suspension, breaches can trigger FTC enforcement under the Safeguards Rule with penalties up to $46,517 per violation, state attorney general investigations, client lawsuits, and professional liability claims. The IRS requires affected firms to notify the agency and cooperate fully with any investigation. Maintaining a documented incident response plan and a current WISP reduces both your exposure and your response time if a breach occurs.
Your Written Information Security Plan should document every cloud service your firm uses to store, process, or transmit taxpayer data. For each service, document the vendor's security certifications and compliance posture, data flows showing what information enters and exits the platform, your contractual data processing agreements with the vendor, the staff member responsible for the vendor relationship, and your procedures for monitoring vendor compliance over time. The IRS expects your WISP to reflect your actual operating environment. A plan describing only on-premises infrastructure when your firm operates in the cloud creates a compliance gap. Our free 2026 WISP template includes dedicated sections for documenting cloud services and vendor relationships.
Per-user monthly costs for cloud-hosted desktop tax software typically range from $40 to $120 per user per month depending on the provider, software licenses included, storage allocation, and service level. SaaS tax platforms vary widely, from entry-level products priced per return to enterprise subscriptions priced per preparer seat. When evaluating total cost, compare against the full cost of maintaining on-premises infrastructure: server hardware, backup hardware, IT support, and software maintenance. Most mid-sized practices find that managed cloud hosting delivers equal or better security outcomes at comparable or lower all-in annual cost.
A well-designed WISP template provides a starting framework that meets the structural requirements of IRS Publication 4557 and the FTC Safeguards Rule, but it must be customized to reflect your firm's actual systems, software, personnel, and cloud services. A generic template used without customization is unlikely to satisfy an IRS examiner because it will not accurately describe your specific operating environment. Our free 2026 WISP template is built around IRS Publication 4557 requirements and includes dedicated sections for documenting cloud services, vendor relationships, and incident response procedures.



