Security and Privacy Procedures

Posted Wednesday, April 24, 2024

Your security and privacy are very important to everyone at WCG. We want to outline the various policies and procedures which are implemented to protect your confidential information.

Building Security

Our Colorado Springs office building is a single-tenant structure and is locked after hours. All guests and clients who arrive at our office must check in with one of our Client Support team members. During tax season, it is common to have 30 to 35 employees throughout our 6,500 square feet of office space.

Our Mitchell, Laramie and Ahmedabad office buildings are multi-tenant structures, and our suites are locked during (and outside of) business hours. Our Ahmedabad office also has a biometric scanner for additional screening.

All employees are continuously aware of their surroundings and challenge anyone who is not escorted or recognized.

Employee Mandates

We require all employees to be aware of security and privacy, and to sign a Non-Disclosure Agreement. All new employees are screened with a background check through Checkr, and we also conduct credit and financial screening periodically for employees with access to sensitive client financial information. Since WCG employees have various levels of access to client banking information, credit and financial background checks are an important part of our security process.

Remote Work Arrangement

Our in-office employees work remotely 2 to 3 days per week, and about 2/3 of our team works remotely full-time. We have policies about client privacy and confidentiality that extend to remote work. For example, all remote employees must have a space with a door to allow for safe and private client conversations, whether on the telephone or by video conference. We also do not allow anyone other than the employee to use the remote computer.

Speakerphone

All employees are equipped with cordless headsets that allow them to keep working with two hands while on hold or speaking with a client. Speakerphone is strongly discouraged for the sake of both efficiency and privacy. If speakerphone is used, we will always announce that you are on speakerphone and name the listening participants.

Meeting and Call Recordings

To make sure nothing gets missed, we record our video meetings and phone calls with clients. We use these recordings to generate accurate recap and summary emails, to capture action items and decisions, and to add the relevant details to your client record so our team always has the full context of our conversations.

We always ask if it is okay to record before we begin. If you would prefer that a conversation not be recorded, just say so, and we will respect that without any issue.

Your recordings and transcripts are treated with the same care as every other part of your client record. They are stored securely within our systems and are never emailed or shared directly with you or anyone else. When we follow up after a meeting, we send a written recap drawn from the conversation, not the raw recording or transcript itself.

Printers

WCG is generally a paperless work environment. Workflow management and document interaction are primarily electronic. Each workstation is equipped with three monitors to allow for efficient use of electronic documents.

While uncommon, at times certain documents, including tax returns, are printed. Printers are routinely monitored by the Tax Support team, and all employees are required to retrieve printouts immediately after printing. On our Closing Checklist, the last Tax Support or Client Support team member of the day must shred all printouts.

Printing is not allowed outside WCG offices and is controlled by our IT vendor.

Shredding

Locked shred depositories are located next to the printer-copiers and throughout the offices. A bonded shredding company periodically arrives to shred the documents on-site.

File Servers

Our hosted environment is backed up multiple times daily with revisionary control and deep cold storage retention, managed within the Rightworks secure cloud platform. Rightworks specializes in serving accounting firms and maintains enterprise-grade backup, redundancy, disaster-recovery, and security controls.

Data Hosting and Off-Shoring Protection

WCG has established WCG Global Services Pvt Ltd, our own wholly-owned subsidiary in India, to assist us with tax return preparation, tax planning and accounting services. Building our own offshore team, rather than contracting with a third party, gives us direct control over hiring, training, security, and quality. Most importantly, it allows us to chart a clear career trajectory for our team members, which improves retention and ultimately increases data security in general.

We also realize that identity protection and security are top of mind for everyone. WCG follows (and goes beyond) the accounting industry’s best practices, including IRS compliance directives, to safeguard your data. Fortunately, there are excellent resources and guidelines from the hundreds of CPA firms that have done this before us.

Specifically, WCG has data concentration in four areas: Tax Software, Client Documents, Workflow, and Electronic Tax Binders.

Our Tax Software is hosted by Rightworks, a managed cloud provider that specializes in serving accounting firms and that maintains enterprise-grade security and compliance controls. Our client document management system is hosted directly by Citrix ShareFile. Our Workflow is hosted by CanopyTax, which started as a tax resolution business. Our Tax Binders are hosted by SurePrep, a best-in-class company recently acquired by Thomson Reuters.

Access to hosted systems is controlled through role-based permissions, security groups, unique credentials, and multi-factor authentication. Where appropriate, we segregate access between offshore and stateside teams.

Local Computers

Client source documents, tax files, and other high-security client records are maintained in WCG-approved systems and are not intentionally stored on local laptops, portable external drives, or other unmanaged devices. Email may be accessible on encrypted, managed laptops and mobile devices, but those devices are protected through WCG’s security policies and endpoint controls.

Each WCG-managed device is encrypted, and our IT vendor provides Endpoint Detection and Response (EDR), which is advanced security software designed to continuously monitor computers, servers, and mobile devices. Unlike traditional antivirus software, which primarily blocks known malware, EDR uses behavioral analytics to track device activity, flag suspicious behavior, and respond to potential threats.

Artificial Intelligence (AI) Tools

Like the rest of the profession, WCG uses artificial intelligence (AI) tools to work smarter and deliver more value to you. We believe in being transparent about this rather than hiding it. Here is how we use AI, and how we protect you when we do.

  • Where we use AI. We use AI tools in three ways: to help prepare tax returns, to analyze completed tax returns (including generating plain-language explanations of your return), and to support tax planning and strategy. In every case, a qualified WCG tax professional directs the work and reviews the output. AI assists our team; it does not replace the professional judgment, review, and responsibility you are paying us for, and it does not make final decisions about your tax return.
  • Who we use. We use established, professional-grade AI providers under written agreements that include confidentiality, security, data-use, and model-training restrictions. These providers maintain strong security controls, encrypt data in transit and at rest, and are contractually prohibited from using your information to train their AI models. We evaluate each provider’s data processing terms, security practices, and processing location before client tax information is used with that provider.
  • What we protect. When we use AI tools to analyze a completed tax return or to support tax planning, we mask or remove the most sensitive identifying information, specifically Social Security numbers, dates of birth, driver’s license or state ID numbers, and bank account and routing numbers, before that information is provided to an AI tool. Other tax return information, such as your name, address, and the financial details on your return, may be processed by these tools so that they can do useful work.
  • Tax return preparation. When AI tools are used to help prepare your tax return itself, the full return information is required to produce an accurate filing, so the masking described above does not apply to that preparation step. These tools operate as our contracted service providers under the same federal confidentiality rules (Internal Revenue Code sections 7216 and 6713) that govern everyone who handles your return.
  • Your consent and your choice. Where federal law requires your consent for us to use or disclose your information, we ask for it directly and plainly, and you are always free to decline. If declining affects a specific workflow, vendor, offshore staffing option, or timing, we will explain the practical impact and offer available alternatives.
  • Initial quote materials. If you submit tax documents to us for an initial quote, those documents are reviewed as submitted and are not masked because quoting materials arrive in many formats we do not control. Before the upload window opens, our intake form asks for your permission to review the uploaded materials using the tools and workflows described there. If you would prefer that we review your quote materials without AI tools, you may choose that option or contact us before uploading.

Consent Versus Disclosure: How We Handle Your Permission

We believe in being loud and proud about how we work. We do not hide our use of offshore team members or technology behind fine print, and we do not play hide-the-ball. Federal law, including Internal Revenue Code section 7216 and related Treasury Regulations, restricts how tax return preparers may use or disclose tax return information. In some situations, your affirmative consent is required before we proceed. In others, the rules allow the work under a recognized exception, but we still disclose it plainly because transparency matters to us.

  • Where we ask for your consent. In these situations, federal law requires your knowing, voluntary permission before we proceed, and we ask for it directly and plainly. You are always free to decline, and declining never affects our willingness or ability to prepare and file your tax return.
      • Disclosure to our India team. When WCG discloses tax return information to WCG Global Services Pvt Ltd in India for tax return preparation or related services, federal law generally requires your consent before that disclosure. We obtain that consent directly and plainly.
      • AI-assisted analysis of your tax return. When our use of AI involves a use or disclosure of tax return information that requires consent under federal law, we ask for your consent first. In some cases, we may also ask for consent as a client-protection practice even where the rules are not perfectly clear.
  • Where we simply disclose. In these situations, the law permits us to proceed under a recognized exception, so no separate consent is required. We still tell you plainly that we do it, because transparency matters to us.
      • AI-assisted tax return preparation. When we use professional AI tax preparation tools to help prepare your return, those tools act as our contracted service providers and are bound by the same federal confidentiality rules (sections 7216 and 6713) that govern our own team. No separate consent is required, but we want you to know we use them.
      • Our own team and routine processing. Sharing your information among WCG team members in the United States who work on your return, and routine processing through our secure software systems, falls under standard exceptions and requires disclosure, not consent.

If you ever have a question about who touches your information or why, just ask. We would rather have that conversation in the open than leave you wondering.

Content Control

Employee internet access is filtered against approved content categories, and many high-risk categories are restricted because they are common sources of malware, phishing, and unwanted content.

Email Washer

All emails sent to WCG go through a mail-washer program that compares the sender to known spammers and authors of malware and viruses. The mail washer also denies certain file types as attachments. As a result, all ZIP and EXE files are excluded. Citrix ShareFile can handle large files, so zipping or compressing documents is usually unnecessary.

Emailed Tax Returns

Tax returns, and similar high-security files, are uploaded to your ShareFile folder for safe retrieval. If you need a copy emailed to you (or to others), we do that through an encrypted email using Citrix ShareFile.

Email Etiquette

Our Associate Handbook has very specific email policies and procedures, including the ones above. We will never send personal information such as Social Security numbers, dates of birth, or passwords through email.

Client Document Management

We use ShareFile by Citrix to securely allow you to upload files to us, and for us to upload files to you. They use 256-bit encryption and market themselves specifically to firms in the financial and accounting industries. We use a mapped network drive to your ShareFile folder for ease of retrieval and file movement, but data is retained by Citrix ShareFile and never downloaded to a local computer (endpoint) or file server.

Online Digital Forms

WCG has selected Formstack and Jotform as our third-party providers of secure digital forms. They are best in class for ease of use, and also best in class for security. All sensitive information is encrypted and is never emailed. All WCG employees must enter a unique password plus 2FA / OTP to retrieve forms with sensitive information (such as SSN, driver’s license, and banking information).

Credit Card Payments

We encourage you to enter credit card numbers and associated information directly into our CanopyTax credit card processing web portal. We also accept PayPal payments.

Please contact us with any additional questions or concerns. We hope this overview helps explain the policies, procedures, and technology safeguards WCG uses to protect your security and privacy.
