Data Security & Privacy

Protecting user data, both financial and personally identifiable, is the cornerstone of TaxChain's architecture. Every design choice, from protocol primitives to off-chain services, follows a zero-trust, privacy-by-design philosophy that treats the user as the sole owner of their information. Below is a technical overview of the mechanisms that safeguard confidentiality, integrity, and availability across the stack.


Security & Privacy Design Principles

Principle and implementation touchpoints:

  • End-to-End Encryption: all payloads are encrypted before they leave the user's device; servers only ever handle ciphertext.

  • Minimised Data Surface: the system stores only what is legally required for tax reporting; no advertising, no profiling.

  • Deterministic Auditability: every state-changing action (ingest, classify, share, revoke) emits a hash to a public chain.

  • Separation of Duties: the tracking, classification, storage, and gateway layers run under isolated credentials.

  • Configurable Transparency: users decide which advisors or regulators see which slices of data, for how long, and in what format.


Cryptographic Architecture

Layer, algorithm(s) / standard(s), and purpose:

  • Transport: TLS 1.3 with mandatory ECDHE (X25519). Purpose: prevent MITM and downgrade attacks.

  • Storage: XChaCha20-Poly1305 (content); AES-256-GCM (metadata). Purpose: confidentiality and integrity at rest.

  • Key Derivation: HKDF-SHA-256 with context binding. Purpose: unique keys per user-month snapshot.

  • Hashing: BLAKE3 off-chain; Keccak-256 on-chain. Purpose: collision-resistant commitments.

  • Signatures: ECDSA (secp256k1) for user operations; Ed25519 for server attestations. Purpose: non-repudiation.

  • Secret Sharing: Shamir (k = 2, n = 3). Purpose: social recovery of encryption keys.
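
The 2-of-3 Shamir scheme in the table, worked through as an added example (this is not TaxChain's recovery code). It shares a 32-byte key byte-wise over GF(2^8): any two of the three shares recover the key, a single share reveals nothing about it, and the share encoding (one x-coordinate byte followed by the y bytes) is an assumption of this example. The functions also accept other (k, n) thresholds.

```python
"""Shamir secret sharing, k = 2 of n = 3, over GF(2^8), applied byte-wise to a
32-byte key.  Added example, not TaxChain's social-recovery code; the share
encoding (one x-coordinate byte followed by the y bytes) is an assumption."""
import secrets


def gf_mul(a: int, b: int) -> int:
    """Multiply in GF(2^8) modulo the AES polynomial x^8 + x^4 + x^3 + x + 1."""
    p = 0
    for _ in range(8):
        if b & 1:
            p ^= a
        carry = a & 0x80
        a = (a << 1) & 0xFF
        if carry:
            a ^= 0x1B
        b >>= 1
    return p


def gf_inv(a: int) -> int:
    """a^(-1) = a^254, since the multiplicative group of GF(2^8) has order 255."""
    if a == 0:
        raise ZeroDivisionError("0 has no inverse in GF(2^8)")
    result, base, e = 1, a, 254
    while e:
        if e & 1:
            result = gf_mul(result, base)
        base = gf_mul(base, base)
        e >>= 1
    return result


def _eval_poly(coeffs: list, x: int) -> int:
    """Horner's rule; coeffs[0] is the constant term (the secret byte)."""
    acc = 0
    for c in reversed(coeffs):
        acc = gf_mul(acc, x) ^ c
    return acc


def split(secret: bytes, k: int = 2, n: int = 3) -> list:
    """Return n shares of which any k reconstruct the secret (x = 1..n, never 0)."""
    if not 1 <= k <= n <= 255:
        raise ValueError("need 1 <= k <= n <= 255")
    # one random polynomial of degree k-1 per secret byte, constant term = that byte
    polys = [[s] + [secrets.randbelow(256) for _ in range(k - 1)] for s in secret]
    return [bytes([x]) + bytes(_eval_poly(p, x) for p in polys) for x in range(1, n + 1)]


def combine(shares: list) -> bytes:
    """Lagrange interpolation at x = 0; in characteristic 2, subtraction is XOR.
    With fewer than k shares this returns garbage rather than an error, so the
    caller must know the threshold."""
    xs = [s[0] for s in shares]
    if len(set(xs)) != len(xs) or 0 in xs:
        raise ValueError("shares must have distinct non-zero x-coordinates")
    out = bytearray()
    for i in range(1, len(shares[0])):
        acc = 0
        for j, sj in enumerate(shares):
            num = den = 1
            for m, sm in enumerate(shares):
                if m != j:
                    num = gf_mul(num, sm[0])          # (0 - x_m) = x_m
                    den = gf_mul(den, sj[0] ^ sm[0])  # (x_j - x_m)
            acc ^= gf_mul(sj[i], gf_mul(num, gf_inv(den)))
        out.append(acc)
    return bytes(out)


if __name__ == "__main__":
    key = secrets.token_bytes(32)              # constructed: a content key to protect
    user_share, guardian_a, guardian_b = split(key, k=2, n=3)
    assert combine([user_share, guardian_b]) == key   # any two shares recover it
    print("recovered:", combine([guardian_a, guardian_b]).hex() == key.hex())
```

In the social-recovery setting one share stays with the user and the other two go to separate guardians; the three shares must never sit on the same device, since with k = 2 any two of them are the key. Overwriting a share, as the Destruction step below describes, simply removes one point from the polynomial.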

Key Lifecycle

  1. Generation – Keys are derived client-side; TaxChain never sees raw secrets.

  2. Rotation – A fresh symmetric key K_{u,m} is derived for every user u and calendar month m, so a compromised month key exposes at most one month of snapshots.

  3. Destruction – When a pNFT expires or is revoked, the decryption share associated with it is overwritten with bytes from a cryptographically secure RNG and the action is anchored on-chain.


Data-at-Rest Protection

  1. Snapshot Encryption:

    • Each Parquet column chunk is sealed individually with XChaCha20-Poly1305; the header carries a 24-byte nonce taken from the first 24 bytes of BLAKE3(uid ‖ month ‖ colIdx). Because the nonce is deterministic, the same K_{u,m} must never seal two different plaintexts for the same (uid, month, colIdx), which rules out re-sealing a modified chunk under an unchanged month key.

    • A 16-byte authentication tag is appended to each chunk, making undetected payload tampering computationally infeasible (on the order of 2^128).

  2. IPFS Cluster:

    • Twelve geo-diverse pinning nodes (EU, US, APAC) replicate the encrypted snapshots by CID.

    • Pin records contain only the CID and no user metadata, which avoids linkage attacks.

  3. Cold Storage Back-Ups:

    • Weekly diff bundles are encrypted under an HSM-resident key and archived to S3 Glacier Deep Archive; restoring them requires a quorum of the Guardian Council (5-of-9 multisig).
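
The key derivation from the Key Lifecycle steps and the per-chunk nonce rule above, as an added example that is not TaxChain's code. It implements HKDF-SHA-256 from RFC 5869 with a length-prefixed context so that (user, month) binds unambiguously, derives the 24-byte chunk nonce, and keeps a ledger that refuses to seal a different plaintext under an already-used (key, nonce) pair. The context labels, the salt, the length-prefixed field layout and the use of BLAKE2b in place of BLAKE3 (the standard library ships no BLAKE3) are assumptions of this example.

```python
"""HKDF-SHA-256 with context binding, per-user-month keys and deterministic
per-chunk nonces.  Added example, not TaxChain's code: the labels, the salt,
the length-prefixed context layout and the use of BLAKE2b in place of BLAKE3
(hashlib has no BLAKE3) are assumptions."""
import hashlib
import hmac

HASH = hashlib.sha256
HASH_LEN = HASH().digest_size  # 32 bytes for SHA-256


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """RFC 5869 extract: PRK = HMAC-Hash(salt, IKM); an empty salt means HASH_LEN zeros."""
    return hmac.new(salt or b"\x00" * HASH_LEN, ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 expand: T(i) = HMAC-Hash(PRK, T(i-1) || info || i), i = 1, 2, ..."""
    if length > 255 * HASH_LEN:
        raise ValueError("HKDF output longer than 255 * HashLen")
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm += block
        counter += 1
    return okm[:length]


def hkdf(salt: bytes, ikm: bytes, info: bytes, length: int) -> bytes:
    return hkdf_expand(hkdf_extract(salt, ikm), info, length)


def _encode(*fields: bytes) -> bytes:
    """Length-prefix every field so no two field sequences share an encoding
    ("ab","c" vs "a","bc"); this is what makes the context binding unambiguous."""
    return b"".join(len(f).to_bytes(2, "big") + f for f in fields)


def snapshot_key(master_secret: bytes, uid: str, month: str) -> bytes:
    """K_{u,m}: a fresh 32-byte content key for user u and calendar month m,
    derived client-side from a master secret that never leaves the device."""
    info = _encode(b"taxchain/snapshot-key/v1", uid.encode(), month.encode())
    return hkdf(b"taxchain-hkdf-salt", master_secret, info, 32)


def chunk_nonce(uid: str, month: str, col_idx: int) -> bytes:
    """24-byte XChaCha20-Poly1305 nonce: first 24 bytes of H(uid || month || colIdx).
    BLAKE2b with a 24-byte digest stands in for BLAKE3 here."""
    data = _encode(uid.encode(), month.encode(), col_idx.to_bytes(4, "big"))
    return hashlib.blake2b(data, digest_size=24).digest()


class NonceLedger:
    """An AEAD key must never seal two different plaintexts under one nonce.
    Because the nonce is a deterministic function of (uid, month, colIdx), re-sealing
    a chunk under the same K_{u,m} is safe only if the plaintext is unchanged; a
    modified chunk needs a rotated key (or a version field in the nonce input)."""

    def __init__(self) -> None:
        self._seen: dict = {}

    def may_seal(self, key: bytes, nonce: bytes, plaintext: bytes) -> bool:
        digest = hashlib.sha256(plaintext).digest()
        return self._seen.setdefault((key, nonce), digest) == digest


if __name__ == "__main__":
    master = bytes(32)  # constructed demo secret; a real client uses a random one
    k = snapshot_key(master, "user-42", "2025-03")
    ledger = NonceLedger()
    n0 = chunk_nonce("user-42", "2025-03", 0)
    print("K_{u,m} =", k.hex(), "nonce =", n0.hex())
    print("first seal allowed:", ledger.may_seal(k, n0, b"col0-v1"))
    print("re-seal of changed data allowed:", ledger.may_seal(k, n0, b"col0-v2"))
```

The HKDF functions reproduce the RFC 5869 Appendix A.1 test vector, which is the check to run before trusting any hand-rolled derivation. The actual seal would pass the derived key and nonce to an XChaCha20-Poly1305 implementation (for example PyNaCl's `crypto_aead_xchacha20poly1305_ietf_encrypt`), with the chunk header as associated data.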


Data-in-Transit Protection

  • Gateway ↔ Advisor traffic is served over HTTP/2 on TLS 1.3 with mutual authentication (client certificates), so an advisor is identified before any request is processed.

  • Listener Mesh node-to-node gossip runs inside WireGuard tunnels, so there are no plaintext hops between nodes.

  • On-chain anchors reveal only Merkle roots; each file CID is committed together with a 32-byte random blinding factor, so a chain observer who learns a CID cannot test whether it is included in a root or correlate roots across snapshots.


Access Control & Selective Disclosure

Mechanism and detail:

  • Permission NFTs: soul-bound ERC-721 tokens carrying encrypted scope metadata (see § 4.5).

  • Scope Enforcement: the WASM gateway checks every requested CID against the pNFT's scope hash and denies any request that reaches beyond it.

  • Least Privilege: advisors default to read-only access; export stays disabled until the user toggles export_permission.

  • Time-Bound Keys: decryption keys embed a Unix expiry timestamp; the gateway discards a key once its TTL has passed.

  • Revocation Granularity: revocation can be per snapshot, per jurisdiction, or global.

All access events write an AAOL entry containing (hash(request), timestamp, advisorWallet, pNFTid); users can download the log or prove the integrity of any entry via a Merkle inclusion proof.
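
The gateway checks from the table above (scope, expiry, export flag) together with the AAOL entry and its Merkle inclusion proof, as one added example that is not TaxChain's gateway or AAOL code. The log leaves are blinded with a 32-byte random salt in the same way the Data-in-Transit section describes for CID anchors, so holding only the root does not let an observer confirm a guessed entry. The record layouts, the field names and the use of SHA-256 in place of BLAKE3/Keccak-256 are assumptions of this example.

```python
"""Gateway-side pNFT enforcement (scope hash, expiry, export flag) and an
append-only access log whose entries are committed in a Merkle tree with
blinded leaves, so a user can verify any single entry with an inclusion proof.
Added example, not TaxChain's gateway or AAOL code; the record layouts, the
field names and the use of SHA-256 in place of BLAKE3/Keccak are assumptions."""
import hashlib
import secrets
from dataclasses import dataclass, field


def h(*parts: bytes) -> bytes:
    return hashlib.sha256(b"".join(parts)).digest()


@dataclass(frozen=True)
class PermissionNFT:
    token_id: int
    advisor_wallet: str
    scope_cids: frozenset          # CIDs the holder may read
    expires_at: int                # Unix seconds
    export_permission: bool = False

    @property
    def scope_hash(self) -> bytes:
        """Order-independent commitment to the scope (what the gateway compares)."""
        return h(*sorted(cid.encode() for cid in self.scope_cids))


def authorize(pnft: PermissionNFT, wallet: str, cids, now: int, export: bool = False):
    """Deny on wrong holder, expiry, any CID outside scope, or export without the flag.
    Returns (allowed, reason) so the decision can be logged either way."""
    if wallet != pnft.advisor_wallet:
        return False, "wallet does not hold this pNFT"
    if now >= pnft.expires_at:
        return False, "pNFT expired"
    overreach = set(cids) - pnft.scope_cids
    if overreach:
        return False, "out-of-scope CIDs: " + ", ".join(sorted(overreach))
    if export and not pnft.export_permission:
        return False, "export_permission not granted"
    return True, "ok"


@dataclass
class AccessLog:
    """Leaf = H(0x00 || salt || H(request) || ts || wallet || tokenId).  The 32-byte
    salt blinds the leaf: a verifier given the entry and its salt can check the proof,
    but someone holding only the root cannot confirm a guessed request by hashing it."""
    entries: list = field(default_factory=list)

    def append(self, request: bytes, ts: int, wallet: str, token_id: int) -> int:
        self.entries.append((secrets.token_bytes(32), h(request), ts, wallet, token_id))
        return len(self.entries) - 1

    @staticmethod
    def leaf(entry) -> bytes:
        salt, req_hash, ts, wallet, token_id = entry
        return h(b"\x00", salt, req_hash, ts.to_bytes(8, "big"),
                 wallet.encode(), token_id.to_bytes(8, "big"))

    def _layers(self) -> list:
        if not self.entries:
            raise ValueError("empty log has no root")
        layers = [[self.leaf(e) for e in self.entries]]
        while len(layers[-1]) > 1:
            lvl = layers[-1] + ([layers[-1][-1]] if len(layers[-1]) % 2 else [])
            # 0x01 prefix keeps inner nodes distinct from leaves (no second-preimage trick)
            layers.append([h(b"\x01", lvl[i], lvl[i + 1]) for i in range(0, len(lvl), 2)])
        return layers

    def root(self) -> bytes:
        return self._layers()[-1][0]

    def proof(self, index: int) -> list:
        """Sibling hashes from the leaf up, each tagged with the side it sits on."""
        path = []
        for layer in self._layers()[:-1]:
            lvl = layer + ([layer[-1]] if len(layer) % 2 else [])
            sib = index ^ 1
            path.append(("L", lvl[sib]) if sib < index else ("R", lvl[sib]))
            index //= 2
        return path


def verify_inclusion(entry, proof: list, root: bytes) -> bool:
    """Recompute the path from the entry's leaf; must land exactly on the anchored root."""
    node = AccessLog.leaf(entry)
    for side, sib in proof:
        node = h(b"\x01", sib, node) if side == "L" else h(b"\x01", node, sib)
    return node == root
```

A user who downloads the log keeps the full entries (salts included); the on-chain anchor is only the root, so a proof lets them check one entry against the chain without publishing the rest of the log.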


Privacy-Preserving Analytics

To improve UX (error patterns, compile times) without leaking personal data, TaxChain uses differential privacy with a tunable ε. Metrics are aggregated client-side, Laplace noise is added (ε = 0.4 by default), and the result is posted to the DAO analytics stream. Because epsilons add up under sequential composition, each metric released from the same data consumes part of a finite privacy budget.
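
The client-side mechanism just described, as an added example that is not TaxChain's telemetry code: the Laplace mechanism with scale b = sensitivity / ε, a budget ledger that enforces sequential composition, and a histogram release that caps each user to one record so the whole histogram has L1-sensitivity 1. The metric names, the fixed error-code domain, the total budget and the one-record-per-user cap are assumptions of this example.

```python
"""Client-side Laplace mechanism for UX metrics, with a privacy-budget ledger.
Added example, not TaxChain's telemetry code; the metric shapes, the error-code
domain, the total budget and the one-record-per-user cap are assumptions."""
import math
import random


def laplace_scale(sensitivity: float, epsilon: float) -> float:
    """Noise scale b = Δf / ε: the Laplace mechanism is ε-DP for L1-sensitivity Δf."""
    if epsilon <= 0 or sensitivity < 0:
        raise ValueError("need epsilon > 0 and sensitivity >= 0")
    return sensitivity / epsilon


def laplace_noise(b: float, rng: random.Random) -> float:
    """Sample Laplace(0, b) by inverse CDF (the random module has no Laplace sampler)."""
    u = rng.random() - 0.5                    # uniform on [-0.5, 0.5)
    while u <= -0.5:                          # avoid log(0) at the closed endpoint
        u = rng.random() - 0.5
    return -b * math.copysign(1.0, u) * math.log(1.0 - 2.0 * abs(u))


class PrivacyBudget:
    """Sequential composition: releases on the same data add their epsilons.
    With ε = 0.4 per metric, a total of 2.0 allows five releases, then refuses."""

    def __init__(self, total_epsilon: float) -> None:
        self.total, self.spent = total_epsilon, 0.0

    def spend(self, epsilon: float) -> None:
        if self.spent + epsilon > self.total + 1e-9:
            raise RuntimeError(f"privacy budget exhausted ({self.spent:.2f}/{self.total})")
        self.spent += epsilon


def private_count(true_count: int, budget: PrivacyBudget,
                  epsilon: float = 0.4, rng=None) -> float:
    """A count has sensitivity 1: adding or removing one user changes it by at most 1."""
    budget.spend(epsilon)
    return true_count + laplace_noise(laplace_scale(1.0, epsilon), rng or random.SystemRandom())


def private_error_histogram(events, domain, budget: PrivacyBudget,
                            epsilon: float = 0.4, rng=None) -> dict:
    """events: (user_id, error_code) pairs; domain: the fixed set of codes to release.
    Keeping only each user's first event caps one user's contribution to a single bin,
    so the histogram has L1-sensitivity 1 and one ε covers every bin; a user present in
    ten bins would make the same release 10ε-DP.  Releasing every code in the fixed
    domain (zeros included) avoids leaking which codes occurred at all."""
    first = {}
    for user, code in events:
        first.setdefault(user, code)
    counts = {code: 0 for code in domain}
    for code in first.values():
        if code in counts:
            counts[code] += 1
    budget.spend(epsilon)
    rng = rng or random.SystemRandom()
    b = laplace_scale(1.0, epsilon)
    return {code: n + laplace_noise(b, rng) for code, n in counts.items()}


if __name__ == "__main__":
    # constructed sample: which error code each user hit while compiling a return
    sample = [("u1", "E_MISSING_COST_BASIS"), ("u2", "E_MISSING_COST_BASIS"),
              ("u3", "E_UNSUPPORTED_CHAIN"), ("u1", "E_UNSUPPORTED_CHAIN"), ("u4", "E_TIMEOUT")]
    codes = ("E_MISSING_COST_BASIS", "E_UNSUPPORTED_CHAIN", "E_TIMEOUT", "E_OTHER")
    budget = PrivacyBudget(total_epsilon=2.0)
    print(private_error_histogram(sample, codes, budget, rng=random.Random(1)))
    print("spent epsilon:", budget.spent)
```

With ε = 0.4 and sensitivity 1 the noise scale is 2.5, so a single released count is only meaningful once the true value is well above a few units; the budget ledger is what stops a client from shrinking that noise by simply re-sending the same metric.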


Regulatory & Legal Compliance

Framework / law and compliance strategy:

  • GDPR (EU): right to erasure implemented as cryptographic erasure (key burn); data minimisation is built into the protocol.

  • Swiss DPA: data stays encrypted outside Swiss jurisdiction unless the user opts in.

  • EU DAC8 (reporting): users can choose to issue regulator pNFTs automatically; disclosure is opt-in, never the default.

  • EU Data Act (2025): full data export in machine-readable JSON and XBRL, with no dark-pattern obstacles.

  • ISO 27001 alignment: internal policies mirror the Annex A controls; an annual SOC 2 Type II audit is planned for Q4 2025.

Secure Compute & Runtime Hardening

  • WASM Sandboxes: all plugin code runs inside wasmtime with an allow-list of host calls; each instance is capped at 1 MiB of linear memory, which bounds resource use, and WebAssembly's bounds-checked memory model keeps a plugin from reading or writing host memory.

  • eBPF Network Filters: gateways run eBPF programs that restrict outbound traffic to the IPFS and price-oracle hosts only.

  • RASP Agent: Runtime Application Self-Protection hooks in the ML containers kill the pod when heap-spray or deserialization anomalies appear.


Penetration Testing & Bug Bounty

  • Quarterly Pentests by Trail of Bits and Hacken cover OWASP, business logic, and novel cryptographic abuse vectors.

  • Immunefi public bounty: rewards up to USD 750 000 for critical RCE or cryptographic failures.

  • Gray-Box Scenario Drills every six months simulate stolen advisor private keys; the benchmark for mean revocation time is ≤ 10 minutes.


Incident Response & Forensics

  1. Detection – Falco runtime alerts and Loki-aggregated logs feed a central detection pipeline that flags anomalous access or traffic spikes.

  2. Containment – The pNFT Gateway enters read-only mode and new mints are paused via GovernanceRouter.fastPause().

  3. Eradication – Compromised keys are rotated and a snapshot re-encryption job runs under a new K_{u,m}'.

  4. Recovery – The TaxGraph remains intact; decryption shares are re-issued to users over a secure out-of-band channel.

  5. Disclosure – 72-hour breach-notification SLA in line with GDPR Art. 33.


Future Privacy Enhancements

Milestone and description:

  • zk-PIR Gateway (Q3 2025): advisors will query aggregate figures (e.g., total 2025 gains) via zero-knowledge private information retrieval, never touching raw rows.

  • FHE Cost-Basis Engine (Q2 2026): explore TFHE to compute gains and losses on encrypted balances, sending only ciphertext to the classification VMs.

  • Post-Quantum Crypto Plan: draft migration of ECDSA/Ed25519 signatures to Dilithium (standardised by NIST as ML-DSA, FIPS 204) and of X25519 key agreement to the Kyber KEM (ML-KEM, FIPS 203), now that NIST has finalised both standards.


Key Take-Away

TaxChain combines modern cryptography, rigorous access governance, differentially private analytics, and transparent audit trails so that only authorized parties, under explicit and revocable user consent, can read or process taxable data. This commitment to security and privacy protects users from theft, surveillance, and regulatory overreach, and it establishes the trust foundation required for mainstream adoption of a fully automated, jurisdiction-aware crypto tax protocol.
