© 2026 Ryan, LLC

Security

Trust Center

Frequently Asked Questions

  • Ryan maintains SOC 2 certification verified through independent accounting and auditing firm examinations. SOC 2 measures data processing system security and determines whether effective safeguards are in place. Reports verify internal controls meet AICPA Trust Services Criteria for security. Ryan also maintains PCI DSS compliance for secure payment processing. Product-specific SOC reports and security documentation are available through Product Security Profiles.
  • Data encryption uses TLS enabled by default on internet-accessible systems. Internal policies govern data use and protection, with retention and disposal aligned with GDPR. Access is limited to authorized team members through MFA, single sign-on, and least-privilege principles. Strong password controls, session expiration, and account lockouts prevent unauthorized access. Additionally, SIEM tools provide centralized logging and monitoring. Data centers have 24x7 monitoring, cameras, visitor logs, controlled entry, and dedicated equipment cages. Deleted data is irrevocably logically and physically deleted per hosting provider protocols, ensuring database security and privacy.
  • Third parties are regularly contracted to simulate attacks through penetration testing to identify weaknesses. Ryan participates in a bug bounty program to incentivize responsible vulnerability reporting. SIEM tools continuously monitor and identify security events and anomalous behavior in real time. BitSight provides an independent cybersecurity assessment, with Ryan maintaining a 720 rating versus the 710 industry average.
  • Reports should be submitted using the Vulnerability Disclosure Program form. Include screen captures and technical details: URL where the issue occurs, login ID used, time of discovery, and source IP. Respond promptly when clarification is sought. Upon validation, issues are categorized by priority with status updates provided where feasible.
  • Ryan engages subprocessors to perform services, granting data access only as required. Written agreements impose strict data protection measures mandated by Ryan and regulations, ensuring protection levels no less stringent than those contained in our agreements. Certain vendors undergo assessments verifying proper data security and privacy practices. Service or contract changes undergo a security risk assessment to prevent additional risk.
  • Internal policies govern data use and protection. Record retention and disposal policies align with GDPR and compliance requirements. Ryanʼs technology uses built-in retention rules, and team members follow operational deletion guidelines upon service termination. Deleted data is irrevocably logically and physically deleted according to best-in-class hosting provider protocols. 
  • Certifications

    Certified Product Security Compliance

  • Legal Resources

    View Our Legal Resources and Security Commitments

  • Accessibility Standards

    Accessibility Standards and Inclusive Design

    Ryan designs tax products and web platforms to meet Americans with Disabilities Act (ADA) and Web Content Accessibility Guidelines (WCAG) 2.1 standards, ensuring equal access for all users. 

    By incorporating accessibility widgets and inclusive user experience design practices, Ryanʼs tax technology accommodates diverse needs and abilities.

    Through ongoing testing, user feedback collection, and continuous improvement efforts, Ryan maintains and strengthens accessibility compliance across all platforms, making tax technology accessible to everyone regardless of physical or cognitive differences.


Precision-Engineered for Privacy, Security, and Compliance

Privacy and security are embedded into our tax solutions through documented controls, governance, and ongoing oversight. Independent SOC 2 assessments validate the effectiveness of their security controls in protecting sensitive data. Our proprietary tools are continuously monitored, regularly tested through third-party security assessments, and supported by a formal Vulnerability Disclosure Program that enables responsible reporting and remediation of potential security issues. These practices align with recognized industry standards and evolve as risks and regulatory expectations change, providing sustained confidence in how your critical tax data is protected.

Integrated Technical and Organizational Safeguards

Security at Ryan goes beyond theory, with encryption, monitoring, policies, and governance operating together as an integrated protection framework. A BitSight Security Rating of 760, above the 710 industry average, independently validates Ryanʼs cybersecurity readiness.

Attestation and Compliance

We are committed to maintaining the highest standards of administrative and technical control. Service Organization Control (SOC) 2 Type II report documents demonstrate that an independent accounting and auditing firm examined an organizationʼs control objectives and activities and tested those controls to ensure that they are operating effectively.

SOC 2 is a technical auditing process conducted by an independent accounting and auditing firm to measure the security of an organizationʼs unique data processing systems. SOC 2 Type II provides a neutral determination regarding whether effective safeguards and controls are in place.

Our SOC 2 Type II reports verify the existence of internal controls that have been designed and implemented to meet the AICPA Trust Services Criteria for security. You can obtain copies of our product-specific SOC reports and other security documentation by visiting our Product Security Profiles. 

  • We perform background screening on all team members to the extent possible within local law. Team members also sign nondisclosure agreements. Additionally, all team members annually affirm their compliance with the company handbook, data privacy, and security policies.
  • Upon joining and at least annually thereafter, all Ryan team members undergo tested security training. This training covers safe handling and classification of data, compliance, security best practices, and adherence to the principle of least privilege. Regular training and testing on phishing are provided through an internal mock phishing program, which includes reinforcement training for underperformance. Upon joining and at least annually thereafter, all Ryan team members undergo tested privacy training covering topics such as personal data, personally identifiable information, and sensitive personal information as regulated by various applicable privacy laws [specifically including the General Data Protection Regulation (GDPR) and California privacy laws]. Specific Ryan team members receive additional role-based training. For example, the Ryan software engineering team receives training on how to identify the latest threats and use secure coding techniques to build resilient and secure solutions, with special emphasis on privacy by design and secure software development.
  • Ryan platform security is overseen by a Cyber Security team led by a Chief Information Security Officer (CISO). The Cyber Security team maintains an Incident Response Plan (IRP) that addresses the segregation of duties, details the processes for detecting, reporting, identifying, analyzing, and responding to security incidents impacting firm infrastructure and data under our custody and control, and provides for post-event analysis to identify and capture any lessons learned.
  • In the event of a data breach, we will follow our IRP and contractual obligations to notify clients and customers of incidents impacting the infrastructure and data related to the delivery of their services and products.
  • We may engage subprocessors to perform or deliver services. In such cases, we only grant these subprocessors access to client and customer data as required to perform their services. These subprocessors are bound by written agreements that impose strict data protection measures mandated by Ryan and applicable regulations. The Ryan written agreements with subprocessors ensure that the level of data protection provided is no less stringent than the level of data protection specified in the client’s or customerʼs agreement with Ryan. Furthermore, we subject certain vendors to vendor assessments to verify the implementation of proper data security and privacy practices throughout the vendor relationship. Any changes to vendor services or existing contracts undergo a security risk assessment to ensure that they do not introduce additional or undue risk.

Product Security Profiles

Access SOC 2 reports, penetration test summaries, and security attestations for each product. If you have a confidentiality agreement with Ryan, you can view documentation immediately through your profile. New clients and customers can request access by completing a nondisclosure agreement.

  • Information Security Overview

    Explore enterprise security controls and governance.

  • Client Portal

    Manage tax workflows in a unified workspace.

  • OPT®

    Track personal property tax and depreciation.

  • Tracker® PRO

    Streamline unclaimed property compliance.

  • Transfer Pricing Documenter™

    Centralize transfer pricing documentation.

  • Transfer Pricing Operational™

    Automate intercompany transfer pricing workflows.

  • Transfer Pricing Lifecycle Management (TPLM)

    Coordinate transfer pricing policy and defense.

  • PinPoint

    Calculate U.S. and Canadian sales and use tax. 

  • FilePoint

    Prepare and file indirect tax returns at scale.

  • ControlPoint®

    Automate exemption certificate workflows.

  • RatePoint®

    Monitor sales and use tax rates with alerts.

  • VAT

    Simplify VAT and GST compliance in 60+ countries.

  • The BitSight Security Rating is an independent, data-driven assessment of cybersecurity readiness. BitSight is the most widely adopted Security Ratings solution for all industries and markets, and is trusted by 20% of Fortune 1000 companies, the Big 4 accounting firms, and numerous global insurance companies. Additional information on Security Ratings may be found at BitSightʼs website.
  • We store critical information in high-security data centers, including cloud storage providers. Data center security includes physical security measures designed to minimize disruption and prevent theft, tampering, and damage, including:
    • 24×7 monitoring
    • Cameras
    • Visitor logs
    • Entry requirements
    • Climate control
    • Fire detection and suppression systems
    • Dedicated cages to separate our equipment from other tenants in the data center
  • Our internet-accessible systems have Transport Layer Security (TLS) enabled to encrypt data traffic by default. Our web application endpoints use TLS for secure transport.
  • We maintain an internal policy governing the proper use and protection of client and customer data. We further maintain an internal Record Retention and Disposal policy developed in view of industry-standard compliance requirements such as the GDPR. Where appropriate, platforms use built-in rules to govern retention and Ryan team members follow operational guidelines for the deletion of data upon termination of services. When deleted, data is irrevocably logically and physically deleted according to the protocols of best-in-class hosting service providers.
  • We use best-in-class hosting service providers with resilient and redundant systems to enable automated failover capability. Our framework focuses on three core elements:
    • People: We maintain policies and procedures for Incident Response and train our Cyber Security team on these documents.
    • Processes: We maintain a program for business continuity to sustain certain operations during a significant business disruption.
    • Technology: We use a prioritized approach to restoring essential information technology infrastructure, hardware, and software during a business continuity event.
    We perform regular and secure backup and recovery testing of data and supporting systems. The intervals for backups depend on the type of data and underlying repositories, ranging from minutes to daily.
  • We employ a robust, multilayer defense-in-depth strategy for safeguarding against intrusions and malware. The security architecture is designed to centrally manage and monitor the protection of company assets as well as client and customer data. Furthermore, we require vendors determined to be “high risk” to complete vendor assessments to verify the implementation of proper data security and privacy practices throughout the vendor relationship. Any changes to vendor services or existing contracts undergo a security risk assessment to ensure that they do not introduce additional or undue risk.
  • We employ processes to log, monitor, and respond to events and anomalies in our systems and solutions. We use centralized nonrepudiable logging and monitoring solutions to identify and investigate possible security events and track anomalous behavior. Dedicated and centralized Security Information and Event Management (SIEM) tools allow us to proactively model risks and respond to incidents.
  • We limit access to client and customer data to authorized team members with login credentials. Security is enhanced through multifactor authentication (MFA), single sign-on, need-to-know/least-privilege principles, and restricted administrative account access. Strong password controls enforce length, complexity, and defined expiration, with limited reuse. To strengthen security, we implement session expiration, terminating inactive sessions to prevent unauthorized access. Failed login attempts result in account lockouts to thwart brute-force attacks. Regular access reviews are conducted to help ensure access privileges remain appropriate and up to date. Lastly, we promptly revoke access upon employee termination, further preventing unauthorized data access.
  • We employ a secure software development methodology that incorporates security throughout the system’s development lifecycle in connection with the development and maintenance of our information systems. Minimally, applications have controls to protect against known vulnerabilities and threats, and secure coding standards are employed that comply with industry standards such as OWASP.
  • We maintain a proactive approach to safeguarding information in our custody or control through regular and timely patching of our software and infrastructure, keeping potential vulnerabilities at bay and providing a safe and reliable platform.
  • We regularly contract with third parties to simulate attacks against many of our solutions to identify potential points of weakness or vulnerability.
  • We participate in a formal vulnerability or “bug bounty” program to incentivize responsible reporting of bugs in Ryan’s commercial applications.
  • We align our controls framework to NIST standards.

Coordinated Vulnerability Disclosure

Vulnerability Disclosure Program

We are committed to maintaining the confidentiality, integrity, and availability of the systems and information in our control. If you detect an information security issue in any of our systems while using a Ryan website or a Ryan commercial application, we strongly urge you to report it using our Vulnerability Disclosure Program form below.

We aim to rapidly address any security issues while minimizing the negative impact on our clients and customers. To achieve this, we ask that you provide the information necessary to understand the issue fully.

Upon validation of the issue, we will categorize the issueʼs priority based on our assessment. For transparency, we will strive to provide regular updates on the issueʼs status, where feasible. If we identify the issue as a false positive or an issue weʼre already aware of, we will inform you of this fact.

To help expedite the process, we ask that you please provide screen captures of the issue and respond promptly when we seek your clarification or input. Please also include any relevant technical details, such as:

  • The URL where the issue occurs

  • The ID used to log in

  • The time of day you discovered the issue

  • Your source IP

The form below is the only way to submit findings. Please do not contact us directly with findings, as these requests will be ignored.

Compliance

If you have acted in a way that may harm our clients or customers, our software products, our associates, or our vendors, we consider this a breach of our Terms of Use. Publicly disclosing an information security issue (for example, methodologies or codes) in a public forum (such as on social media, in a chat room, or with friends) is also a breach of our Terms of Use, as would be the creation of any fraudulent accounts.

Alerts and Updates

  • Ryan, LLC has received multiple requests for information pertaining to the MOVEit Transfer Software vulnerability. Ryan as an organization does not utilize the affected version of the MOVEit Transfer Software in the ordinary course of business. None of Ryan’s licensed software products utilize MOVEit Transfer Software, and Ryan’s service delivery team does not use MOVEit in ordinary practice. Regarding third-party service providers, Ryan is taking a proactive stance and is contacting third parties regarding this issue and is seeking to ensure timely remediation where necessary.
  • On Friday, December 10, 2021, we were made aware of a vulnerability in the Log4j logging framework, CVE-2021-44228. We immediately initiated our incident response process to determine our usage of this framework and its impact across our products and our infrastructure.

    For affected systems, we’re monitoring telemetry and have not detected any successful exploitation at this time. We’re applying the recommended solutions by the Apache Software Foundation and, when applicable, patching our systems with the latest version of Log4j. We continue to actively monitor the situation for any new developments. No action by users of our products is required in order to continue safely using the solution.

SaaS Agreement

Rights, responsibilities, and permitted use for software-as-a-service products.

Data Processing Agreement

Terms governing data handling and protection across platforms.

Service Level Agreement

Uptime commitments, performance standards, and support response definitions.

Subprocessors

Third-party providers support software operations and data processing.