Your firm just demoed a cloud-based tax preparation platform. The interface is clean, the workflow is faster, and your staff liked it. Then someone asks: “Where exactly does our client data go?” Nobody in the room knows the answer.
The Problem: Moving to the Cloud Faster Than You’re Vetting It
Cloud accounting and tax platforms have improved dramatically. Firms that once resisted the shift are now migrating quickly, driven by remote work demands, vendor sunsetting of desktop products, and genuine efficiency gains.
The problem is not the technology. The problem is the process firms use to evaluate that technology before signing a contract.
Most vendor evaluations focus on features, pricing, and integration. Security questions, when they come up at all, usually stop at “Do you have SOC 2?” A vendor says yes, the firm moves on, and nobody looks at the actual report.
That gap matters because CPA firms are not ordinary cloud customers. You hold federal tax identification numbers, business financial records, Social Security numbers, bank account data, and health-related information for businesses and individuals. You are subject to the Gramm-Leach-Bliley Act (GLBA), the IRS Safeguards Rule under Internal Revenue Code Section 7216, and a growing list of state-level data protection laws. When a vendor mishandles your client data, you are the one who owns the notification obligation, the regulatory inquiry, and the client relationship damage.
The vendor evaluation process needs to catch up to the data protection obligations your firm already carries. This guide gives you a framework to do exactly that.
Why This Matters for CPA Firms
The IRS Safeguards Rule, updated in the Federal Trade Commission’s revised GLBA Safeguards Rule effective June 2023, now requires tax preparers and accounting firms to implement a formal written information security plan (WISP). A core component of that plan is vendor oversight. You are required to assess the security practices of service providers who handle client financial data on your behalf.
IRS Publication 4557 (“Safeguarding Taxpayer Data”) goes further by providing explicit guidance on what that oversight should include, specifically requiring that firms review contracts with third-party service providers to ensure appropriate data protections are in place.
At the state level, California’s Consumer Privacy Act (CCPA) and its successor, the California Privacy Rights Act (CPRA), impose contractual requirements on how vendors may use personal data your firm shares with them. If your firm is headquartered in Los Gatos, San Jose, or anywhere in California, those obligations apply to you right now.
The financial exposure is real. GLBA enforcement actions carry penalties up to $100,000 per violation for the financial institution, plus individual liability for officers. State breach notification violations carry separate penalties. And beyond regulatory fines, the reputational cost of telling a business owner that their company’s financial records were exposed by a vendor you chose is a different kind of loss that does not appear on any fine schedule.
How to Evaluate a Cloud Accounting Vendor on Security
The following framework walks through the five areas your firm should assess before signing any cloud platform contract.
1. Go Beyond “Do You Have SOC 2?”
A SOC 2 Type II report is a starting point. It tells you that an independent auditor examined the vendor’s controls over a defined period, typically six to twelve months. What matters is what the auditor actually examined.
Ask the vendor: Which Trust Service Criteria (TSC) were in scope? The five criteria are Security, Availability, Processing Integrity, Confidentiality, and Privacy. Many vendors only cover Security and Availability. If you are storing sensitive client data, Confidentiality and Privacy should be in scope.
Then ask: What exceptions did the auditor note? A clean opinion with no exceptions is very different from an opinion with noted deficiencies. Request the management response to any exceptions. A vendor that cannot share the full report (not just a summary) is a vendor worth being cautious about.
Also ask when the report was last completed. A SOC 2 Type II report that is more than 12 months old is stale.
2. Ask About Subprocessors
Most cloud platforms share your data with third-party vendors such as hosting providers, analytics tools, customer support platforms, or payment processors. These are called subprocessors. Ask the vendor for a complete list of subprocessors who may handle your client data.
Ask whether those subprocessors are contractually bound to the same security standards as the primary vendor. Ask whether you will be notified if the vendor adds a new subprocessor after you sign.
This is not an unusual request. Any vendor with mature data governance practices will have this information ready.
3. Pin Down Data Residency and Deletion
Ask the vendor: Where, physically, does our client data reside? For California-based firms, there may be legal implications to data stored in certain jurisdictions outside the United States.
Ask what happens to your data when the contract ends. Specifically: How long does the vendor retain your data after termination? Can you export all data in a portable format? Does the vendor certify deletion, and will they provide written confirmation?
Firms that skip this question often discover at contract renewal time that they cannot leave a platform without losing years of client records, or that their data continues to sit on a vendor’s servers for months after cancellation.
4. Review Breach Notification Language in the Contract
This is where vendor security evaluation intersects directly with your regulatory obligations.
IRS Publication 4557 and state breach notification laws, including California’s data breach notification statute under Civil Code Section 1798.82, require firms to notify affected individuals within specific timeframes after discovering a breach. In California, that window is “in the most expedient time possible” and generally interpreted as 72 hours for regulated entities.
If your vendor does not discover and report a breach to you for 30 days, your ability to meet that obligation evaporates. Your contract with the vendor should specify a maximum notification timeline, typically no more than 72 hours after the vendor becomes aware of a confirmed breach. If the vendor’s standard agreement does not include this language, ask for an amendment. If they refuse, that refusal tells you something important.
5. Build a One-Page Vendor Security Checklist
Standardize this evaluation with a simple checklist your firm uses for every vendor that touches client data. Include fields for SOC 2 report date and scope, subprocessor disclosure, data residency confirmation, deletion/export terms, and breach notification SLA (service level agreement). A completed checklist for each vendor serves a dual purpose: it tightens your vendor selection process, and it becomes documentation you can produce during a regulatory inquiry or client audit.
What to Look for in an IT Partner
If your firm works with a managed IT services provider, that partner should be doing more than keeping your computers running. Ask them specifically:
- Do you assist with vendor security reviews before we sign contracts with new software platforms?
- Can you read and summarize a SOC 2 report and flag material gaps?
- Do you maintain a vendor inventory that maps each tool to the data it accesses?
- Can you help us document our vendor oversight process as part of our WISP?
A qualified IT partner for a CPA firm should understand GLBA, the FTC Safeguards Rule, and IRS Publication 4557, not as background noise, but as active compliance requirements that shape how your technology stack is managed. If your current provider cannot answer those questions, that gap in their knowledge is also a gap in your firm’s security posture.
The Bottom Line
Cloud accounting platforms can make your firm faster and more competitive. But signing a contract before vetting a vendor’s security practices creates regulatory and reputational risk your firm should not carry. Ask for the full SOC 2 report. Get the subprocessor list. Nail down the breach notification language. Build a checklist and use it every time. The firms that do this consistently are the ones that avoid the painful conversation with a client that starts with, “We need to tell you something.”
Frequently Asked Questions
What questions should a CPA firm ask a cloud software vendor about security?
Start by requesting the vendor’s SOC 2 Type II report and reviewing which Trust Service Criteria were in scope, along with any auditor exceptions. Then ask for a subprocessor list, confirm where your client data is physically stored, and review the contract for breach notification timelines and data deletion terms after contract end. These four areas map directly to the vendor oversight requirements in the FTC Safeguards Rule and IRS Publication 4557.
Is a SOC 2 report enough to confirm a cloud vendor is secure?
No. A SOC 2 report confirms that an auditor examined specific controls during a specific window of time. It does not guarantee current security, and it only covers the Trust Service Criteria the vendor chose to include. A report focused only on availability and uptime, for example, may tell you nothing about how the vendor protects the confidentiality of your client data. Always read the full report, not just the vendor’s summary or badge.
What happens to my CPA firm’s client data when we cancel a cloud accounting subscription?
This depends entirely on the vendor’s contract terms, which is why you need to review them before signing. Some vendors delete data within 30 days of contract termination; others retain it for months or longer. You should confirm that you can export all data in a usable format, that the vendor will certify in writing that deletion has occurred, and that the retention period after termination aligns with your own record retention policies and your clients’ expectations.
Does the IRS require CPA firms to vet their software vendors for security?
Yes. The FTC Safeguards Rule, which applies to tax preparers under GLBA, requires firms to oversee service providers that handle client financial data. IRS Publication 4557 provides practical guidance on this requirement, including reviewing contracts to ensure appropriate data protections are in place. Firms that do not document vendor oversight as part of their written information security plan (WISP) may face compliance gaps during an IRS examination or state regulatory inquiry.
One82 provides managed IT, cybersecurity, compliance, and AI integration services exclusively for professional services firms in the San Francisco Bay Area. Schedule a 15-Minute Discovery Call to discuss your firm’s cloud vendor security posture.