How exposed is your firm?

Answer a few questions to see your FTC and IRS compliance obligations, state breach notification deadlines, and what documentation you need.

Free compliance calculator

What you do not know about your compliance obligations.

Answer 4 simple questions about your firm. No compliance knowledge is needed; we will show you the specific obligations you may not know about.

No signup required. Instant results. No data stored.

Important compliance notice

Think you are too small?
Think again.

FTC and IRS requirements apply to all tax preparers who handle client data, regardless of firm size or client count.

Myth

"I only have 200 clients, so the FTC Safeguards Rule does not apply to me."

Fact

The 5,000 threshold (FTC 16 CFR 314.6, counted as consumers whose information you hold, not clients or files) exempts only four items: the written form of the risk assessment, annual penetration testing and vulnerability assessments, the written incident response plan, and the Qualified Individual's annual written report. Every other element of the Safeguards Rule, including the written information security program itself, applies to every firm.

Requirement | Citation | Small (<5K) | Large (5K+)

Written Incident Response Plan (IRP) | FTC 16 CFR 314.4(h) | Exempt under FTC 16 CFR 314.6 | Required
Annual IRP Review and Updates | FTC 16 CFR 314.4(h)(7) | Exempt under FTC 16 CFR 314.6 | Required (the rule requires revision after any security event; an annual review is the recommended cadence)
Written Information Security Policy (WISP) | FTC 16 CFR 314.3(a) and 314.4; IRS Pub 4557 | Required | Required
Annual Risk Assessment *1 | FTC 16 CFR 314.4(b) | Required (written form exempt under 314.6) | Required, in writing
Employee Security Training | FTC 16 CFR 314.4(e) | Required | Required
Service Provider Oversight (Vendor Management) | FTC 16 CFR 314.4(f) and IRS Pub 4557 | Required | Required
Secure Data Disposal Procedures | FTC 16 CFR 314.4(c)(6) | Required | Required

Technical and operational controls

Multi-Factor Authentication (MFA) | FTC 16 CFR 314.4(c)(5) | Required | Required
Access Controls and Least Privilege | FTC 16 CFR 314.4(c)(1) | Required | Required
Annual Penetration Testing | FTC 16 CFR 314.4(d)(2) | Exempt under FTC 16 CFR 314.6 | Required unless you run effective continuous monitoring (plus vulnerability assessments at least every six months)
Qualified Individual (QI) *2 | FTC 16 CFR 314.4(a) | Required | Required

*1 Risk Assessment: Firms holding information on fewer than 5,000 consumers are exempt only from the written form of the risk assessment (FTC 16 CFR 314.6 exempts 314.4(b)(1)). The information security program must still be based on a risk assessment under 314.4(b), and documenting it is strongly recommended. Without one, your firm will not identify compliance gaps or know which safeguards under 314.4(c) need attention first.

*2 Qualified Individual: All firms, regardless of size, must designate a Qualified Individual to oversee their information security program (FTC 16 CFR 314.4(a)). This can be the firm owner, an office manager, or any designated person, and a vCISO or formal CISO title is not required. However, for larger firms or those seeking expert guidance, engaging a vCISO is recommended to help manage compliance complexity and ensure proper governance.

Free assessment

Could your firm survive a data breach?

Walk through a realistic breach scenario and see your firm's readiness score, state-specific obligations, and FTC exposure in 3 minutes.

Take the Breach Readiness Quiz

No signup required. Instant results. 3 minutes.

Your firm size does not exempt you from core compliance.

Kompflow helps firms of all sizes meet these requirements, from solo practitioners to multi-partner firms.

Kompflow WISP $499 first year. Starter $249/mo. Professional $499/mo.

Ready when you are

Pick where to start.

Buy the WISP yourself if you need the document.
Talk to us if you want the platform.

30-day money-back on Kompflow WISP. Cancel anytime. No setup fees on any tier.
