Terms of ServiceVersion: June 2026

Beta Program Agreement

Effective Date: the date of Customer's signature below.

This Beta Program Agreement (the "Agreement") is entered into between Tax Alpha Solutions LLC ("Tax Alpha," "Company," "we," "us"), and the accounting or tax advisory firm identified on the signature page ("Customer," "Firm," "you"). It governs your access to and use of the Tax Alpha software platform (the "Service") during the Beta Program.

1. Definitions

  • "Service" means the Tax Alpha web application, including its document extraction, tax calculation, scenario planning, AI chat, and proposal generation features, together with any related documentation.
  • "Beta Program" means the pre-release evaluation period during which Company makes the Service available to a limited group of customers.
  • "Client Data" means any information you or your Authorized Users submit to the Service relating to your firm's clients, including uploaded tax returns, tax return information, planning inputs, goals, and notes.
  • "Authorized Users" means your employees and contractors whom you permit to access the Service under your account.
  • "Outputs" means any analysis, strategy suggestion, projection, calculation, proposal, chat response, or other material generated by the Service.
  • "DPA" means the Tax Alpha Data Processing Agreement attached to this Agreement as Exhibit A and incorporated into this Agreement.
  • "Tax Return Information" has the meaning given in Treasury Regulation section 301.7216-1(b)(3).

2. Beta License and Access

2.1 License. Subject to this Agreement, Company grants you a limited, non-exclusive, non-transferable, revocable license to access and use the Service during the Beta Term, solely for your internal business purpose of providing tax advisory services to your own clients.

2.2 Accounts. You are responsible for all activity under your account and your Authorized Users' accounts, and for keeping credentials confidential. You will notify Company promptly of any suspected unauthorized access.

2.3 Restrictions. You will not, and will not permit anyone to: (a) resell, sublicense, or provide the Service to any third party; (b) reverse engineer, decompile, or attempt to extract the source code, models, or prompts of the Service except where such restriction is prohibited by law; (c) use the Service to build a competing product; (d) probe, scan, or test the vulnerability of the Service without prior written authorization; (e) attempt to access data belonging to another firm; (f) upload data for individuals or entities that are not clients or prospective clients of your firm; or (g) use the Service to provide tax advice directly to consumers without professional review as described in Section 4.

3. Beta Nature of the Service

3.1 Pre-release software. The Service is a beta product. It is provided "AS IS" and "AS AVAILABLE." It may contain errors, may produce inaccurate results, and may be modified, suspended, or discontinued at any time with or without notice. Features available during the Beta Program may change or be removed in any commercial release.

3.2 No service levels. Company provides no uptime, support, or response-time commitments during the Beta Program, though we will make reasonable efforts to keep the Service available and to respond to issues you report.

3.3 Fees; price lock. The beta fee is $99 per month per firm, billed monthly in advance, beginning on the Effective Date. This $99 per month rate is locked in for twelve (12) months from the Effective Date. After that twelve-month period, Company's then-current general subscription rate will apply to your continued use of the Service, and Company will give you reasonable advance notice of that rate before it takes effect. Fees are nonrefundable except as stated in this Section. If Company terminates this Agreement for any reason other than your breach, Company will refund the prorated unused portion of prepaid fees.

4. Professional Responsibility; No Tax Advice

4.1 The Service is a tool, not an advisor. The Service performs document extraction, deterministic tax calculations, and AI-assisted analysis to support your professional work. The Service does not provide tax, legal, accounting, or investment advice, and no Output constitutes such advice.

4.2 Advisor review required. You acknowledge that Outputs, including AI-generated content, may be incomplete, outdated, or incorrect. You agree that a qualified professional at your firm will review and independently verify every Output before relying on it or communicating it, in whole or in part, to any client. You retain sole professional responsibility for all advice you give your clients.

4.3 Your client relationships. Nothing in this Agreement creates any relationship between Company and your clients. You are solely responsible for compliance with professional standards applicable to your practice, including AICPA standards, Treasury Circular 230, and state board of accountancy rules.

4.4 AI disclosure. You are responsible for determining whether and how to disclose your use of AI-assisted tools to your clients, consistent with your professional obligations and applicable law.

5. Client Data; Consents; Compliance

5.1 Your data, our processing. As between the parties, you own all Client Data. Company processes Client Data only as your service provider, as described in this Agreement and the DPA. If this Agreement and the DPA conflict regarding data protection, the DPA controls.

5.2 Authority and consents. You represent and warrant that you have all rights, authority, and consents required to submit Client Data to the Service, including, where required, written consents under Internal Revenue Code section 7216 and Treasury Regulation sections 301.7216-1 through -3 for the disclosure and use of Tax Return Information. You are solely responsible for your own section 7216 compliance, including determining whether consents are required and obtaining them in the form the law prescribes, and you will not upload a client's Tax Return Information until any required consent from that client has been obtained.

5.3 No training on Client Data. Company will not use Client Data to train or fine-tune any machine learning model. AI processing is performed through AWS Bedrock under terms that prohibit the model provider from using inputs or outputs for model training.

5.4 Safeguards. Company will maintain the administrative, technical, and physical safeguards described in the DPA. You remain responsible for your own obligations under the Gramm-Leach-Bliley Act, the FTC Safeguards Rule, and IRS Publication 4557, including maintaining your firm's Written Information Security Plan.

5.5 Redaction limitations. Before Client Data is analyzed by an AI model, the Service runs an automated redaction step designed to remove Social Security numbers, account numbers, and similar identifiers. You acknowledge that this redaction is automated and best-effort: it may not identify and remove every identifier in every document format, and occasional identifiers may reach the AI models. Data sent to the AI models remains protected by the safeguards in Section 5.3 and the DPA (United States processing, no retention by the model provider, and no use for model training) even when redaction is incomplete.

6. Beta Feedback and Participation

6.1 Ongoing feedback expected. The Beta Program is a collaborative evaluation. In exchange for beta access and beta pricing, you agree to provide regular and continued feedback about the Service throughout the duration of your use, including responding to reasonable requests from Company for your input, participating in feedback sessions, and reporting issues you encounter.

6.2 Discontinuation for non-participation. If at any point you stop communicating with Company or stop providing feedback, Company may discontinue your access to the Service, effective at the end of the then-current monthly term. Company will make reasonable efforts to reach you before doing so. Discontinuation under this Section is treated as a termination by Company other than for your breach for purposes of the fee refund provision in Section 3.3.

7. Confidentiality

7.1 Definition. "Confidential Information" means non-public information disclosed by one party to the other in connection with this Agreement that is designated confidential or that reasonably should be understood to be confidential, including Client Data, the Service's design and prompts, beta features, pricing, and the terms of this Agreement.

7.2 Obligations. The receiving party will: (a) use Confidential Information only to perform under or exercise rights granted by this Agreement; (b) protect it with at least the same care it uses for its own similar information, and no less than reasonable care; and (c) not disclose it to any third party except to employees, contractors, and advisors who need to know it and are bound by obligations at least as protective.

7.3 Exclusions. Confidential Information does not include information that: (a) is or becomes publicly available without breach; (b) was known to the receiving party without restriction before disclosure; (c) is independently developed without use of the disclosing party's Confidential Information; or (d) is rightfully received from a third party without restriction.

7.4 Compelled disclosure. A party may disclose Confidential Information to the extent required by law, provided it gives prompt notice (where legally permitted) and reasonable cooperation to seek protective treatment.

7.5 Beta confidentiality. The existence of specific beta features and your evaluation results are Company Confidential Information. You will not publish reviews, benchmarks, or screenshots of the Service without Company's prior written consent.

8. Feedback License

You may, but are not required to, provide suggestions, ideas, bug reports, or other feedback about the Service ("Feedback"). You grant Company a perpetual, irrevocable, worldwide, royalty-free license to use Feedback for any purpose without restriction or compensation. Feedback excludes Client Data.

9. Intellectual Property

9.1 Company retains all right, title, and interest in and to the Service, including all software, models, prompts, tax calculation logic, strategy content, and documentation, and all improvements to them. No rights are granted except as expressly stated in this Agreement.

9.2 As between the parties, you retain all right, title, and interest in Client Data and in the professional advice and deliverables you prepare for your clients, including deliverables that incorporate Outputs you have reviewed and adopted.

10. Term and Termination

10.1 Term. This Agreement begins on the Effective Date and continues until the earlier of: (a) the date Company announces the end of the Beta Program; or (b) termination under this Section (the "Beta Term").

10.2 Termination. Either party may terminate this Agreement at any time, for any reason or no reason, effective immediately upon written notice to the other party. Company may also suspend access immediately, without terminating, where reasonably necessary to address a security risk or a suspected violation of Section 2.3, and may discontinue access for non-participation as described in Section 6.2.

10.3 Effect of termination. On termination or expiration: (a) your license ends and you will stop using the Service; (b) on your written request made within 30 days, Company will provide an export of your Client Data in a reasonable machine-readable format; and (c) Company will delete Client Data within 60 days as described in the DPA. Sections 4, 5.2, 6, 7, 8, 9, 10.3, 11, 12, and 13 survive.

11. Disclaimers

EXCEPT AS EXPRESSLY STATED IN THIS AGREEMENT, THE SERVICE AND ALL OUTPUTS ARE PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. COMPANY DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, NON-INFRINGEMENT, ACCURACY, AND ANY WARRANTY ARISING FROM COURSE OF DEALING OR USAGE OF TRADE. COMPANY DOES NOT WARRANT THAT THE SERVICE WILL BE UNINTERRUPTED, ERROR-FREE, OR SECURE; THAT OUTPUTS WILL BE ACCURATE, COMPLETE, OR CURRENT WITH RESPECT TO TAX LAW; OR THAT THE AUTOMATED PII REDACTION DESCRIBED IN SECTION 5.5 WILL REMOVE EVERY IDENTIFIER FROM EVERY DOCUMENT. TAX LAW CHANGES FREQUENTLY; OUTPUTS REFLECT THE TAX YEAR CONFIGURATIONS DESCRIBED IN THE SERVICE'S DOCUMENTATION AND MAY NOT REFLECT RECENT CHANGES.

12. Limitation of Liability; Indemnity

12.1 Exclusion of damages. TO THE MAXIMUM EXTENT PERMITTED BY LAW, NEITHER PARTY WILL BE LIABLE FOR ANY INDIRECT, INCIDENTAL, SPECIAL, CONSEQUENTIAL, OR PUNITIVE DAMAGES, OR FOR LOST PROFITS, LOST REVENUE, OR LOSS OF DATA, ARISING OUT OF OR RELATED TO THIS AGREEMENT, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

12.2 Cap. TO THE MAXIMUM EXTENT PERMITTED BY LAW, EACH PARTY'S TOTAL AGGREGATE LIABILITY ARISING OUT OF OR RELATED TO THIS AGREEMENT WILL NOT EXCEED THE TOTAL FEES PAID OR PAYABLE BY CUSTOMER TO COMPANY IN THE TWELVE (12) MONTHS PRECEDING THE EVENT GIVING RISE TO LIABILITY.

12.3 Exceptions. The limitations in Sections 12.1 and 12.2 do not apply to: (a) a party's breach of Section 7 (Confidentiality); (b) Customer's breach of Sections 2.3 (Restrictions) or 5.2 (Authority and Consents); (c) a party's indemnification obligations under Section 12.4; or (d) liability that cannot be limited under applicable law.

12.4 Customer indemnity. You will defend and indemnify Company against third-party claims, including claims by your clients or regulators, to the extent arising from: (a) your or your Authorized Users' use of Outputs without the professional review required by Section 4.2; (b) your breach of Section 5.2, including any failure to obtain required section 7216 consents; or (c) your violation of professional standards or applicable law.

12.5 Acknowledgment. The parties agree that this Section 12 reflects a reasonable allocation of risk for a low-cost pre-release evaluation product, and that Company would not offer the Beta Program without it.

13. General

13.1 Governing law; venue. This Agreement is governed by the laws of the State of California, without regard to conflict-of-laws rules. The parties consent to exclusive jurisdiction and venue in the state and federal courts located in San Francisco County, California.

13.2 Assignment. Neither party may assign this Agreement without the other party's prior written consent, except Company may assign it in connection with a merger, acquisition, or sale of substantially all assets.

13.3 Notices. Notices must be in writing and sent to support@taxalpha.us (for Company) or the Customer email on the signature page (for Customer). Notices are deemed given one business day after email transmission with no bounce.

13.4 Independent contractors; no third-party beneficiaries. The parties are independent contractors. There are no third-party beneficiaries to this Agreement; in particular, your clients are not third-party beneficiaries.

13.5 Force majeure. Neither party is liable for delay or failure caused by events beyond its reasonable control.

13.6 Entire agreement; amendments. This Agreement, together with the DPA (Exhibit A), is the entire agreement between the parties regarding the Beta Program and supersedes all prior or contemporaneous agreements on that subject. Amendments must be in writing and signed by both parties.

13.7 Severability; waiver. If any provision is unenforceable, it will be modified to the minimum extent necessary, and the remainder will remain in effect. A waiver is effective only if in writing.

Signature Page

Tax Alpha Solutions LLC

Signature: Name: Title:
Date:

CUSTOMER (Firm)

Firm legal name:

Signature: Name: Title:

Email for notices: Date:

Exhibit A: Tax Alpha Data Processing Agreement

This Data Processing Agreement ("DPA") is entered into between Tax Alpha Solutions LLC ("Tax Alpha" or "Company"), and the firm identified in the Beta Program Agreement ("Customer" or "Firm"). This DPA is attached as Exhibit A to, and incorporated into, the Beta Program Agreement between the parties (the "Agreement"). It governs Company's processing of Customer Data in connection with the Tax Alpha service (the "Service").

1. Definitions

  • "Customer Data" means all data Customer or its authorized users submit to the Service, including Client Personal Information.
  • "Client Personal Information" means information within Customer Data that identifies or relates to an identifiable individual, including Customer's clients and their dependents, and includes "nonpublic personal information" as defined under the Gramm-Leach-Bliley Act ("GLBA") and "tax return information" as defined in Treasury Regulation section 301.7216-1(b)(3).
  • "Process" / "Processing" means any operation performed on Customer Data, including collection, storage, analysis, disclosure, and deletion.
  • "Subprocessor" means a third party engaged by Company to Process Customer Data on Company's behalf.
  • "Security Incident" means a confirmed unauthorized access to, or acquisition, use, disclosure, alteration, or destruction of, Customer Data on systems managed by Company or its Subprocessors. Good-faith access by Company personnel, and unsuccessful attempts such as blocked attacks, port scans, or failed logins, are not Security Incidents.

2. Roles and scope of processing

2.1 Roles. Customer is the controller of (and, under the CCPA, the "business" with respect to) Client Personal Information; Company Processes it solely as Customer's service provider and processor. Customer is responsible for the accuracy and lawfulness of the Customer Data it submits, including obtaining any consents required by Internal Revenue Code section 7216 and applicable privacy laws.

2.2 Permitted purposes. Company will Process Customer Data only:

  • (a) to provide, maintain, secure, and support the Service;
  • (b) to improve and develop the Service, including diagnosing and fixing errors, testing, and evaluating and improving the accuracy of the Service's document extraction, redaction, and tax calculation features;
  • (c) as instructed by Customer through the Service's features;
  • (d) as required by law (in which case, where legally permitted, Company will notify Customer before disclosure); and
  • (e) as otherwise documented in the Agreement.

When Processing Customer Data for the improvement purposes in clause (b), Company will: use redacted or de-identified data wherever practicable; limit access to personnel who need it for that work; never disclose Client Personal Information to any third party (other than the Subprocessors in Annex C acting on Company's behalf); and never expose one customer's Customer Data to another customer.

Company will not: sell Customer Data; use it for advertising or marketing to any person; or disclose it except as described in this DPA.

2.3 No model training. Company will not use Customer Data to train or fine-tune any machine learning model. Company will use AI infrastructure only under terms that prohibit the infrastructure provider from retaining Customer Data beyond transient processing or using it for model training. As of the Effective Date, AI inference is performed via AWS Bedrock, whose service terms provide these protections.

2.4 De-identified data. Company may use data that has been aggregated or de-identified such that it cannot reasonably identify Customer, any client, or any individual, for purposes of operating and improving the Service. Company will not attempt to re-identify such data and will require the same of any recipient.

2.5 GLBA service-provider status. The parties acknowledge that Customer may be a "financial institution" under GLBA and the FTC Safeguards Rule (16 C.F.R. Part 314) and that Company receives Client Personal Information as Customer's service provider. Company agrees to: (a) maintain the safeguards described in Section 4 and Annex B; (b) use Client Personal Information only as described in Section 2.2, consistent with the exceptions in 16 C.F.R. sections 313.14 and 313.15; and (c) on Customer's reasonable request (no more than annually), provide written confirmation or summaries sufficient for Customer to meet its service-provider oversight obligations under 16 C.F.R. section 314.4(f).

3. Confidentiality of processing

Company will ensure that personnel authorized to Process Customer Data are bound by written confidentiality obligations, are trained on data handling, and access Customer Data only as needed for the purposes in Section 2.2. Company restricts production data access to a need-to-know basis and logs administrative access.

4. Security measures

4.1 Company will maintain administrative, technical, and physical safeguards appropriate to the sensitivity of tax return information, including no less than the measures described in Annex B. Company may update Annex B from time to time, provided the updates do not materially reduce the overall protection of Customer Data during the term.

4.2 Customer is responsible for: maintaining the confidentiality of its users' credentials; appropriately managing which personnel have access; the security of its own systems and networks; and its own regulatory programs, including its Written Information Security Plan under IRS Publication 4557 and the FTC Safeguards Rule.

5. Subprocessors

5.1 Authorization. Customer authorizes the Subprocessors listed in Annex C. Company will impose data protection obligations on each Subprocessor that are no less protective than this DPA and remains responsible for Subprocessors' performance.

5.2 Changes. Company will give Customer at least 15 days' written notice (email suffices) before adding or replacing a Subprocessor that will Process Client Personal Information. If Customer reasonably objects on data protection grounds and the parties cannot resolve the objection, Customer may terminate the Agreement and this DPA without penalty.

6. Security Incident notification

6.1 Company will use best efforts to notify Customer of a Security Incident promptly, and without undue delay, after confirming it. Notification will be sent to the Customer email designated in the Agreement and will include, to the extent known: the nature and scope of the incident, the categories and approximate volume of affected data and clients, measures taken or planned, and a Company contact.

6.2 Company will: investigate the incident; take reasonable steps to mitigate and remediate; provide timely updates as material information develops; and reasonably cooperate with Customer's own notification obligations. Customer acknowledges that it, as the tax professional, is responsible for any notifications it must make to its clients, the IRS (including IRS Stakeholder Liaison reporting for tax professionals), state tax agencies, and state regulators; Company will provide information reasonably needed for those reports.

6.3 Company's notification of a Security Incident is not an admission of fault or liability.

7. Assistance with individual rights requests

If Company receives a request from an individual (for example, a firm client) seeking access to, correction of, or deletion of their personal information, Company will not respond substantively (except to direct the individual to the Customer) and will promptly forward the request to Customer. Company will provide reasonable assistance, through the Service's features or otherwise, to help Customer respond to such requests where Customer cannot fulfill them on its own.

8. Audits and information requests

No more than once per year (or following a Security Incident), Customer may submit a reasonable written security questionnaire or request for documentation about Company's safeguards, and Company will respond within 30 days. On-site or technical audits are not provided during the Beta Program.

9. Data return and deletion

9.1 During the term. Customer can delete clients, returns, and individual records through the Service. Deleted records are removed from the production database; residual copies in encrypted backups are purged in the ordinary course of backup rotation, and in no event later than 90 days after deletion.

9.2 End of term. On termination or expiration of the Agreement: (a) on Customer's written request made within 30 days, Company will provide an export of Customer Data in a reasonable machine-readable format; and (b) Company will delete Customer Data within 60 days of termination, except to the extent retention is required by law, in which case the retained data remains protected by this DPA for as long as it is retained.

9.3 Certification. On written request, Company will confirm completion of deletion in writing.

10. Term, precedence, and miscellaneous

10.1 This DPA takes effect on the effective date of the Agreement and continues for as long as Company Processes Customer Data.

10.2 If this DPA conflicts with the Agreement regarding the protection of Customer Data, this DPA controls.

10.3 Liability under this DPA is subject to the limitations of liability in the Agreement, except as the Agreement expressly provides otherwise.

10.4 This DPA is governed by the same law and venue as the Agreement.

Annex A: Description of Processing

ItemDescription
Subject matterTax return analysis, tax planning scenario modeling, and proposal generation for Customer's clients
DurationTerm of the Agreement plus the wind-down period in Section 9
Nature and purposeDocument text extraction and OCR; PII redaction; AI-assisted analysis of redacted text; deterministic tax calculation; storage and display of results to Customer's authorized users; diagnosis and improvement of the Service per Section 2.2(b)
Categories of individualsCustomer's clients and prospective clients; their spouses and dependents; Customer's authorized users
Categories of dataTax return information (income, deductions, credits, filing status, entity ownership); identifiers appearing on tax documents (names, SSNs, EINs, addresses, dates of birth, account numbers), which are field-encrypted at rest, with identifiers such as SSNs and account numbers also redacted before AI processing; planning inputs, goals, and advisor notes; account and usage data for Customer's users
Sensitive dataSocial Security numbers and financial data inherent in tax returns; handled per Annex B

Annex B: Security Measures

  1. Access control. Single sign-on enforced via Cloudflare Access (identity-provider-backed) in production, with the application refusing to start if authentication is misconfigured; per-firm data isolation enforced in the application layer on every data route; no cross-firm data access paths.
  2. Encryption in transit. TLS for all connections between users and the Service and between the Service and Subprocessors.
  3. Encryption at rest. Database-level encryption at rest via hosting provider; additional field-level encryption (Fernet, AES-128-CBC with HMAC) for sensitive columns, including extracted tax data, notes, and client identifiers.
  4. PII redaction. Automated redaction of SSNs, EINs, emails, phone numbers, bank routing and account numbers, dates of birth, and similar identifiers before any text is sent to an AI model. Raw unredacted text is not persisted. Redaction is automated and may not catch every identifier in every document format; any residual identifiers remain protected by the encryption, access controls, United States processing, and no-training commitments described in this DPA.
  5. Document handling. Upload validation (file type and size checks), randomized storage filenames, original unredacted PDFs deleted after extraction; the copy retained for in-app preview is visually redacted, with identifiers masked, including in the hidden form-field layer of fillable PDFs.
  6. AI processing boundaries. AI inference via AWS Bedrock; no Customer Data used for model training; OCR for scanned documents via AWS Textract within Company's AWS account; all Processing within the United States.
  7. Logging and monitoring. Application audit logging of data access and modification events; rate limiting; standard security headers (HSTS, CSP, X-Frame-Options, and others).
  8. Software lifecycle. Changes are reviewed and run through an automated test suite covering security-relevant behaviors (authentication, per-firm scoping, encryption) before deployment.
  9. Personnel. Confidentiality obligations for all personnel with production access; production access restricted to a small number of named individuals during the Beta Program.
  10. Backups and recovery. Managed, encrypted database backups through the hosting provider, purged on the rotation schedule described in Section 9.1.

Annex C: Authorized Subprocessors

SubprocessorServiceLocation
Amazon Web Services, Inc.AI model inference (Bedrock), OCR for scanned documents (Textract), knowledge-base document storage (S3)United States
Railway Corp.Application and database hostingUnited States
Cloudflare, Inc.Authentication (Cloudflare Access), network securityUnited States