Version: 1.7.3

Encryption

The TaxBandits Drop-In UI uses end-to-end encryption to protect all sensitive data involved in W-9/W-8 collection. This ensures that recipient information, form configuration, and request payloads remain secure throughout the entire flow—independent of transport-level security such as TLS.

Why this matters

When using Drop-In UI, sensitive data such as TINs, names, and addresses should never be exposed to your frontend or browser environment.

TaxBandits handles encryption in a way that:

Prevents exposure of sensitive data in browser DevTools
Secures all request and response payloads
Ensures data cannot be intercepted or reused

How encryption works

TaxBandits uses a hybrid encryption model:

RSA (asymmetric encryption) → Secures key exchange
AES-256 (symmetric encryption) → Encrypts actual data payloads

This approach combines strong security with high performance.

Where encryption is applied in the Drop-In flow

Encryption is enforced across every stage of the Drop-In lifecycle:

1. Transient Token Generation

You generate a JWS and request a transient token
The token is short-lived (~15 minutes) and scoped to the allowed domains
No recipient data is included in the token

Outcome: Secure, time-bound access to the Drop-In session

2. Form Initialization (LoadFormW9)

Your application passes the transient token
TaxBandits encrypts all configuration (e.g., PayeeRef, UI options, TIN matching settings)
Returns a secure Drop-In URL for embedding

Outcome: Configuration is encrypted and never exposed in plaintext

3. Form Rendering (Iframe)

The Drop-In UI loads within a secure iframe
Decryption occurs server-side
Recipient data is captured directly by TaxBandits

Outcome: Sensitive inputs never pass through your frontend

4. Submission & Notifications

Form submission is processed securely
Status updates are delivered via webhook or messaging
Sensitive fields are masked or controlled based on your configuration

Outcome: You receive only necessary data, without exposing full PII

What is protected

Encryption covers:

Form configuration (e.g., PayeeRef, UI settings)
Recipient inputs (TIN, name, address, classification)
Embedded iframe context and session data

Sensitive values are not exposed in network requests or browser logs.

Key security characteristics

Confidentiality: Data is encrypted and unreadable without private keys
Integrity: AES-GCM ensures payloads cannot be tampered with
Ephemeral keys: New encryption keys are generated per request
Replay protection: Each request uses unique initialization vectors
Isolation from frontend: Your application never handles raw sensitive data
TLS-independent security: Data remains protected even beyond transport encryption

Implementation considerations

No additional encryption logic is required on your side
All encryption is handled automatically within the Drop-In flow
Ensure proper handling of:
- Transient token lifecycle
- Allowed domains (frame-ancestors)
- Webhook consumption for secure status updates

W-9/W-8 Automation

1099 Automation

TIN Matching

W-2 Automation

941/940 Automation

1098-T Automation

ACA Automation

Extension Automation

1042-S Automation

Supported Forms

Gig Software

Payroll Software

Affiliate Software

HOA Software

Reselling Platform

HCM Providers

Property Management

Healthcare Market Research Platforms

Encryption

Why this matters​

How encryption works​

Where encryption is applied in the Drop-In flow​

1. Transient Token Generation​

2. Form Initialization (LoadFormW9)​

3. Form Rendering (Iframe)​

4. Submission & Notifications​

What is protected​

Key security characteristics​

Implementation considerations​