KeptPDF
Open App
For tax preparers, CPAs & bookkeepers

Tax-prep PDF tools that satisfy IRS Pub 4557.

Client data stays on your machine. Where the IRS expects it to be.

Try KeptPDF free Drop into your WISP

The two rules behind every preparer audit.

The IRS and the FTC both require a written, current, vendor-aware security plan.

IRS Publication 4557 & FTC Safeguards Rule (16 CFR Part 314)

A tax preparer must develop, implement, and maintain a Written Information Security Program (WISP) that includes administrative, technical, and physical safeguards appropriate to the size and complexity of the firm and the sensitivity of the information.

The post-2023 FTC Safeguards Rule strengthened the WISP requirement, mandating a named Qualified Individual, encryption at rest and in transit, and an inventory of all data flows including third-party vendors. Cloud-uploading PDFs of client returns expands that inventory — every vendor you add is one more entry to document, audit, and notify around.

The penalty stack on a single leaked return.

IRS preparer penalties

Disclosure or use of taxpayer info without consent triggers IRC §6713 (civil) and §7216 (criminal). Up to $1,000 per occurrence or one year imprisonment.

FTC fines

Post-2023 Safeguards Rule strengthening expanded enforcement. Violations can compound: civil penalties plus mandatory third-party assessments for years afterward.

State CPA board sanctions

State boards of accountancy issue independent sanctions including license suspension. Many states require breach reporting separate from IRS.

Built for tax season.

PII / SSN / EIN redaction

Sanitize work papers before sharing with partner firms or seasonal staff. Pattern-aware redaction catches SSNs, EINs, bank account numbers, and routing numbers.

Bank statement parser Q4 2026

PDF to Excel for Chase, BofA, Wells, Stripe receipts and the major card processors. All parsing on-device.

Metadata scrub

Remove embedded "Last saved by" stamps from prior preparer software, hidden author names, and Adobe revision history.

No upload = simpler WISP

Your data-flow inventory doesn't grow when you process PDFs locally. One fewer vendor row, one fewer breach vector, one fewer audit finding.

Drop-in for your WISP.

A pre-written one-page statement you can paste into your firm's existing Written Information Security Program.

The FTC Safeguards Rule and IRS Pub 4557 both want to see, in writing, exactly how each vendor in your stack handles client data. KeptPDF's entry is short: "KeptPDF processes PDFs entirely within the preparer's browser. No PHI, PII, or return data is transmitted to or stored on KeptPDF servers. No BAA or data processing agreement is required because KeptPDF does not receive client data."

We provide a one-page vendor statement (PDF) you can attach to your WISP at renewal. It documents our architecture, lists the JavaScript libraries we load, and references the third-party security review (scheduled Q3 2026).

Pricing.

Premium

$19/mo
  • For solo preparers
  • Every PDF tool, unlimited
  • PII / SSN redaction
  • Files up to 500 MB
Start 14-day trial
For small firms

Business

$29/seat/mo
  • Everything in Premium
  • Batch processing
  • WISP vendor statement
  • Priority support
  • Bank statement parser when shipped
Start 14-day trial

See what does — and doesn't — leave your browser.

Verify it yourself