Fexyn

VPN for tax preparers: IRS WISP and where VPN fits

Fexyn Team · 8 min read

The IRS requires every paid tax preparer to maintain a Written Information Security Plan (WISP). The requirement comes from the Gramm-Leach-Bliley Act's Safeguards Rule (15 U.S.C. § 6801) as enforced by the FTC, plus IRS Publication 4557 and Form W-12 (PTIN application). The IRS started actively checking for WISP compliance during EFIN reviews around 2022; non-compliance can produce IRS sanctions and a real liability exposure if a data breach happens.

VPN use is a listed safeguard in IRS Publication 4557 and the IRS's WISP template. Most tax preparers reading this already know they need a WISP; the question is what their VPN actually has to do for compliance to be defensible.

This is not legal or tax advice. We are a VPN company writing about how our product fits into a posture you should validate with a compliance professional.

What the WISP actually requires

A WISP must address the security of taxpayer data across the practice. The IRS template (in Publication 4557 and on irs.gov) lists categories that must be covered:

  • Designated Information Security Coordinator. A named person responsible for the plan.
  • Risk assessment. Identifying foreseeable internal and external risks.
  • Customer information at rest. How data is stored on physical and electronic media.
  • Customer information in transit. How data moves between you, clients, the IRS, software vendors. This is where VPN appears.
  • Access controls. Who can access what data, how authentication is implemented.
  • Service providers. Third parties (cloud, software, contractors) who touch the data.
  • Detection of attacks. Monitoring for unauthorised access.
  • Incident response. What happens when something goes wrong.
  • Annual review and update.

The IRS calls out VPN specifically in Publication 4557:

"Use a Virtual Private Network (VPN) to securely conduct business from any location, particularly when working remotely."

That is one sentence in a multi-page document. VPN is one safeguard among many. The WISP audit checklist treats it as expected, not optional.

Where a VPN fits in the WISP

Concretely, a VPN addresses three categories from the WISP template:

1. Information in transit, public network. Tax preparers working from home networks, coffee shops, hotel rooms, conference Wi-Fi, or client locations move taxpayer data over networks the preparer does not control. A VPN encrypts this transit. WISP defensibility for non-private-network work generally requires a VPN.

2. Remote access to firm systems. A preparer accessing the firm's tax software, document management, or shared drive from outside the office uses a remote-access path. A VPN tunnels that path. Most tax software (UltraTax, ProSeries, Lacerte, Drake) recommends VPN for remote access in their own security guidance.

3. IRS e-file connections. When transmitting returns to the IRS through your tax software's e-file pipeline, the data moves over the public internet. The IRS's own infrastructure is TLS-encrypted, but the path from your network to the public internet is your responsibility. A VPN adds another encryption layer over the IRS's TLS layer.

What a VPN does not cover

A WISP-compliant posture needs more than just a VPN:

Document storage encryption. Tax data stored on your laptop, in the cloud, or on a NAS needs encryption at rest. A VPN does not provide this.

Authentication. Strong unique passwords. Multi-factor authentication on tax software, email, document management. The IRS specifically requires MFA on tax software accounts; most major tax-prep platforms now enforce it.

Endpoint security. Current OS. Current antivirus. Conservative software install policy. Tax preparers are a high-value target for tax fraud; endpoint compromise is the main attack vector.

Email security. End-to-end encrypted email (or a secure document portal) for transmitting client documents. Regular email is encrypted in transit between mail servers but is not end-to-end encrypted.

Physical security. Locked offices, locked devices, screen privacy.

Service provider compliance. Your cloud document storage's compliance posture. Your tax software vendor's compliance posture. The IRS requires you to verify that service providers meet equivalent standards.

Incident response and breach notification. What you do when something goes wrong. State laws differ on what constitutes a breach and when notification is required.

Annual training. The Safeguards Rule requires staff training. Documentation of training matters during an IRS review.

A WISP that says "we use a VPN" and treats the VPN as the whole compliance posture is not defensible. A WISP that documents VPN use as one of multiple layered safeguards, with all the categories above addressed, is defensible.

Tax season seasonality

The relevant compliance moment for most tax preparers is January through April. During those months, the data-handling volume is high, the time pressure is high, and the temptation to cut corners is highest. A WISP audit during EFIN review is most likely to land in this window.

Practical implications:

  • Have the VPN already installed and tested before tax season starts. Setting up a new VPN in March, while running 80-hour weeks of returns, is the wrong time.
  • Document the VPN's role in your WISP. Vendor name, what it provides, when it is required to be active.
  • If you have remote staff or contractors, make sure their VPN setup is consistent. Inconsistent staff configurations are an audit finding.
  • Test the kill switch. A VPN that drops mid-session and lets traffic exit unencrypted defeats the compliance safeguard. Fexyn's kill switch (Windows Filtering Platform-based, blocks at the kernel level) is meaningful here because it prevents unencrypted traffic from leaving your machine when the VPN drops.
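
One way to run the kill-switch test above and keep the result for the WISP file, as an added example (not Fexyn's code or tooling). `IP_ECHO_URL` is a placeholder for an IP-echo endpoint you trust, and the function names and sample addresses are assumptions made for illustration:

```python
import time
import urllib.request

# Assumption: an HTTPS endpoint you trust that returns the caller's public IP
# as plain text. The URL below is a placeholder, not a real service.
IP_ECHO_URL = "https://ip-echo.example.invalid/"


def probe(url=IP_ECHO_URL, timeout=3.0):
    """Return the public IP the outside world sees, or None if traffic is blocked."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.read().decode("ascii", "replace").strip()
    except OSError:  # URLError, timeouts and resets all derive from OSError
        return None


def collect(seconds=60, interval=2.0, probe_fn=probe):
    """Probe repeatedly while you interrupt the VPN by hand (e.g. toggle Wi-Fi)."""
    samples = []
    deadline = time.monotonic() + seconds
    while time.monotonic() < deadline:
        samples.append((time.strftime("%H:%M:%S"), probe_fn()))
        time.sleep(interval)
    return samples


def evaluate(samples, vpn_exit_ips):
    """Classify a run: LEAK if any probe got out with a non-VPN address."""
    leaks = [(ts, ip) for ts, ip in samples
             if ip is not None and ip not in vpn_exit_ips]
    blocked = sum(1 for _, ip in samples if ip is None)
    if leaks:
        verdict = "LEAK"
    elif blocked == 0:
        verdict = "INCONCLUSIVE"  # the tunnel never dropped, nothing was tested
    else:
        verdict = "PASS"
    return {"verdict": verdict, "blocked": blocked, "leaks": leaks}


# Constructed sample runs (documentation-range addresses, not real captures).
VPN_EXIT = {"203.0.113.10"}
GOOD_RUN = [("09:00:00", "203.0.113.10"), ("09:00:02", None),
            ("09:00:04", None), ("09:00:06", "203.0.113.10")]
LEAKY_RUN = [("09:00:00", "203.0.113.10"), ("09:00:02", "198.51.100.7"),
             ("09:00:04", "203.0.113.10")]

if __name__ == "__main__":
    for name, run in (("good", GOOD_RUN), ("leaky", LEAKY_RUN)):
        print(name, evaluate(run, VPN_EXIT))
```

For a live run, call `evaluate(collect(), {...})` with the exit address you see while connected, and interrupt the connection during the probe window. A run with no blocked probes is reported as inconclusive rather than as a pass.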

Where Fexyn fits, honestly

Fexyn provides the encryption-in-transit safeguard. That covers one specific WISP category. We are appropriate for:

  • Solo tax preparers and small firms (under ~5 preparers) handling their own setup
  • Tax preparers who travel during the off-season or work from non-firm locations
  • Practices where the VPN is one safeguard in a layered posture, not the whole posture

Where Fexyn does not pretend to cover the whole WISP:

  • We do not provide tax software
  • We do not provide document storage with audit trail
  • We do not provide MFA infrastructure for your tax software
  • We do not provide endpoint security
  • We do not provide a centralised business tier with compliance reporting; for firms wanting that level of administrative control, NordLayer or Perimeter81 are better fits

Pricing detail relevant to tax preparers: we offer crypto-only billing as an option (some tax preparers prefer to keep recurring software costs off their primary business card), card billing as the default, and Tier 1 pricing for US users at $9.99/month. The 7-day free trial does not require a card.

The W-12 question

Form W-12 (Application for Preparer Tax Identification Number renewal) asks whether the preparer has a WISP. The honest answer matters. Misstatement on the W-12 is its own problem distinct from any data-breach problem.

Having a WISP that documents your safeguards (including VPN) is the path that lets you answer truthfully. A WISP can be a 4-page document for a solo preparer or a 40-page document for a multi-office firm. The IRS template in Publication 4557 is a reasonable starting point.

Frequently asked

Is a VPN required by the IRS?

Not literally. The IRS Safeguards Rule and Publication 4557 require "reasonable" safeguards proportional to your data volume and risk. VPN is explicitly recommended for remote and non-private-network work. Whether your specific situation requires a VPN is a determination you make, but for almost any preparer who works from anywhere other than a single secured office network, the answer is yes.

Is a free VPN okay for tax compliance?

We do not recommend it. Free VPNs have a long history of data-collection issues. The compliance posture you are trying to maintain is "encryption in transit with a trustworthy provider"; a free VPN that monetises user data does not satisfy the second part. Reputable paid VPNs (Fexyn, ProtonVPN, NordVPN, Mullvad, IVPN) are appropriate.

Do I need a separate VPN for each preparer in my firm?

Each device that handles taxpayer data should run a VPN when on a non-private network. Most VPN providers (including Fexyn) sell per-account subscriptions that allow multiple device installations. For a small firm, one subscription per preparer (covering their work laptop and phone) is standard.

What about cloud-based tax software (TaxAct, TurboTax for professionals, online versions)?

Cloud tax software runs in the vendor's data centre. Your connection to it is over the public internet. The vendor's compliance posture covers their side; your VPN covers your side of the connection. Both layers are needed.

Will the VPN slow down e-filing?

A bit. Tax software's e-file submissions are small data transfers; the VPN's overhead is negligible for these. Long-running document transfers from cloud storage will be slightly slower with VPN active, but not noticeably.

What if I forget to turn the VPN on during a remote session?

A WISP audit will not catch a single instance of a forgotten VPN. A pattern of the VPN not running might. Use auto-connect features (Fexyn supports "always-on" VPN per device). Document the policy in the WISP. Train staff on it.


Try Fexyn free for 7 days: Tier 1 pricing for US users, $9.99/month. The "How to choose a VPN" guide covers the broader buying decision; "Kill switch explained" covers the kernel-level kill switch that matters for compliance.

Last reviewed 2026-05-09. Not legal or tax advice; validate with your compliance reviewer.
