SAX permits exceptions for the use of third-party platforms only in limited circumstances where the external platform is required by a government agency, regulatory body, court, taxing authority, state or municipal agency, or an approved business-to-business audit or examination process.
Exceptions are intended only for situations where SAX does not control the required platform and cannot reasonably use HubSync, Suralink, OneDrive, SharePoint, or another approved SAX system as an alternative.
Client preference, convenience, familiarity with another platform, or unwillingness to use an approved SAX portal is not a valid basis for an exception. Requests based on statements such as “the client prefers Box,” “the client does not like our portal,” or “this is faster for the client” will not be approved.
Approval of an exception does not designate the third-party platform as an approved SAX storage, collaboration, or file transfer solution. Each approval is limited to the specific requester, external organization, business purpose, data type, and access period identified in the request.
SAX and client data must continue to be exchanged, stored, and managed through approved SAX platforms unless a formal exception has been submitted, reviewed, and approved. Users may not use third-party platforms for general file storage, client convenience, personal accounts, or ad hoc document exchange.
Third-party file transfer and cloud storage services โ including Google Drive, Dropbox, Box, JungleDisk, and similar platforms โ are not approved for use on SAX equipment or for the exchange, storage, or collaboration of SAX or client data. All data exchange must occur through SAX-approved platforms: HubSync or Suralink for documents containing PII or sensitive client data; OneDrive or SharePoint for all other business data; and GFR, Axcess, or CaseWare for tax and audit workflows. Client preference, convenience, or unfamiliarity with SAX portals is not a valid reason to use a third-party platform โ and requests made on that basis will not be approved.
Tools used to connect into client environments or allow connections to SAX equipment are strictly forbidden. Examples include: Splashtop, ScreenConnect, LogMeIn, GoToMyPC, VNC, TeamViewer, Citrix, and similar remote access software.
Third-party file transfer and cloud storage services โ including Google Drive, Dropbox, Box, JungleDisk, and similar platforms โ are not approved for use on SAX equipment or for the exchange, storage, or collaboration of SAX or client data. All data exchange must occur through SAX-approved platforms: HubSync or Suralink for documents containing PII or sensitive client data; OneDrive or SharePoint for all other business data; and GFR, Axcess, or CaseWare for tax and audit workflows. Client preference, convenience, or unfamiliarity with SAX portals is not a valid reason to use a third-party platform โ and requests made on that basis will not be approved.
Tools used to connect into client environments or allow connections to SAX equipment are strictly forbidden. Examples include: Splashtop, ScreenConnect, LogMeIn, GoToMyPC, VNC, TeamViewer, Citrix, and similar remote access software.
Third-party file transfer and cloud storage services โ including Google Drive, Dropbox, Box, JungleDisk, and similar platforms โ are not approved for use on SAX equipment or for the exchange, storage, or collaboration of SAX or client data. All data exchange must occur through SAX-approved platforms: HubSync or Suralink for documents containing PII or sensitive client data; OneDrive or SharePoint for all other business data; and GFR, Axcess, or CaseWare for tax and audit workflows. Client preference, convenience, or unfamiliarity with SAX portals is not a valid reason to use a third-party platform โ and requests made on that basis will not be approved.
Tools used to connect into client environments or allow connections to SAX equipment are strictly forbidden. Examples include: Splashtop, ScreenConnect, LogMeIn, GoToMyPC, VNC, TeamViewer, Citrix, and similar remote access software.
โข SAML 2.0 โ The most common enterprise SSO standard. Uses XML-based tokens to securely pass your identity between systems.
โข OAuth 2.0 โ An authorization framework that lets the app access resources on your behalf without sharing your password.
โข OpenID Connect (OIDC) โ Built on top of OAuth 2.0, adds identity verification. Very common with modern cloud apps.
โข Other โ Some vendors use proprietary or legacy protocols. If so, please specify below.
โข Native MFA โ The application has its own built-in MFA (e.g., its own authenticator app or SMS codes).
โข Through SSO โ The application relies on Microsoftโs MFA when you sign in via SSO (this is preferred since SAX already enforces MFA through Microsoft).
โข GLBA (Gramm-Leach-Bliley Act) โ Federal law requiring financial institutions to protect the privacy and security of client financial information. This applies to most of what SAX does.
โข GDPR (General Data Protection Regulation) โ EU regulation for protecting personal data of EU citizens. Applies if the software handles any data from EU-based clients.
โข SEC / FINRA โ Securities and Exchange Commission and Financial Industry Regulatory Authority rules for recordkeeping, supervision, and data protection in wealth management.
โข SOX (Sarbanes-Oxley) โ Federal law governing financial recordkeeping and reporting. Relevant if the software handles accounting or financial reporting data.
โข IRS Publication 4557 โ IRS guidelines for safeguarding taxpayer data. Critical for any software handling tax return information.
BAA = Business Associate Agreement โ required by HIPAA when a vendor handles Protected Health Information (PHI). If this software touches any health-related data, a BAA is legally required.
The vendor must provide these documents โ ask their sales or legal team.
Documents Provided (check all attached)
๐ Upload Documents
Click or drag files here to upload
PDF, DOCX, XLSX โ Max 25MB per file
Requestor Acknowledgment
SAX permits exceptions for the use of third-party platforms only in limited circumstances where the external platform is required by a government agency, regulatory body, court, taxing authority, state or municipal agency, or an approved business-to-business audit or examination process.
Exceptions are intended only for situations where SAX does not control the required platform and cannot reasonably use HubSync, Suralink, OneDrive, SharePoint, or another approved SAX system as an alternative.
Client preference, convenience, familiarity with another platform, or unwillingness to use an approved SAX portal is not a valid basis for an exception. Requests based on statements such as “the client prefers Box,” “the client does not like our portal,” or “this is faster for the client” will not be approved. Exception approval is based on an external requirement, not user or client preference.
Approval of an exception does not designate the third-party platform as an approved SAX storage, collaboration, or file transfer solution. Each approval is limited to the specific requester, external organization, business purpose, data type, and access period identified in the request.
SAX and client data must continue to be exchanged, stored, and managed through approved SAX platforms unless a formal exception has been submitted, reviewed, and approved. Users may not use third-party platforms for general file storage, client convenience, personal accounts, or ad hoc document exchange.
Where PII, tax documents, audit evidence, or sensitive client information is involved, users must use the appropriate approved SAX system โ including HubSync, Suralink, SharePoint, OneDrive, GFR, Axcess, or CaseWare โ unless an approved exception applies.
Click or drag files here to upload
PDF, DOCX, XLSX โ Max 25MB per file
