Tell me about the business, the owner, and the plan — I'll show you how to maximize tax savings.
Fill in the sidebar or launch from Design(k) to auto-populate. I'll analyze contribution limits, deduction strategies, SECURE 2.0 implications, and optimization opportunities specific to your entity type.
💰 TAX ANALYSIS
Deductions, credits, entity-specific strategies with IRC citations
🔒 SECURE 2.0
All 92 provisions — Roth catch-up, auto-enroll, super catch-up
🔗 (k) SUITE
Pull data from Census(k), Design(k), Intent(k), Eligibility(k)
Ask a question or select an analysis focus to see computed results, IRC citations, and contribution limit tables.
Contribution and benefit limits (2025 amounts as displayed):

Item                                | Amount   | Meaning
§415(c) annual addition             | $70,000  | DC plan total (employee + employer + forfeitures)
§402(g) elective deferral           | $23,500  | Employee 401(k) / 403(b) deferral limit
§414(v) catch-up (age 50+)          | $7,500   | Standard age 50+ catch-up
SECURE 2.0 super catch-up (60-63)   | $11,250  | Ages 60-63: greater of $10,000 or 150% of the standard catch-up
§401(a)(17) compensation limit      | $350,000 | Maximum recognizable compensation
§416 key employee                   | $230,000 | Officer compensation threshold for top-heavy determination
HCE threshold                       | $160,000 | Prior-year compensation for HCE status
§408(p) SIMPLE deferral             | $16,500  | SIMPLE IRA employee deferral limit
§408(k) SEP contribution %          | 25%      | Maximum deductible employer contribution, as a % of compensation
§415(b) DB benefit                  | $280,000 | Maximum annual defined benefit at normal retirement age
📚 IRC Citations
Citations from the conversation will appear here with links to the relevant IRC sections.
🔗 Linked Sister App Data
Enter a shared Plan ID and click "Pull Sister App Data" to load Census(k), Design(k), Intent(k), and Eligibility(k) data.
Security & Trust Center
CPA(k) · Data Protection & AI Transparency
Status: All Systems Secure (last verified: real-time)
🔒 API-First Architecture
Sidebar data stays in your browser. Only your question text and plan context are sent over TLS 1.3 to a Cloudflare Worker, which adds the Anthropic API key server-side and forwards the request to Anthropic. Anything you type into the chat travels as part of that question text. Nothing is stored, used for training, or shared. Responses render in your browser and are discarded when you close the tab.
📊 How CPA(k) Processes Your Data
Sidebar fields → Browser JS → TLS 1.3 encrypted transit → Cloudflare Worker → Claude API → Analysis rendered → Auto delete
Core Security Features
🚫 Zero Training: Your data is never used to train AI models; Anthropic's API terms guarantee this.
🔐 TLS 1.3 Encryption: All data in transit is encrypted with TLS 1.3. The API key is added server-side and is never exposed to the browser.
🗑️ Zero Data Retention: Under the zero-data-retention API terms the app runs under, Anthropic does not store inputs or outputs. The Cloudflare Worker is stateless: no database binding and no request logging in the Worker code.
👁️🗨️ No Human Review: API requests are processed automatically. No Anthropic employee sees your data unless required by law.
Compliance Certifications (provider attestations; see AI Provider and the FAQ below)
SOC 2 Type II · ISO 27001 certified · HIPAA eligible · GDPR compliant · CCPA compliant
Consumer vs Enterprise AI

Feature          | Consumer (ChatGPT, etc.) | Enterprise API (CPA(k))
Data training    | May train on inputs      | Never; contractually prohibited
Data retention   | Stored 30+ days          | Zero; not stored at all
Human review     | May be reviewed          | No human review of API data
Access controls  | Shared infrastructure    | Isolated API, dedicated key
Compliance       | Consumer ToS             | SOC 2 Type II, ISO 27001
AI Provider
Anthropic — Claude Sonnet 4 (claude-sonnet-4-20250514, via API)
SOC 2 Type II certified, ISO 27001 compliant
Zero data retention on all API calls
Data never used for model training
No human review of API inputs/outputs
Used for conversational tax analysis; all IRC/ERISA knowledge is delivered via the system prompt, not fine-tuning
💡 How CPA(k) Uses AI
CPA(k) sends your plan context (entity type, compensation, plan type) and your question to Claude via the Anthropic API. The system prompt contains the full IRC §401–§4980 and SECURE 2.0 knowledge framework. The AI's response is rendered in your browser using marked.js. No census data, SSNs, employee names, or account balances are transmitted unless you type them directly.
Secure Processing Pipeline
1. Browser (client): sidebar fields, chat input and Design(k) linked data are all processed locally in JavaScript.
2. TLS 1.3 encrypted transit: the HTTPS request carries the question text and plan context only.
3. Cloudflare Worker: a stateless proxy at cpak-ai.tony-e07.workers.dev injects the API key, forwards the request to Anthropic and returns the response. No logging, no storage.
4. Anthropic API: processes the request under enterprise terms (zero retention, zero training) and streams the response back.
5. Browser rendering: the response is parsed by marked.js and displayed in the analysis modal. marked.js does not sanitize HTML on its own, so rendered model output needs a sanitizer (DOMPurify, for example) before it is inserted into the DOM. All data is in browser memory only.
✕ Auto-delete: close the tab and all data is gone. No server-side persistence, no cookies, no localStorage.
What Data Is Sent to the AI
✓ Sent (Plan Metadata)
Entity type, compensation ranges, owner age, plan type, contribution structure, compliance status, analysis questions — general plan parameters only.
✕ Never Sent Automatically
Social Security numbers, employee names, account balances, bank information, tax returns, personal addresses, or any PII — unless you manually type it into the chat.
⚠️ Design(k) Integration: If launched from Design(k), engine results (contribution amounts, compliance test results, ABPT) are passed to CPA(k) via postMessage. This data transfers directly between browser tabs — it never touches a server. It's held in JavaScript memory and discarded when you close the page.
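A postMessage transfer is only as private as the origin checks on both ends: the sender must name the target origin so the browser drops the message if another page has navigated into that window, and the receiver must ignore messages from any origin other than the sister app and copy only the fields it expects. The following is an added example of those checks; it is not Design(k)'s or CPA(k)'s code, and the two origins, the message type and the field names (planId, contributions, tests and their keys) are assumptions chosen to illustrate the pattern.

```javascript
// Added example of a tab-to-tab postMessage handshake with origin and shape checks.
// Not the (k) Suite's code; origins, message type and field names are assumptions.

const DESIGNK_ORIGIN = "https://designk.example"; // assumed sender origin
const CPAK_ORIGIN = "https://cpak.example";       // assumed receiver origin
const PLAN_ID_RE = /^[A-Za-z0-9-]{1,64}$/;

// Sender (Design(k) side). The explicit targetOrigin makes the browser discard the
// message if the window no longer holds CPA(k); "*" would hand it to whatever is there.
function sendEngineResults(targetWindow, results) {
  targetWindow.postMessage(
    {
      type: "designk.engineResults",
      version: 1,
      planId: results.planId,
      contributions: results.contributions,
      tests: results.tests,
    },
    CPAK_ORIGIN,
  );
}

// Receiver (CPA(k) side). Returns the accepted, copied payload or null. The copy is
// field-by-field so only the expected numbers and pass/fail flags enter app state;
// anything else riding along (names, SSNs, balances) is dropped on the floor.
function acceptDesignKMessage(event, state) {
  if (event.origin !== DESIGNK_ORIGIN) return null; // any other origin is ignored
  const msg = event.data;
  if (!msg || typeof msg !== "object") return null;
  if (msg.type !== "designk.engineResults" || msg.version !== 1) return null;
  if (typeof msg.planId !== "string" || !PLAN_ID_RE.test(msg.planId)) return null;
  if (!msg.contributions || typeof msg.contributions !== "object") return null;
  if (!msg.tests || typeof msg.tests !== "object") return null;

  const contributions = {};
  for (const key of ["employeeDeferral", "employerContribution", "total"]) {
    const v = msg.contributions[key];
    if (typeof v !== "number" || !Number.isFinite(v) || v < 0) return null;
    contributions[key] = v;
  }
  const tests = {};
  for (const key of ["adp", "acp", "topHeavy"]) {
    const v = msg.tests[key];
    if (v !== "pass" && v !== "fail") return null;
    tests[key] = v;
  }
  // Held in memory only: no localStorage, no cookies, no network call.
  state.linked = { planId: msg.planId, contributions, tests };
  return state.linked;
}

// Wire the receiver up in a browser; a no-op elsewhere so the file also loads under Node.
function installDesignKListener(state) {
  if (typeof window === "undefined") return false;
  window.addEventListener("message", (event) => acceptDesignKMessage(event, state));
  return true;
}
```

Note that the receiver validates before it trusts anything, including the origin of a message that looks well-formed: a page on any other origin can call postMessage on an opened window, so the origin check is the control, and the shape check is what keeps the "never sent automatically" list honest.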
Regulatory Framework
⚖️
ERISA §404(a)
CPA(k) provides AI-assisted tax analysis grounded in IRC §401–§4980 and SECURE 2.0 to support fiduciary decision-making. It does not replace professional tax or legal advice.
📋
DOL Fiduciary Rule
Analysis is informational only. CPA(k) is a technology tool, not an investment advisor or fiduciary. All outputs include appropriate disclaimers.
🔒
DOL Cybersecurity Guidance
Follows DOL's "Tips for Hiring a Service Provider" cybersecurity framework: encrypted transit, access controls, incident response, and third-party due diligence.
🌍
GDPR / CCPA
CPA(k) itself collects, stores, or processes no personal data server-side. With no accounts and no server-side records, there is nothing for a data subject access request to retrieve from the app; text you choose to type into the chat is still transmitted to the AI provider. Anthropic maintains GDPR and CCPA compliance for API processing.
Security Controls
✓ Zero data retention — Anthropic API
✓ TLS 1.3 encryption in transit
✓ API key server-side only (Cloudflare Worker secret)
✓ No backend database or server storage
✓ CORS allowlist restricts which browser origins may call the Worker
✓ Browser-only state — no cookies, no localStorage
✓ No analytics or tracking scripts
✓ All exports generated client-side (PPTX, HTML, clipboard)
No. CPA(k) runs entirely in your browser. Sidebar fields, chat history, and Design(k) linked data are held in JavaScript memory only. When you close the tab, everything is gone. There is no server-side database, no user accounts, and no cookies.
Never. CPA(k) uses the Anthropic enterprise API, which contractually guarantees zero data training. Your inputs and outputs are not stored, reviewed, or used to improve any model.
Only your question text and plan context metadata (entity type, compensation, plan type, owner age). The system prompt containing the IRC/SECURE 2.0 knowledge framework is also sent. No SSNs, employee names, account balances, or tax returns are transmitted unless you manually type them into the chat input.
When launched from Design(k), engine results (contribution amounts, compliance test results, tax savings estimates) are passed via the browser's postMessage API. This is a direct tab-to-tab transfer — no server is involved. The data is held in JavaScript memory and discarded when either tab closes.
The Anthropic API key is stored as an encrypted secret in Cloudflare Workers. It never reaches the browser. When CPA(k) makes an API request, it goes to a Cloudflare Worker proxy which injects the key server-side before forwarding to Anthropic. The browser never sees or handles the key.
CPA(k) provides informational analysis only. It is not a substitute for a qualified CPA or tax attorney. All outputs include disclaimers. The tool is designed to help retirement plan professionals analyze plan design tax implications, not to generate filing-ready documents.
CPA(k) is part of the (k) Suite by Waivz.ai / Anvil & Spark Consulting. The platform uses Anthropic (SOC 2 Type II, ISO 27001) for AI and Cloudflare (SOC 2, ISO 27001, PCI DSS) for infrastructure. All AI processing runs under enterprise API terms with zero data retention guarantees.