TL;DR
- We capture every PACT Act data field on every order and generate filing-ready monthly reports per state.
- 50-state OTP rates and filing schedules are tracked. Reports regenerate automatically when a state changes its rate.
- Age verification is BYO (Persona, Veriff, AgeChecker.net). We orchestrate the flow; PII stays with the verification vendor.
- Tobacco license tracking with expiry alerts at 90, 60, and 30 days. No surprise letters from a state department of revenue.
- Boxpress provides the tools and the records. You are still responsible for filing on time and operating lawfully in your jurisdictions.
Cigar businesses operate under one of the heaviest regulatory loads in US retail. Federal PACT Act reporting, state-by-state OTP excise taxes that change without much warning, age verification that has to actually work, federal TTB permits, state tobacco licenses with renewal deadlines, carrier-specific shipping rules. Boxpress was built to carry that load with you, not to hand it back as a spreadsheet. This page summarizes how the platform handles each area, and where the line between "Boxpress provides the tools" and "you are responsible for the filing" falls.
1. PACT Act Reporting
The Prevent All Cigarette Trafficking Act requires anyone shipping cigarettes or smokeless tobacco across state lines to file monthly reports with each state into which they ship, and to register with state and federal authorities. Cigars and pipe tobacco fall under state tobacco-shipping rules that mirror the PACT Act framework in most jurisdictions.
1.1 What Boxpress captures on every order
- Buyer full name and shipping address
- Age-verification record (provider, verification ID, timestamp)
- Shipping carrier (USPS / UPS / FedEx) and tracking number
- Product details (SKU, vitola, ring gauge, pack quantity, weight, taxable category)
- Sale price and order timestamp
- State and locality of origin and destination
- Adult-signature confirmation (where required by state or carrier)
1.2 Reports
The platform generates filing-ready monthly reports per state from the admin UI. Reports include the data fields each state expects, in the formats most states accept (CSV, fixed-width text, or PDF summary depending on jurisdiction). You download, review, and file. We update the report templates when a state changes its required format.
1.3 Your role
You are responsible for: registering your business with each state you ship into, registering with the US Attorney General, filing the generated reports on time (typically by the 10th of the month following the reporting period), and any back-and-forth with state tax authorities. We give you the data; you submit the filing.
2. State Other Tobacco Products (OTP) Excise Tax
Every US state with an OTP excise tax is tracked in the platform with its current rate, calculation basis (manufacturer price, wholesale price, or retail price), and filing schedule. The platform calculates OTP tax on every order, line by line, and aggregates totals per state per filing period.
- Coverage: all 50 states plus DC, with local jurisdictions where applicable.
- Rate basis: manufacturer / wholesale / retail (varies by state) applied automatically based on the destination address.
- Filing schedules: monthly, quarterly, or annual depending on state and your registered status.
- Rate updates: when a state changes its OTP rate, the platform picks up the new rate within 30 days of the effective date and regenerates affected reports for the current filing period.
- Filing-ready reports per state per period, downloadable as CSV or state-specific format.
We do not file your taxes for you. We do not represent you to state revenue departments. We give you the calculation and the submittable report.
3. Age Verification
Cigar and tobacco sales in the United States are restricted to buyers age 21 or older. Boxpress orchestrates age verification through your account with one of the supported providers.
- BYO providers: Persona, Veriff, AgeChecker.net. You sign your own contract with the verification provider; Boxpress integrates.
- Flow: customer at checkout is redirected to the verification provider, completes verification (typically driver's license capture + selfie/match), and the platform receives a signed callback with timing-safe HMAC verification.
- PII stays with the vendor: driver's license images and other identity documents are stored by the verification provider, not by Boxpress. We store only the verification result, the provider transaction ID, and a reusable token.
- Reusable verification: returning customers do not have to re-verify on every order; the token is used to confirm prior verification.
- Checkout gate: unverified customers cannot complete checkout for restricted products. The gate is enforced server-side.
- Audit log: every verification attempt and result is recorded against the order for audit-readiness.
Because you bring your own verification provider, you are the data controller for the PII collected during verification. Boxpress is not the data controller for those flows.
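The callback handling described in this section, as an added sketch (not Boxpress's code and not any provider's real API): it checks the HMAC in constant time, rejects stale callbacks, keeps only the result, transaction ID and token, and gates checkout server-side. The signing scheme, field names and replay window are assumptions.

```python
import hashlib
import hmac
import json
import time

MAX_SKEW_SECONDS = 300  # assumed replay window; not a value from the page
KEEP_FIELDS = ("status", "transaction_id", "token")  # hypothetical field names


def sign(secret, timestamp, raw_body):
    """Hypothetical scheme: hex HMAC-SHA256 over '<timestamp>.<raw body>'."""
    msg = timestamp.encode() + b"." + raw_body
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def verify_callback(secret, timestamp, signature_hex, raw_body, now=None):
    """Return the minimal verification record, or None if the callback is rejected."""
    now = time.time() if now is None else now
    try:
        if abs(now - int(timestamp)) > MAX_SKEW_SECONDS:
            return None  # stale or future-dated: treat as a replay
    except (TypeError, ValueError):
        return None
    expected = sign(secret, timestamp, raw_body)
    # compare_digest takes time independent of where the two values differ
    if not hmac.compare_digest(expected.encode(), str(signature_hex).encode()):
        return None
    # Parse only after the signature over the exact raw bytes has been checked.
    try:
        payload = json.loads(raw_body)
    except ValueError:
        return None
    if not isinstance(payload, dict) or not all(k in payload for k in KEEP_FIELDS):
        return None
    # Allowlist: any identity data the provider echoed back is dropped here.
    return {k: payload[k] for k in KEEP_FIELDS}


def may_checkout(record, cart_has_restricted_items):
    """Server-side gate: restricted carts need an approved verification record."""
    approved = record is not None and record.get("status") == "approved"
    return (not cart_has_restricted_items) or approved

# Constructed sample callback (not real provider output)
SECRET = b"constructed-test-secret"
BODY = json.dumps({"status": "approved", "transaction_id": "txn_0001",
                   "token": "tok_0001", "date_of_birth": "1980-01-01"}).encode()
TS = "1700000000"
SIG = sign(SECRET, TS, BODY)
```

The signature is computed over the raw request bytes, so the handler must read the body before any framework re-serializes it.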
4. Federal TTB Permits
If you manufacture or import tobacco products, you need a federal Tobacco Tax and Trade Bureau permit. Boxpress stores your TTB permit details (encrypted at rest with AES-256-GCM) against your install with renewal date. Permit numbers and supporting documents are accessible to your authorized administrators only and never appear in plaintext in the database.
5. State Tobacco Licenses
- Tobacco license storage per state, encrypted at rest, with renewal date.
- Expiry alerts via email (and SMS for Scale-tier customers) at 90, 60, and 30 days out.
- Audit-ready listing of active licenses by state, downloadable as PDF for state inspections or carrier audits.
- Renewal-status field tracks pending renewals so a license never quietly lapses.
6. Carrier and Shipping Rules
Shipping integrations (USPS, UPS, FedEx, EasyPost, ShipStation, Pirate Ship) honor PACT Act and state-specific carrier rules:
- Adult signature required for tobacco shipments where the law requires it.
- Restricted destinations (states or zip codes you cannot ship to) are blocked at label generation.
- Carrier-specific tobacco endorsements are applied where required.
- The platform will not let you generate a non-compliant label.
7. COPPA and Marketing to Minors
The Children's Online Privacy Protection Act prohibits collecting personal information from children under 13. Boxpress does not market to minors. Tenant installs must enforce 21+ at the age gate (per Section 3 above). The marketing site does not knowingly collect data from anyone under 18 and includes the age gating expected of a tobacco-adjacent service.
8. CAN-SPAM and Marketing Email
Marketing email sent through Proof Points (or Resend) on tenant installs is CAN-SPAM compliant out of the box:
- One-click unsubscribe link in every marketing message.
- RFC 8058 List-Unsubscribe headers.
- Inbound STOP / UNSUBSCRIBE replies processed automatically and propagated across email and SMS channels.
- Physical mailing address required in the email footer.
- Sender identification: the tenant's business name, not "Boxpress."
For SMS, TCPA opt-in language is enforced at signup and STOP handling is automatic.
9. What Boxpress Does Not Do
- We do not file your taxes for you.
- We do not represent you to state or federal regulators.
- We do not give legal advice on whether a particular product is permitted in a particular jurisdiction.
- We do not warrant that our compliance modules eliminate regulatory risk. The cigar regulatory landscape changes; we keep up; we will not catch every change on every day.
We give you the data, the reports, the audit trail, and the alerting. You and your accountant or attorney make the call on what to file, when to file it, and which jurisdictions you operate in.
10. Security and Audit Posture (Compliance-Adjacent)
Per-tenant Postgres database isolation. AES-256-GCM encryption at rest on sensitive fields including tobacco license numbers, EIN, and TTB permit details. TLS 1.3 minimum in transit. Argon2id password hashing. Per-tenant rotating magic-link secrets for support access. Daily backups with 30-day retention. Annual external penetration testing. Internal red-team audits ongoing (most recent surfaced 35 issues across 7 pillars; all Critical and High findings resolved within 24 hours). SOC 2 Type 1 in progress, target Q3 2026; Type 2 target Q1 2027. Full technical detail in the Data Protection Policy.
11. Disclaimer
The information on this page is provided for general guidance only and does not constitute legal, tax, or regulatory advice. Cigar industry regulation varies by state and changes over time. Boxpress provides tools to help you operate lawfully; final responsibility for permit compliance, lawful operation, tax filings, and regulatory representation rests with you and your professional advisors.
12. Contact
Compliance and product questions: [email protected]
Legal: [email protected]
Mailing: Boxpress LLC, [STREET], [CITY], [STATE] [ZIP], United States
Both addresses currently route to [email protected].
Last updated: 2026-05-04