Security
Last updated: 4 April 2026
Our Commitment
TaxMTD handles sensitive financial data. We take security seriously and implement industry-standard protections at every layer.
Encryption
- In transit: All data is transmitted over TLS 1.3 (HTTPS). No exceptions.
- At rest: Financial data is encrypted in our database. API keys, tokens, and credentials use additional application-level encryption.
- Bank credentials: We never see or store your bank login details. Open Banking connections use FCA-regulated protocols via Plaid.
Authentication
- Two-factor authentication (2FA): Supported via TOTP authenticator apps and email OTP. Both methods can be enabled simultaneously.
- Session management: Secure, HTTP-only cookies with CSRF protection on all mutations.
- Rate limiting: All API endpoints are rate-limited to prevent brute-force attacks.
- Password security: Passwords are hashed using bcrypt. We never store plaintext passwords.
Infrastructure
- Hosting: Directus Cloud with managed PostgreSQL database
- CDN: Cloudflare for DDoS protection, WAF, and edge caching
- Backups: Automated daily backups with point-in-time recovery
- Monitoring: 24/7 uptime monitoring with automated alerting
AI Data Processing
- Data minimisation: We only send the minimum data required for each AI operation (transaction descriptions, amounts, categories). We never send bank account numbers, sort codes, or authentication credentials to AI providers.
- No retention: AI providers (Google Gemini, Anthropic Claude, OpenAI) process data in real time and do not retain your data beyond each request.
- Provider choice: You control which AI provider processes your data via Settings.
Application Security
- CSRF protection: All state-changing API calls require valid CSRF tokens
- Input validation: All user input is validated and sanitised server-side
- SQL injection: Prevented via parameterised queries (Directus ORM)
- XSS protection: Content Security Policy (CSP) headers, input sanitisation
- Security headers: HSTS, X-Frame-Options, X-Content-Type-Options enforced on all responses
- Audit trail: All critical operations are logged with user ID, timestamp, and action details
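As an added example (not TaxMTD's own code), the following Node.js check verifies that a response carries the hardening headers listed above and the Secure/HttpOnly cookie flags mentioned under Session management. The sample header sets are constructed for illustration; the one-year HSTS threshold and the rejection of 'unsafe-inline' in script-src are assumptions, not statements from this page.

```javascript
// Added example (not TaxMTD's code): check that an HTTP response carries the
// hardening headers and session-cookie flags this page lists. Header names are
// compared case-insensitively; thresholds below are assumptions.
const MIN_HSTS_MAX_AGE = 31536000; // assumed minimum: one year, in seconds

// Normalise a headers object to lowercase keys; Set-Cookie may be an array
// (as in Node's http.IncomingMessage) or a single string.
function normalise(headers) {
  const out = {};
  for (const [k, v] of Object.entries(headers)) out[k.toLowerCase()] = v;
  return out;
}

// Returns a list of findings; an empty array means every check passed.
function checkSecurityHeaders(rawHeaders) {
  const h = normalise(rawHeaders);
  const findings = [];

  // HSTS: present, with a max-age of at least the assumed minimum.
  const hsts = h['strict-transport-security'];
  if (!hsts) {
    findings.push('missing Strict-Transport-Security');
  } else {
    const m = /max-age=(\d+)/i.exec(hsts);
    if (!m || Number(m[1]) < MIN_HSTS_MAX_AGE) {
      findings.push('HSTS max-age below ' + MIN_HSTS_MAX_AGE);
    }
  }

  // Clickjacking: X-Frame-Options must be DENY or SAMEORIGIN.
  const xfo = (h['x-frame-options'] || '').toUpperCase();
  if (!['DENY', 'SAMEORIGIN'].includes(xfo)) {
    findings.push('X-Frame-Options not DENY/SAMEORIGIN');
  }

  // MIME sniffing: X-Content-Type-Options must be nosniff.
  if ((h['x-content-type-options'] || '').toLowerCase() !== 'nosniff') {
    findings.push('X-Content-Type-Options not nosniff');
  }

  // CSP: present, and script-src must not allow inline scripts (assumed rule).
  const csp = h['content-security-policy'];
  if (!csp) {
    findings.push('missing Content-Security-Policy');
  } else if (/script-src[^;]*'unsafe-inline'/i.test(csp)) {
    findings.push("CSP script-src allows 'unsafe-inline'");
  }

  // Session cookies: every Set-Cookie must carry Secure, HttpOnly and SameSite.
  const cookies = [].concat(h['set-cookie'] || []);
  for (const c of cookies) {
    const name = c.split('=')[0];
    for (const flag of ['Secure', 'HttpOnly', 'SameSite']) {
      const re = new RegExp('(^|;)\\s*' + flag + '(=|;|$)', 'i');
      if (!re.test(c)) findings.push(`cookie ${name} lacks ${flag}`);
    }
  }
  return findings;
}

// Constructed sample responses: one hardened, one with typical gaps.
const GOOD = {
  'Strict-Transport-Security': 'max-age=63072000; includeSubDomains; preload',
  'X-Frame-Options': 'DENY',
  'X-Content-Type-Options': 'nosniff',
  'Content-Security-Policy': "default-src 'self'; script-src 'self'",
  'Set-Cookie': ['session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax'],
};
const WEAK = {
  'X-Frame-Options': 'ALLOWALL',
  'X-Content-Type-Options': 'nosniff',
  'Content-Security-Policy': "default-src *; script-src 'self' 'unsafe-inline'",
  'Set-Cookie': 'session=abc123; Path=/',
};

console.log('hardened:', checkSecurityHeaders(GOOD)); // []
console.log('weak:', checkSecurityHeaders(WEAK));     // six findings
```

To run this against a live response, pass the `headers` object from Node's `http.request` callback (where `set-cookie` is already an array); the function only reports gaps and never modifies the response.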
HMRC Integration
- MTD API: Direct, authenticated connection to HMRC's Making Tax Digital API
- OAuth 2.0: HMRC credentials use OAuth 2.0 with token refresh; we never store HMRC passwords
- Scoped access: We only request the minimum HMRC API scopes required for your submissions
Reporting Vulnerabilities
If you discover a security vulnerability, please report it responsibly to security@taxmtd.co.uk. We aim to respond within 48 hours.
Contact
For security questions, contact us at security@taxmtd.co.uk.