TaxMTD
Get Started

Security

Last updated: 28 May 2026

Our Commitment#

TaxMTD handles sensitive financial data. We take security seriously and implement industry-standard protections at every layer.

Encryption#

  • In transit: All data is transmitted over TLS 1.3 (HTTPS). No exceptions.
  • At rest: Financial data is encrypted in our database. API keys, tokens, and credentials use additional application-level encryption.
  • Bank credentials: We never see or store your bank login details. Open Banking connections use FCA-regulated protocols via Plaid (FCA FRN 804718).

Authentication#

  • Two-factor authentication (2FA): Supported via TOTP authenticator apps and email OTP. Both methods can be enabled simultaneously.
  • Session management: Secure, HTTP-only cookies with CSRF protection on all mutations.
  • Rate limiting: All API endpoints are rate-limited to prevent brute force attacks.
  • Password security: Passwords are hashed using industry-standard algorithms. We never store plaintext passwords.

Infrastructure#

  • Hosting: EU-based hosting provider regulated under EU GDPR (operator identity available on request via security@taxmtd.uk)
  • Database: Managed PostgreSQL with encryption at rest and AES-256-GCM application-level encryption on sensitive fields
  • CDN / Edge: Cloudflare for DDoS protection, WAF, and edge compute (UK edge preferred for UK users)
  • Backups: Automated daily backups with point-in-time recovery
  • Monitoring: 24/7 uptime monitoring with automated alerting

AI Data Processing#

  • Data minimisation: We only send the minimum data required for each AI operation (transaction descriptions, amounts, categories). We never send bank account numbers, sort codes, or authentication credentials to AI providers.
  • No retention: AI providers (Google Gemini, Anthropic Claude, OpenAI) process data in real time and do not retain your data beyond each request.
  • Provider choice: You control which AI provider processes your data via Settings.

Application Security#

  • CSRF protection: All state-changing API calls require valid CSRF tokens
  • Input validation: All user input is validated and sanitised server-side
  • SQL injection: Prevented via parameterised queries
  • XSS protection: Content Security Policy (CSP) headers, input sanitisation
  • Security headers: HSTS, X-Frame-Options, X-Content-Type-Options enforced on all responses
  • Audit trail: All critical operations are logged with user ID, timestamp, and action details

HMRC Integration#

  • MTD API: Direct, authenticated connection to HMRC's Making Tax Digital API
  • OAuth 2.0: HMRC credentials use OAuth with token refresh - we never store HMRC passwords
  • Scoped access: We only request the minimum HMRC API scopes required for your submissions

Reporting Vulnerabilities#

If you discover a security vulnerability, please report it responsibly to security@taxmtd.uk. We aim to respond within 48 hours.

Contact#

For security questions, contact us at security@taxmtd.uk.