SECURITY & PRIVACY

Your tax data deserves more than a padlock icon

We handle National Insurance Numbers, HMRC OAuth tokens, and quarterly tax submissions. Here is precisely what we do — and do not do — to protect that data.

AES-256-GCM encryption at rest

HMRC OAuth tokens, your National Insurance Number, and bank OAuth credentials are each encrypted with domain-isolated keys before they touch the database. Separate keys limit blast radius if any one key is ever compromised.

HMRC OAuth — your password never leaves HMRC

We connect to HMRC via the official OAuth 2.0 authorisation flow. You log in on HMRC's own website. We receive a scoped access token — never your Government Gateway password — and you can revoke access at any time via HMRC's Manage Authorised Applications.

Encrypted credential storage throughout

HMRC tokens, bank tokens, NINOs, and organisation database connection strings are all stored encrypted. The schema enforces this with explicit column naming conventions so plaintext storage is structurally blocked for sensitive fields.

AUTH CONTROLS

Multi-factor authentication built in

TOTP-based MFA (authenticator app) is available on every account. Once enabled, your 6-digit code is required alongside your password. Sessions are time-limited and sign-out is enforced server-side.

  • TOTP authenticator app support

  • Backup codes for account recovery

  • Role-based access: owner, admin, member

  • Email verification required before dashboard access

  • Admin RBAC enforced server-side on every request

[Screenshot: Making Tax Digital dashboard showing secure authenticated workspace]

DATA ARCHITECTURE

What we store, what we encrypt, what we never touch

National Insurance Number

Stored with AES-256-GCM encryption under a dedicated NINO_ENCRYPTION_KEY, isolated from HMRC token encryption. Never logged, never in URLs, never transmitted in plaintext.

HMRC OAuth tokens

Access and refresh tokens stored encrypted under a separate HMRC_TOKEN_ENCRYPTION_KEY. Auto-refreshed before expiry via background jobs. Token expiry warnings sent at 30 and 7 days.

Open Banking credentials

TrueLayer OAuth tokens encrypted under BANK_TOKEN_ENCRYPTION_KEY. Bank account sort codes and account numbers encrypted at rest. Consent expiry tracked and enforced.

[Screenshot: Audit log showing every transaction change with timestamps]

AUDIT & ACCOUNTABILITY

Every change is logged. Every submission is traceable.

The audit log records every transaction categorisation, exclusion, edit, and HMRC submission with the user, timestamp, and IP address. If a question ever arises about what was submitted to HMRC and why, you have a clear, timestamped record.

  • Transaction-level change history (who, what, when)

  • HMRC submission events with correlation IDs

  • Accessible under your account menu — always available

  • Protects you if a submission discrepancy is ever disputed

INFRASTRUCTURE

Built on verified infrastructure, not roll-your-own

Content Security Policy

CSP headers restrict which scripts, frames, and connections the application can make — limiting the impact of any injected content. X-Frame-Options, X-Content-Type-Options, and Strict-Transport-Security are all enforced.

Rate limiting on sensitive endpoints

HMRC OAuth initiation, authentication endpoints, and feedback routes are rate-limited. Distributed rate limiting prevents credential stuffing even across serverless instances.
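An added Node.js example of the rate limiting described above (not the product's own code). The page says state is shared across serverless instances; the example models that with a store whose only operation is an atomic increment-with-TTL, the shape of Redis `INCR` plus `EXPIRE`, and substitutes an in-memory store so it runs offline. The route list, the numeric limits, and the choice to count both the source IP and the target account are constructed for the example.

```javascript
// Store contract: incr(key, ttlSeconds) atomically increments `key`, starting it at 1
// with the given TTL if absent or expired, and returns the new count. In production this
// is a store shared by every instance; MemoryStore stands in for it here.
class MemoryStore {
  constructor(clock) {
    this.clock = clock; // () => unix seconds, injected so time can be controlled
    this.entries = new Map();
  }

  incr(key, ttlSeconds) {
    const now = this.clock();
    const entry = this.entries.get(key);
    if (!entry || entry.expiresAt <= now) {
      this.entries.set(key, { count: 1, expiresAt: now + ttlSeconds });
      return 1;
    }
    entry.count += 1;
    return entry.count;
  }
}

// Per-route policies (constructed values; the page names the route classes, not numbers).
const POLICIES = {
  '/auth/login': { max: 5, windowSeconds: 60 },
  '/auth/mfa': { max: 5, windowSeconds: 60 },
  '/hmrc/oauth/start': { max: 3, windowSeconds: 300 },
  '/feedback': { max: 10, windowSeconds: 3600 },
};

// Fixed-window counter keyed by route, subject and window start. Each subject
// ("ip:..." and "user:...") has its own counter and the request is allowed only if none
// is over the limit, so spreading attempts across source IPs still hits the per-account cap.
function checkRateLimit(store, clock, route, subjects) {
  const policy = POLICIES[route];
  if (!policy) return { allowed: true, remaining: Infinity, retryAfter: 0 };
  const now = clock();
  const windowStart = Math.floor(now / policy.windowSeconds) * policy.windowSeconds;
  const retryAfter = windowStart + policy.windowSeconds - now;
  let allowed = true;
  let remaining = policy.max;
  for (const subject of subjects) {
    const key = `rl:${route}:${subject}:${windowStart}`;
    const count = store.incr(key, policy.windowSeconds);
    if (count > policy.max) allowed = false;
    remaining = Math.min(remaining, Math.max(0, policy.max - count));
  }
  return { allowed, remaining, retryAfter };
}

// Handler wrapper: the limit is applied before any credential is looked up, and a
// blocked request gets a 429 with Retry-After rather than a password check.
function guarded(store, clock, route, handler) {
  return (req) => {
    const subjects = [`ip:${req.ip}`];
    if (req.body && req.body.email) subjects.push(`user:${req.body.email.toLowerCase()}`);
    const verdict = checkRateLimit(store, clock, route, subjects);
    if (!verdict.allowed) {
      return { status: 429, headers: { 'Retry-After': String(verdict.retryAfter) }, body: 'rate limited' };
    }
    return handler(req);
  };
}
```

Keying the counter on the window start rather than on the first request is deliberate: every instance computes the same key for the same second, so concurrent instances converge on one counter without coordination beyond the atomic increment.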

Row-level security on tenant data

Database-level row security is enforced on key tables so an application-layer query error cannot leak one landlord's financial data to another. Org context is verified on every request.

HMRC fraud prevention headers

Every HMRC API call includes the full suite of Gov-Client-* and Gov-Vendor-* fraud prevention headers required by HMRC's MTD specification — device ID, connection method, browser plugins, and more.

OPEN BANKING

Bank connections are read-only and consent-bound

Open Banking access via TrueLayer is read-only — we can see your transactions, but we cannot move money. Consent has a defined expiry date. You receive reminders at 30, 7, and 1 day before expiry, and you can disconnect at any time from within the app.

  • Read-only access — no payment initiation

  • Consent expiry tracked and enforced automatically

  • Bank OAuth tokens encrypted under a separate key

  • Disconnect at any time from Bank Accounts settings

[Screenshot: Bank accounts connection screen showing connected account]

UK GDPR

Your rights under UK data protection law

Right of access

You can request a copy of all personal data we hold — your profile, NINO (masked), properties, transactions, and submissions — at any time.

Right to rectification

Update your name, National Insurance Number, and contact details directly in Settings. Profile data is under your control without raising a support request.

Right to erasure

Account deletion is available from the Settings Danger Zone. This triggers the removal of your credentials, tokens, and personal data in accordance with our documented retention policy.

To exercise any data rights or to ask questions about how your information is handled, email sf-core-org-support-making-tax-digital@saas-factory.ai — full details are in our Privacy Policy and Register of Processing Activities.


Security questions, answered plainly

Ready to file with confidence?

Connect your letting agent, categorise your transactions, and submit your quarterly HMRC return — knowing your credentials and financial data are protected at every step.

Questions? Email sf-core-org-support-making-tax-digital@saas-factory.ai