Security at TaxMate

TaxMate holds the kind of information a bank holds — income, tax references, identity documents. We believe you deserve to know exactly how it's protected, in plain English.

Mandatory two-step login

Every account — client, accountant, or administrator — must set up an authenticator app before seeing any data. There are no exceptions and no way to opt out.

UK data residency

Your records are stored in a London (UK) data centre. Files and documents live in encrypted storage in the same region.

Encryption, twice over for the crown jewels

All data is encrypted in transit (TLS) and at rest. Your UTR and National Insurance number are additionally encrypted at the application level with AES-256, so even direct database access reveals only the last four digits.

The database enforces who sees what

Access rules live inside the database itself (row-level security), not just in the app. A client can only ever read their own records; an accountant only their assigned clients. Even a bug in the app cannot leak another person's rows.

Sensitive data requires a verified session

Tables holding tax references and documents refuse to answer unless the request comes from a session that passed two-step verification — enforced by the database, not the interface.
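
One way the two database-level rules above (own-records-only access and the verified-session requirement) can be expressed, shown as an added example and not TaxMate's own code. It assumes PostgreSQL; every table, column, function and setting name is hypothetical.

```sql
-- Added example: PostgreSQL assumed, all names hypothetical.
-- Assumption: trusted server code sets app.user_id and app.mfa_verified per
-- transaction from the verified login session. A role that can run arbitrary
-- SQL could set them itself, so the app role must never execute untrusted SQL.
CREATE TABLE assignments (
    accountant_id uuid NOT NULL,
    client_id     uuid NOT NULL,
    PRIMARY KEY (accountant_id, client_id)
);

CREATE TABLE tax_records (
    id        bigserial PRIMARY KEY,
    client_id uuid NOT NULL,
    utr_last4 char(4),
    utr_enc   bytea              -- ciphertext produced by the application
);

ALTER TABLE tax_records ENABLE ROW LEVEL SECURITY;
ALTER TABLE tax_records FORCE ROW LEVEL SECURITY;   -- table owner is filtered too
-- Superusers and roles with BYPASSRLS still skip policies; the app role has neither.

CREATE FUNCTION current_app_user() RETURNS uuid LANGUAGE sql STABLE AS
$$ SELECT nullif(current_setting('app.user_id', true), '')::uuid $$;

CREATE FUNCTION session_has_mfa() RETURNS boolean LANGUAGE sql STABLE AS
$$ SELECT coalesce(current_setting('app.mfa_verified', true), '') = 'true' $$;

-- RESTRICTIVE: ANDed with every other policy, so no verified session means no rows.
CREATE POLICY require_mfa ON tax_records AS RESTRICTIVE FOR ALL
    USING (session_has_mfa());

-- Permissive policies are ORed: a row is visible if either one matches.
CREATE POLICY client_reads_own ON tax_records FOR SELECT
    USING (client_id = current_app_user());

CREATE POLICY accountant_reads_assigned ON tax_records FOR SELECT
    USING (EXISTS (SELECT 1 FROM assignments a
                   WHERE a.accountant_id = current_app_user()
                     AND a.client_id = tax_records.client_id));

-- Per-request usage by the server; the third argument (true) scopes each
-- setting to this transaction only. The UUID is a constructed sample value.
BEGIN;
SELECT set_config('app.user_id', '00000000-0000-0000-0000-000000000001', true);
SELECT set_config('app.mfa_verified', 'true', true);
SELECT id, utr_last4 FROM tax_records;
COMMIT;
```

Because no permissive policy exists for INSERT, UPDATE or DELETE, those commands are denied to the app role by default.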

Tamper-proof audit trail

Every sensitive action — a document viewed, data exported, a return status changed — is recorded in an append-only log that cannot be edited or deleted through the application.

Card details never touch us

Payments run entirely through Stripe. We never see, store, or transmit your card number.

Least-privilege by design

Administrative access is audited, service credentials never ship to the browser, and secrets are kept out of the codebase entirely.

Before public launch

We are currently in private beta. Before opening to the public, TaxMate will undergo an independent penetration test and pursue Cyber Essentials certification — and we'll publish that status here. Honesty about where we are matters more to us than badges.

Found a vulnerability?

Tell us privately at hello@jjplatformstudio.de and we'll respond quickly, fix it, and credit you if you'd like. We will never take action against good-faith security research.