Security Policy
Taxteq is a secure online information exchange service provided by Taxteq Limited.
Taxteq provides the best available security for your data. Taxteq uses strong encryption when data is transmitted and stored, our server systems are secured and regularly audited, and all processes are backed by internal security policies.
Our security infrastructure and policies are compliant with the PCI-DSS standard, a benchmark normally applied to systems that process credit card transactions online. Taxteq applies this high standard to all stored data.
Deployments And Data Centres
We provide Taxteq as a fully managed "Software as a Service" offering, with independent multi-tenant deployments in 5 jurisdictions:
Jurisdiction | IaaS Provider | Physical Location |
UK, EU, AU and US | AWS | London, Dublin, Sydney, North Virginia respectively |
Channel Islands | Calligo | Jersey & Guernsey, within Sure International data centres. |
UK, EU, AU And US Deployments
We use private cloud facilities from AWS. We use automated scripts to create and manage our server environments, ensuring that firewalls are correctly installed and that the Taxteq application is configured and updated correctly.
Channel Islands Deployment
The Sure facilities in Jersey and Guernsey are Tier 3 data centres. Each provides multiple redundant internet connections, uninterruptible power supplies backed by gas turbine generators, fully logged proximity card access and CCTV monitoring. We contract with Calligo, in its capacity as an IaaS provider, which manages hardware within these two data centres. Calligo personnel have no operational involvement in the Taxteq application other than to maintain the IaaS platform and external network.
For our Channel Islands data centres, we route network traffic through AWS in London, where we operate a layer 3 reverse proxy that directs traffic to Jersey and Guernsey. Note that this traffic remains encrypted throughout its time in AWS: SSL/TLS connections are unbroken between our clients' browsers and SSL/TLS termination in Jersey/Guernsey, with the AWS infrastructure performing the role of routing the encrypted traffic. The use of AWS enables a degree of DDoS protection through AWS Shield. We intend to add application-level features (such as temporary IP blocks that are pushed upstream) to provide more granular protection.
Data Handling
Taxteq handles all documents, document and folder names, internal messages, questions and answers from the Q&A module, entity names and properties, names and details of financial accounts and transaction details, and data stored in custom tables (collectively “data”) as follows:
1. Encrypted Transit
256-bit SSL/TLS encryption is employed for all communications, protecting data from being read while it is travelling across the internet. This is industry standard and the same technology used by online banking facilities.
2. Encrypted Storage
Taxteq encrypts data before storing it to disk using an AES-256 cipher with a randomly generated, room-specific key. That key is itself encrypted using the passwords of each user that you authorise. None of the encryption keys or user passwords are retained by Taxteq.
Therefore, sensitive data is only readable to authorised users using their respective passwords. Taxteq administrators have no special access, and even a thief in possession of a stolen server would not be able to recover your data without the correct passwords.
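A minimal sketch of the key-wrapping scheme described above, added here as an illustration and not Taxteq's code. The page does not state the key-derivation function, cipher mode or storage layout, so scrypt, AES-256-GCM, the `record` structure and all function names are assumptions.

```javascript
// Added illustration, not Taxteq's code. scrypt and AES-256-GCM are assumed choices.
const { randomBytes, scryptSync, createCipheriv, createDecipheriv } = require('node:crypto');

// AES-256-GCM encrypt; returns iv (12) || tag (16) || ciphertext as one buffer.
function seal(key, plaintext) {
  const iv = randomBytes(12);
  const c = createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([c.update(plaintext), c.final()]);
  return Buffer.concat([iv, c.getAuthTag(), ct]);
}

// Reverse of seal(); throws if the key is wrong or the blob was modified.
function unseal(key, blob) {
  const d = createDecipheriv('aes-256-gcm', key, blob.subarray(0, 12));
  d.setAuthTag(blob.subarray(12, 28));
  return Buffer.concat([d.update(blob.subarray(28)), d.final()]);
}

// Create a room: one random 256-bit room key, wrapped once per authorised user
// under a key derived from that user's password. Only `record` is persisted.
function createRoom(userPasswords) {
  const roomKey = randomBytes(32);
  const wrapped = {};
  for (const [user, password] of Object.entries(userPasswords)) {
    const salt = randomBytes(16);
    const kek = scryptSync(password, salt, 32); // key-encryption key, never stored
    wrapped[user] = { salt, blob: seal(kek, roomKey) };
  }
  return { roomKey, record: { wrapped, docs: [] } };
}

// Recover the room key from the stored record using one user's password.
function unlock(record, user, password) {
  const entry = record.wrapped[user];
  if (!entry) throw new Error('user not authorised for this room');
  return unseal(scryptSync(password, entry.salt, 32), entry.blob);
}

// Constructed sample users, passwords and document.
function demo() {
  const { roomKey, record } = createRoom({ alice: 'constructed-pass-A', bob: 'constructed-pass-B' });
  record.docs.push(seal(roomKey, Buffer.from('Q3 return draft')));
  // From here on only `record` is used: it holds no plaintext key or password.
  const viaBob = unseal(unlock(record, 'bob', 'constructed-pass-B'), record.docs[0]).toString();
  let wrongPasswordRejected = false;
  try { unlock(record, 'bob', 'guess'); } catch { wrongPasswordRejected = true; }
  return { viaBob, wrongPasswordRejected };
}
```

In this sketch a password change only requires re-wrapping the 32-byte room key for that user; the room's documents are not re-encrypted.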
Encryption Standards
We regularly review available encryption technology and the emergence of any potential weaknesses in the techniques employed by Taxteq to ensure that Taxteq is secure.
AES-256 is a widely used cipher that is currently considered to be secure. No practical weaknesses in the cipher have been found (and Taxteq's use of AES-256 does not permit the related key attacks that have been found to affect AES-256). An effort to find a 256 bit key by brute force would take billions of years using available technology.
Taxteq’s use of the SSL/TLS protocol for encrypting data in transit follows industry best practice and is the best available option for securing transactions on the internet. We periodically upgrade the selection of cipher suites accepted by our webservers, balancing the need for security with the need for compatibility with the browsers and devices used by our customers and their clients. We remain aware of the possibility of SSL/TLS weaknesses being discovered and react swiftly when appropriate.
How Does Taxteq Protect Against:
1. Eavesdropping
Taxteq protects against eavesdropping by using industry standard SSL/TLS encryption, which applies from end to end (i.e. from our secured servers in the nominated jurisdiction to the browser of the user accessing the service). No intermediate services (such as proxy services) have visibility of this traffic in an unencrypted form.
2. Physical Attacks on Taxteq Servers
Taxteq servers are housed in secured data centres, restricting physical access to authorised personnel. Data stored on these servers is encrypted, rendering it unreadable in the event of unauthorised physical access to our servers.
3. Remote Attacks on Taxteq Servers
Taxteq servers are protected by two independent layers of firewalls and are monitored for unusual activity. Further, Taxteq’s application and database software layers are isolated from one another and strictly locked down, limiting the scope of any external attack. Finally, as information in each Taxteq room is encrypted separately, a weakness in the Taxteq software itself cannot result in data being revealed from any room to which an attacking user does not know the relevant key or user password.
4. Attacks on User Machines, eg. Viruses and Keyloggers
Taxteq does not provide any defence against attacks on the machine that the user is using to log in. For example, if an attacker is able to install software that captures keystrokes and screenshots, that software may be able to capture an authorised user’s Taxteq password and use it to log in to Taxteq.
This vulnerability is not unique to Taxteq – such a capture program or virus could allow regular emails to be read or any communication to be intercepted. The best defence is to use a quality virus scanner and to regularly upgrade your operating system and browser software. Taxteq does scan uploaded documents for known viruses and quarantines any infected files that it finds, and does record an audit trail of user access, which can be used to identify but not prevent unauthorised user access.
5. Modification of the Taxteq software to weaken security
We monitor the consistency and authenticity of the Taxteq software on our servers to ensure that the security provided by Taxteq is not weakened or compromised by authorised or unauthorised modifications to the software itself.
6. Legal action
At present, Taxteq's home jurisdiction of Jersey has no law that would require us to divulge or assist in the decryption of data from the Taxteq system. However, this situation could change. If we are ordered under a future Jersey law or court order, we may be compelled to weaken the security of the Taxteq software in such a way that causes subsequent interactions by one or more users with Taxteq to be disclosed. It is probable in such a circumstance that we will be unable to inform you. In practical terms, it would be much easier for interested authorities to demand information directly from you (or a user that is authorised to read the data), either through regulatory or law enforcement channels.
Monitoring Assurance
This security statement is backed by Taxteq's internal security policies, which mandate:
- Comprehensive application and network security with access controls
- Intrusion and anomaly detection systems to identify policy violations
- Detailed access logs to enable violations to be analysed
- Regular internal tests of all systems to ensure correct performance
- Regular review of security standards and advancements in cryptography.
Our internal policies conform with the PCI-DSS standard (Payment Card Industry Data Security Standard), although the PCI-DSS standard is designed to apply to credit card data.