Keeping your data safe, secure and compliant

When you entrust TaxCalc with your practice and client data, you need clear assurance that it is being properly protected.

This page explains how our controls are governed, how data is protected, and where responsibility sits between TaxCalc and you or your business.

Trusted by over 12,000 firms of all sizes


Our approach

Our approach to compliance and security is based on formal governance, documented controls and independent oversight. We focus on reducing risk, meeting regulatory expectations and giving accountants confidence that customer data is handled lawfully, responsibly and with appropriate safeguards in place.

ISO 27001: independently verified security controls

In 2025, TaxCalc achieved certification to ISO/IEC 27001:2022 – Information security, cybersecurity and privacy protection.

ISO 27001 is the internationally recognised standard for information security management. Certification confirms that we operate a comprehensive, organisation-wide framework of policies, procedures and controls to manage information security risks.

ISO 27001 goes beyond technical safeguards. It requires us to demonstrate that risks to the confidentiality, integrity and availability of information are:

•    Identified and regularly reviewed
•    Controlled through documented, auditable processes
•    Tested and maintained through ongoing internal and external audits

Certification is not a one-off exercise. It requires continuous improvement, regular management review and ongoing staff engagement. Our Information Security Management System (ISMS) is actively maintained through formal governance processes, including regular information security meetings involving key stakeholders.

Our ISO 27001 certification can be independently verified via the BSI Certificate Directory.

At a glance:

•    ISO/IEC 27001:2022 certified information security management system
•    Formal, documented governance for data protection and information security
•    Dedicated Compliance function and named Data Protection Officer
•    PCI DSS compliant payment card processing
•    100% of employees receive annual security training

Security that covers technology, people and processes

Information security is not just about systems. Our ISO 27001 framework covers technical, operational and physical controls designed to reduce both digital and non‑digital risks to customer data. This combined approach helps ensure that data protection is embedded across the organisation, not confined to a single team or system.

    • Protection against common cyber threats such as malware, phishing and unauthorised access
    • Use of cryptography and access controls to protect sensitive information
    • Segregation of systems to reduce risk exposure

Governance, accountability and oversight
TaxCalc has defined ownership and accountability for data protection and information security.

Our Data Protection Officer (DPO) is responsible for overseeing compliance with data protection legislation, including the UK GDPR and Data Protection Act 2018, and for managing the Information Security Management System that supports ISO 27001 certification.

Other compliance activities that support the organisation include:
•    Monitoring and implementing data protection policies
•    Advising the business on privacy and information security matters
•    Conducting regular internal audits
•    Identifying appropriate staff training requirements
•    Acting as a point of contact for customers, staff and regulatory authorities

This governance structure ensures appropriate oversight of security related risks.

Data protection, availability and resilience

Customer data is not just stored — it is actively protected, monitored and governed.

In line with ISO 27001 requirements, we have measures in place to support:

    • Encryption of customer data at rest
    • Regular backup processes designed to support data recovery
    • Business continuity planning to help maintain service availability during technical or operational disruptions

These controls are designed to minimise risk and reduce disruption if something goes wrong, while supporting the availability of your data when you need it.

Incident awareness and response

No system can honestly claim to eliminate all risk. What matters is how potential incidents are identified, managed and learned from.

Our information security framework includes:

    • Defined internal processes for identifying and reporting suspected security incidents
    • Response procedures to assess impact and take appropriate action
    • Ongoing review of incidents to identify lessons learned, strengthen controls and reduce future risk

This approach supports prompt, proportionate responses that align with regulatory and professional expectations.

Supply chain and third‑party oversight

Where third parties are involved in processing or supporting customer data, our ISO 27001 framework requires us to carry out appropriate due diligence.

This includes understanding the security controls and certifications of suppliers, helping to reduce exposure to risk across the wider supply chain and ensuring that data protections do not stop at our own organisational boundaries.

Payment card data protection

The Payment Card Industry Data Security Standard (PCI‑DSS) is a framework of requirements designed to protect cardholder data and ensure secure payment processing.

TaxCalc does not process card payments directly. Card payment processing is outsourced to Trust Payments, a PCI‑DSS certified merchant.

As a service provider, we meet the requirements applicable to us under PCI‑DSS, including regular vulnerability scanning, completion of required compliance documentation and ongoing oversight of payment‑related controls. This approach helps ensure that payment card data is handled securely.

Clarifying responsibilities

Our role is to provide software and services that support the protection and lawful handling of data within our control.

Your role, as a practice, is to ensure that you use the software appropriately and apply your own internal policies and procedures to meet your professional and regulatory obligations.

ISO 27001 certification and our internal controls support your compliance efforts, but they do not replace your responsibility to operate a compliant practice.
