AI TaxPilot← Back to site
SECURITY

Security Statement

How we protect customer data in AI TaxPilot

Aicountant Ltd (trading as AI TaxPilot) Version 1.0 — Effective 01 May 2026

1. Our commitment

At Aicountant Ltd, trading as AI TaxPilot, we treat the security of customer data as a non-negotiable. The Service handles tax records, financial figures and supporting documents that customers expect to remain private and accurate. This Security Statement summarises the technical and organisational measures we use to keep that data safe and to meet our obligations under the UK GDPR, the Data Protection Act 2018 and the HMRC Developer Hub Terms of Use.

2. Governance

  • Our Director and Data Protection Officer, Haroon Ibrahim, owns information security and is the senior point of accountability.
  • We maintain documented information-security and data-protection policies, reviewed at least annually.
  • We maintain records of processing activities under Article 30 UK GDPR.
  • We are registered with the Information Commissioner's Office. Registration number: [ICO REGISTRATION NUMBER — registration in progress].

3. Infrastructure security

  • The Service is hosted with GoDaddy on infrastructure that uses physical access controls, redundant power and cooling, and 24/7 monitoring.
  • Production environments are logically separated from development and test environments.
  • Networks are protected by firewalls, intrusion detection and continuous logging.
  • Servers are patched against known vulnerabilities on a defined schedule.
  • We perform encrypted, automated backups with tested restore procedures.

4. Application security

  • All connections to the Service use TLS 1.2 or higher with strong cipher suites.
  • Customer data is encrypted at rest in production databases, backups and document storage.
  • Passwords are stored using salted, industry-standard one-way hashing — we never see your password in plain text.
  • Multi-factor authentication is available to all users and required for staff and administrative access.
  • We follow secure development practices, including peer code review, automated dependency scanning, and security tests in our build pipeline.
  • We carry out regular vulnerability scans and commission independent penetration tests at least annually.

5. HMRC fraud prevention

As a recognised Making Tax Digital software provider, we are legally required to transmit fraud prevention header data with every API call to HMRC. We do this in accordance with the HMRC Fraud Prevention Header Data Compliance and Sanctions Guidelines and we never knowingly suppress, modify or falsify those headers. The categories of data sent are described in our Privacy Policy.

6. AI security

  • AI features are powered by Anthropic PBC under a written agreement that prevents training on customer data.
  • Customer data sent to AI features travels over encrypted connections.
  • We log AI requests and responses for a limited period to support debugging and abuse detection, then delete them on a rolling basis.
  • Customers can opt out of AI features in account settings; doing so reduces functionality but is fully supported.

7. Access control

  • Staff access to production systems and customer data is granted on a least-privilege basis and reviewed regularly.
  • Privileged actions require multi-factor authentication.
  • Joiner, mover and leaver processes ensure access is provisioned and revoked promptly.
  • All staff are bound by confidentiality obligations and complete data-protection and information-security training on induction and at least annually.

8. Monitoring and incident response

  • We log security-relevant events and review them for anomalies.
  • We have a documented incident response plan with defined roles and communication paths.
  • We aim to detect and contain incidents quickly, and to keep affected customers informed.
  • Where a personal data breach is likely to result in risk to data subjects, we notify the ICO within 72 hours and notify customers without undue delay.

9. Business continuity

  • We back up production data regularly and test restore procedures.
  • We have a documented business continuity and disaster recovery plan, reviewed at least annually.
  • We aim to minimise downtime and to communicate clearly with customers if it occurs.

10. Data location and transfers

Customer data is primarily processed in the United Kingdom. Some sub-processors may process data outside the UK; we use UK adequacy decisions, the International Data Transfer Agreement, or the UK Addendum to the EU Standard Contractual Clauses (supported by transfer risk assessments) to safeguard those transfers. Our current sub-processors and their locations are listed in our Data Processing Addendum.

11. Customer responsibilities

Security is a partnership. We ask customers to:

  • Use a strong, unique password and enable multi-factor authentication.
  • Keep login credentials and API keys secret and not share accounts.
  • Promptly remove access for users who leave their organisation.
  • Keep their devices and browsers up to date.
  • Report any suspected security issue to security@aicountant.co.uk.

12. Responsible disclosure

If you are a security researcher, we welcome reports of vulnerabilities at security@aicountant.co.uk. We ask you to: give us a reasonable time to investigate and remediate before any public disclosure; not access or modify customer data; not perform testing that degrades the Service for others; and stay within the law. We will acknowledge reports promptly and keep you informed of progress.

13. Compliance and certifications

  • We comply with the UK GDPR, the Data Protection Act 2018, PECR and the HMRC Developer Hub Terms of Use.
  • We follow industry-standard guidance such as the NCSC Cyber Essentials principles and the OWASP Top Ten for application security.
  • Specific certifications we hold or are working towards: [Cyber Essentials / Cyber Essentials Plus / ISO 27001 — list as achieved or in progress].

14. Changes to this statement

Security is an ongoing programme. We may update this Statement from time to time and will publish the latest version at https://www.aitaxpilot.com.

15. Contact

Security queries: security@aicountant.co.uk Privacy queries: privacy@aicountant.co.uk General support: support@aicountant.co.uk Aicountant Ltd 61 Bridge Street, Kington, United Kingdom, HR5 3DJ Companies House number: 17193613 Data Protection Officer: Haroon Ibrahim Website: https://www.aitaxpilot.com

Questions? Contact our Data Protection Officer at dpo@aitaxpilot.com or write to Aicountant Ltd, England & Wales.