Security
How we protect your financial data, HMRC credentials, and bank records.
Data encryption at rest
All data stored in LandlordTaxAi — including transaction records, property details, account information, and HMRC OAuth tokens — is encrypted at rest using AES-256. This is the same encryption standard used by UK financial institutions and government departments.
Our primary database runs on Neon Postgres (EU West region). Neon provides AES-256 encryption at the storage layer and supports point-in-time recovery for backup purposes. Your data does not leave the EU.
Encryption in transit
All connections between your browser and LandlordTaxAi are encrypted using TLS 1.3. TLS 1.2 connections are not accepted. Our infrastructure runs on Cloudflare Workers, which enforces minimum TLS version at the edge.
Connections between our application and HMRC's MTD API are also TLS-encrypted. HMRC requires TLS 1.2 or higher for all API connections; we enforce TLS 1.3.
Data residency
Your data is stored in the EU West region (Ireland), which is within the UK GDPR adequacy framework. Application traffic is handled by Cloudflare Workers at UK edge nodes — meaning requests from UK users are processed in the UK before reaching our database.
Uploaded bank statement CSV files are processed in memory during categorisation and stored in Cloudflare R2 with encryption at rest. Files are retained for the duration of your subscription and deleted within 30 days of account closure.
Authentication
LandlordTaxAi uses Supabase Auth with magic link sign-in. You receive a time-limited sign-in link by email — there is no password to be phished or reused. Magic links expire after 60 minutes.
Two-factor authentication (2FA) is on the roadmap. We will add TOTP (authenticator app) support before the end of 2026. Sign up to release notes to be notified when it launches.
Each user account is fully isolated. You can only access your own properties, transactions, and submissions. There is no account-sharing or multi-user access in the current version.
HMRC connection (OAuth 2.0)
When you connect LandlordTaxAi to HMRC, we use the OAuth 2.0 authorisation code flow— the same mechanism used by all HMRC-connected software. You are redirected to HMRC's Government Gateway to sign in and grant permission. We never see your HMRC password or Government Gateway credentials at any point.
HMRC issues us a short-lived access token and a refresh token. Both tokens are encrypted at rest using AES-256 before being stored. The access token is used only to make authorised API calls on your behalf and is never transmitted to third parties.
You can revoke LandlordTaxAi's access to your HMRC account at any time via your Government Gateway account at gov.uk/log-in-register-hmrc-online-services. Revoking access does not delete your LandlordTaxAi account or records.
Bank statement uploads
LandlordTaxAi uses CSV file importrather than Open Banking. You export a CSV from your bank's online portal and upload it. We never store your bank login credentials, never connect directly to your bank account, and never request Open Banking authorisation.
This approach is deliberately conservative. Open Banking is convenient but requires you to trust a third-party FCA-authorised provider with ongoing read access to your account. CSV import gives you full control over what data is shared and when.
Payment security
Subscription payments are processed by Stripe, a PCI DSS Level 1 certified payment processor. LandlordTaxAi never receives, stores, or transmits your card number. All card data is entered directly into Stripe's hosted payment form and handled entirely within Stripe's PCI-compliant environment.
Backups and recovery
Our Neon Postgres database supports point-in-time recovery (PITR) with a 7-day recovery window. This means we can restore your data to any point within the last 7 days in the event of data loss. Uploaded files are stored in Cloudflare R2, which replicates data across multiple availability zones automatically.
We do not offer a self-service data export yet — this is on the roadmap. If you need a full data export for any reason, contact hello@landlordtaxai.co.uk and we will process the request within 5 working days.
UK GDPR compliance
LandlordTaxAi complies with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. We process your personal data only to provide the service and meet our legal obligations.
You have the right to access, rectify, erase, and port your personal data. See our GDPR rights page for how to exercise these rights. Full details of what we process and why are in our Privacy Policy.
Security roadmap
Reporting a security vulnerability
If you discover a security vulnerability in LandlordTaxAi, please report it responsibly by emailing security@landlordtaxai.co.uk with the subject line “Security disclosure”. Please include a description of the vulnerability, steps to reproduce it, and any potential impact. We aim to acknowledge reports within 48 hours and resolve confirmed vulnerabilities within 14 days. We do not pursue legal action against researchers acting in good faith under coordinated disclosure.