CloudConnect and GDPR

Article ID: 2833
Last updated: 04 Mar, 2024

As well as TaxCalc’s general preparations for GDPR as a data controller and data processor (detailed here: TaxCalc's approach to GDPR), the CloudConnect product has specific additional details. Our cloud service is a core processing focus and we operate it on a data processor basis. CloudConnect is continually under review and regular updates are performed to ensure it complies with regulatory changes such as GDPR.


CloudConnect databases are stored with Mythic Beasts LTD in the UK. Each server has disk encryption to provide Security-At-Rest and Security-In-Transit. Our emergency disaster recovery methodology uses a similar process.

Access Control

We have privacy and non-disclosure contracts in place with our providers to ensure security of the data held in our databases. Effectively this means that our providers can and will do no more than host devices and reboot the systems in the event of an outage.

Any successful access to any server is via explicit firewall permissions and multi-factor authentication (MFA) tooling. These technical methods are coupled with extensive data protection policies in our employment contracts to ensure that staff do not access data held within customer databases without your explicit documented instruction.

Each database we hold for you is protected with unique usernames and passwords to prevent intra-server breaches. They are ‘ring-fenced’ as individual databases (rather than using one big database).

Data Retention

We frequently remove database backups from our servers; backups are retained as per our Backups Attachment to the Cloud Service Agreement.

Monitoring, Testing and Remediation

Our 24/7 in-house monitoring and alerts system includes issue detection (including breach/intrusion) and is handled by our Cloud team.

The automated monitoring system has hundreds of sensors implanted throughout our Cloud infrastructure. These alert us if there are any detectable problems. What counts as ‘detectable’ is of course a moving target. New threats emerge constantly, the environment of the internet changes and, as with any software provider, we occasionally incur bugs as we develop the service, which we aim to fix as soon as possible.

We have a whole team dedicated to maintaining and developing the CloudConnect service. Ongoing activities include:

  • We receive notifications from a variety of security lists and websites. All devices are patched to the latest versions on a regular patch cycle basis; this ensures that any application/package level vulnerabilities are addressed quickly.
  • We take reactive action when a security problem is detected through the monitoring system.
  • We perform regular penetration testing with a third party to highlight any improvements that need to be made. These are all assessed, documented, scheduled and actioned.

Cloud Server Supplier Confidence

Our data servers are operated by Mythic Beasts (main servers) and AWS. As mentioned above, when deciding to use suppliers we have privacy and non-disclosure contracts in place to ensure security of the data held on the databases. We also engaged in a lengthy due diligence process. In selecting Mythic Beasts, for example, we ensured that there would be no US data authority entanglements.

Revision: 3