CloudConnect and GDPR

Article ID: 2833
Last updated: 30 May, 2018

In addition to TaxCalc's general preparations for GDPR as a data controller and data processor (detailed here: TaxCalc's approach to GDPR), the CloudConnect product has specific additional details. Our cloud service is a core processing focus and we operate it on a data processor basis. CloudConnect is continually under review, and regular updates are performed to ensure it complies with regulatory changes such as GDPR.

Encryption

CloudConnect databases are stored with Mythic Beasts LTD in the UK. Each server has disk encryption to provide Security-At-Rest and Security-In-Transit. Our emergency disaster recovery methodology uses a similar process.

Access Control

We have privacy and non-disclosure contracts in place with our providers to ensure security of the data held in our databases. Effectively this means that our providers can and will do no more than host devices and reboot the systems in the event of an outage.

Any successful access to any server is via explicit firewall permissions and multi-factor authentication (MFA) tooling. These technical methods are coupled with extensive data protection policies in our employment contracts to ensure that staff do not access data held within customer databases without your explicit documented instruction.

Each database we hold for you is protected with unique usernames and passwords to prevent intra-server breaches. They are ‘ring-fenced’ as individual databases (rather than using one big database).

Data Retention

We remove database backups from our servers frequently; backups are retained as per our Backups Attachment to the Cloud Service Agreement.

Monitoring, Testing and Remediation

Our 24/7 in-house monitoring and alerts system includes issue detection (including breach/intrusion) and is handled by our Cloud team.

The automated monitoring system has hundreds of sensors implanted throughout our Cloud infrastructure. These alert us if there are any detectable problems. The quantum of ‘detectable’ is of course a moving target. New threats emerge constantly, the environment of the internet changes and, as we develop the service, we occasionally incur bugs too, as any software provider does. We aim to fix these as soon as possible.

We have a whole team dedicated to maintaining and developing the CloudConnect service. Ongoing activities include:

  • We receive notifications from a variety of security lists and websites. All devices are patched to the latest versions on a regular patch cycle basis; this ensures that any application/package level vulnerabilities are addressed quickly.
  • Reactive actions when a security problem is detected through the monitoring system.
  • We perform regular penetration testing with a third party to highlight any improvements that need to be made. These are all assessed, documented, scheduled and actioned.

Cloud Server Supplier Confidence

Our data servers are operated by Mythic Beasts (main servers) and Bytemark. As mentioned above, when deciding to use suppliers, we have privacy and non-disclosure contracts in place to ensure security of the data held on the databases. We also engaged in a lengthy due diligence process: in selecting Mythic Beasts, for example, we ensured that there would be no US data authority entanglements.

Revision: 2