Serious about security

At TaxLab, security is fundamental. Our rigorous adherence to ISO 27001 standards safeguards your sensitive data at every step. Through regular audits, we continuously improve our measures, reflecting our dedication to providing you with peace of mind.

A key company value

TaxLab prioritises security from the outset, not as an afterthought. All activities are conducted with the following objectives:

  • Safeguard the confidentiality, integrity, and availability of information, preventing unauthorised access.
  • Ensure compliance with evolving regulatory, legislative, and contractual information security standards.
  • Uphold data privacy in accordance with regulatory, legislative, and contractual mandates.

ISO 27001-certified

Rest assured knowing TaxLab is certified as compliant with ISO 27001, a globally recognised information security standard.

  • Enterprise-wide adoption of Annex A policies and controls.
  • Whole-of-organisation certification scope
  • Regular, independent external audits
  • Ongoing internal and independent penetration testing

Inland Revenue approved record keeping

Inland Revenue has authorised TaxLab to store customer records outside New Zealand under section 22(8)(a) of the Tax Administration Act 1994. Because TaxLab itself meets Inland Revenue's stringent vendor criteria, customers do not need to obtain their own offshore record-keeping approval.

  • Approved to store records outside New Zealand.
  • Inland Revenue's strict vendor criteria met.
  • Customers need no separate offshore record-keeping approval.

Security as a feature

TaxLab views security as a fundamental feature. Data is stored in Microsoft Azure with encryption, and access is governed by Microsoft Entra ID single sign-on, enforced multi-factor authentication and strict data access controls. Regular updates and geo-redundant backups protect the integrity and availability of valuable tax information.

Infrastructure

TaxLab is deployed on Microsoft Azure, leveraging Azure’s secure, high-performing, and resilient cloud infrastructure. Operating in an isolated Azure environment, TaxLab ensures scalability, reliability, and compliance with ISO 27001 and government security frameworks.

TaxLab follows cloud security best practices for high availability and data redundancy, and undergoes regular load testing to validate performance at scale. Routine penetration testing identifies and mitigates security vulnerabilities, supporting robust data protection and regulatory compliance.

Hosting

All data is stored in Microsoft Azure's Australia East (NSW) and Australia Southeast (VIC) regions, Azure's paired regions for Australia, ensuring high availability, performance, and compliance with industry security standards. Microsoft's geo-redundant storage (GRS), which replicates data between these paired regions, together with encryption and access controls, provides enterprise-grade security and data protection.

Availability

24/7 protection

TaxLab leverages Microsoft Azure's enterprise-grade security for continuous monitoring and defence against unauthorised access, suspicious activity, and distributed denial-of-service (DDoS) attacks. Microsoft's advanced threat detection and real-time security updates help ensure that data remains protected at all times.

Service recovery

In the event of unscheduled downtime, TaxLab follows its business continuity and disaster recovery operating procedures to restore system availability and performance. Under our optional Extended Support Services subscription we commit to 99.99% uptime for systems within our control (roughly 52 minutes of unplanned downtime per year), ensuring high availability and minimal disruption. This commitment is backed by Microsoft's 99.99% uptime guarantee for the underlying cloud infrastructure, ensuring resilient and secure service delivery.

Record keeping

Inland Revenue has authorised TaxLab to store customer records outside New Zealand under section 22(8)(a) of the Tax Administration Act 1994. Because TaxLab meets Inland Revenue's stringent vendor compliance requirements, customers do not need to obtain their own offshore record-keeping approval.

Authentication

Microsoft single sign-on (SSO)

TaxLab eliminates the need for additional usernames and passwords by delegating authentication to Microsoft Entra ID (formerly Azure AD) via OpenID Connect, enabling seamless SSO. Because authentication is delegated, TaxLab holds no separate passwords for its users: they sign in with their Microsoft 365 credentials, identity is managed centrally in the customer's own tenant, and the organisation's existing directory security policies (including disabling an account when someone leaves) apply to TaxLab access automatically. This keeps access control on a secure, reliable, industry-standard footing and in line with existing enterprise security frameworks.

Multi-factor authentication (MFA) is enforced

MFA is required for every TaxLab account. Because TaxLab delegates authentication to Microsoft Entra ID, the second factor is challenged and verified by the customer's Microsoft 365 (Entra ID) tenant, where MFA must be enabled for TaxLab users. This satisfies government security framework requirements and prevents sign-in with a compromised password alone; it builds on the organisation's existing directory policies rather than adding a separate MFA system.
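The two passages above describe the relying-party side of this arrangement: TaxLab receives an OpenID Connect ID token from Entra ID and must verify it before granting access, and an MFA requirement is only as strong as the check the application performs on what the tenant reports. The Go program below is an added example written for this page, not TaxLab's own code. It assumes the identity provider signs tokens with RS256, that the tenant populates the standard `amr` claim (RFC 8176) with `mfa` when a second factor was completed, and it uses a locally generated RSA key plus a placeholder issuer and client ID in place of the real JWKS and tenant values.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Relying-party settings; both are placeholders for the tenant-specific Entra ID v2.0 issuer and the app's client ID.
const (
	expectedIssuer   = "https://login.microsoftonline.com/<tenant-id>/v2.0"
	expectedAudience = "00000000-0000-0000-0000-000000000000"
)

// IDTokenClaims is the subset of ID-token claims this check uses; "amr" (RFC 8176) lists the methods used.
type IDTokenClaims struct {
	Issuer   string   `json:"iss"`
	Audience string   `json:"aud"` // Entra ID issues a single string here
	Expiry   int64    `json:"exp"`
	AMR      []string `json:"amr"` // contains "mfa" when a second factor was completed
}

var b64 = base64.RawURLEncoding

func decodePart(part string, v any) error {
	raw, err := b64.DecodeString(part)
	if err != nil {
		return err
	}
	return json.Unmarshal(raw, v)
}

// ValidateIDToken verifies a compact JWS ID token against the IdP's RSA public key and applies the
// checks a relying party must not skip: pinned algorithm, signature, issuer, audience, expiry, "mfa" in amr.
func ValidateIDToken(token string, pub *rsa.PublicKey, now time.Time) (*IDTokenClaims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("token is not a three-part JWS")
	}
	var header map[string]any
	if err := decodePart(parts[0], &header); err != nil {
		return nil, fmt.Errorf("bad header: %w", err)
	}
	// Pin alg to the JWKS key type; never trust the token's own alg ("none", key confusion).
	if header["alg"] != "RS256" {
		return nil, fmt.Errorf("unexpected alg %v", header["alg"])
	}
	sig, err := b64.DecodeString(parts[2])
	if err != nil {
		return nil, fmt.Errorf("bad signature encoding: %w", err)
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return nil, errors.New("signature verification failed")
	}
	var claims IDTokenClaims // parsed only after the signature checks out
	if err := decodePart(parts[1], &claims); err != nil {
		return nil, fmt.Errorf("bad payload: %w", err)
	}
	switch {
	case claims.Issuer != expectedIssuer:
		return nil, fmt.Errorf("unexpected issuer %q", claims.Issuer)
	case claims.Audience != expectedAudience:
		return nil, fmt.Errorf("token not issued for this app (aud %q)", claims.Audience)
	case now.Unix() >= claims.Expiry: // a missing exp (0) is treated as expired
		return nil, errors.New("token expired")
	}
	for _, m := range claims.AMR {
		if m == "mfa" {
			return &claims, nil
		}
	}
	return nil, errors.New("sign-in did not complete multi-factor authentication")
}

// mintIDToken signs claims the way a test IdP would (RS256 = RSASSA-PKCS1 v1.5 with SHA-256); demo-only.
func mintIDToken(priv *rsa.PrivateKey, alg string, claims IDTokenClaims) string {
	header, _ := json.Marshal(map[string]string{"alg": alg, "typ": "JWT"})
	payload, _ := json.Marshal(claims)
	signingInput := b64.EncodeToString(header) + "." + b64.EncodeToString(payload)
	digest := sha256.Sum256([]byte(signingInput))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	return signingInput + "." + b64.EncodeToString(sig)
}

func main() {
	key, _ := rsa.GenerateKey(rand.Reader, 2048) // stand-in for the IdP's JWKS signing key
	now := time.Now()
	pwdOnly := IDTokenClaims{Issuer: expectedIssuer, Audience: expectedAudience, Expiry: now.Add(time.Hour).Unix(), AMR: []string{"pwd"}}
	_, err := ValidateIDToken(mintIDToken(key, "RS256", pwdOnly), &key.PublicKey, now)
	fmt.Println("password-only sign-in rejected:", err)
}
```

The order matters: the algorithm is pinned and the signature verified before any claim is read, and the missing second factor is a hard failure rather than a warning, so a tenant whose MFA policy was relaxed cannot quietly produce password-only sessions. In production the public key is fetched from the tenant's JWKS endpoint and selected by the token's `kid`; the tenant's own MFA policy remains the primary control, and this check is the defence in depth a relying party can add.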

Disaster recovery

Backup

Data is backed up nightly across Microsoft Azure's Australia East (NSW) and Australia Southeast (VIC) regions, providing geo-redundancy, disaster recovery readiness, and compliance with government security frameworks. In the event of system failure or data loss, point-in-time restore allows data to be rolled back to a chosen moment within its recent history. Backups are accessible within two hours, keeping operational disruption to a minimum. Disaster recovery procedures are tested annually to validate backup integrity and the restore process.

Failover

Data is continuously replicated across multiple Microsoft Azure data centres for high availability and redundancy. If infrastructure fails, failover mechanisms activate immediately to maintain service and minimise downtime. Failover is designed so that at most five minutes of modified data can be lost, that is, a recovery point objective (RPO) of five minutes.

Incident management

A structured incident response framework is in place in accordance with ISO 27001, ensuring a systematic approach to detecting, assessing, and resolving security and operational incidents. Continuous monitoring and logging provide real-time threat detection and response, while regular penetration testing proactively identifies and mitigates vulnerabilities. These measures maintain the security, integrity, and availability of all systems.

Certification & compliance

ISO 27001-certified

TaxLab is certified to ISO 27001, the international standard for information security management systems.

Inland Revenue & ATO compliance

As a Digital Service Provider to the ATO, TaxLab meets all authentication, encryption, data hosting, personnel security, and monitoring requirements. Additionally, Inland Revenue has authorised TaxLab to store customer records outside New Zealand under section 22(8)(a) of the Tax Administration Act 1994, ensuring compliance with government security standards.

Privacy & data protection

We comply with privacy laws in New Zealand and Australia, ensuring the protection of customer data from unauthorised access or disclosure. To learn more, view our Privacy Policy.

Data security

Encryption in transit and at rest

All data in transit between clients and servers is encrypted with TLS 1.3, with TLS 1.2 as the fallback for clients that require it. Data at rest is encrypted with AES-256, meeting industry standards for data protection. Application-level controls mitigate risks such as cross-site scripting (XSS) and SQL injection, protecting sensitive data from unauthorised access.

Unique encryption keys

Each TaxLab subscription is protected with its own encryption keys, so customers' data is logically isolated: records belonging to one subscription cannot be decrypted with another subscription's key. AES-256 encryption is applied at the subscription level to prevent unauthorised access and enforce strong data protection.
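To make the per-subscription key model concrete, the Go program below is an added example written for this page, not TaxLab's implementation (which is not published here). It keeps one random AES-256 key per subscription in an in-memory keyring standing in for a managed key store, seals each record with AES-256-GCM using the subscription ID as additional authenticated data, and shows that a record sealed for one subscription cannot be opened with another subscription's key. The subscription IDs and the sample record are constructed. It also shows key revocation, which is one way a provider can make a subscription's data unrecoverable on a deletion request; whether TaxLab uses that mechanism is not stated on this page.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// TenantKeyring holds one 256-bit data-encryption key per subscription. The in-memory map
// stands in for a managed key store (KMS/HSM) so the example runs offline.
type TenantKeyring struct {
	keys map[string][]byte
}

func NewTenantKeyring() *TenantKeyring {
	return &TenantKeyring{keys: make(map[string][]byte)}
}

// Provision generates a fresh random AES-256 key for a new subscription.
func (r *TenantKeyring) Provision(subscriptionID string) error {
	if _, exists := r.keys[subscriptionID]; exists {
		return fmt.Errorf("subscription %q already has a key", subscriptionID)
	}
	key := make([]byte, 32) // a 32-byte key selects AES-256 in aes.NewCipher
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return err
	}
	r.keys[subscriptionID] = key
	return nil
}

// aead builds an AES-256-GCM instance bound to the subscription's key.
func (r *TenantKeyring) aead(subscriptionID string) (cipher.AEAD, error) {
	key, ok := r.keys[subscriptionID]
	if !ok {
		return nil, fmt.Errorf("no key for subscription %q", subscriptionID)
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt seals a record under its subscription's key. The subscription ID is bound as
// additional authenticated data, so a ciphertext re-labelled with another tenant's ID
// fails authentication even if the two tenants somehow shared a key.
func (r *TenantKeyring) Encrypt(subscriptionID string, plaintext []byte) ([]byte, error) {
	gcm, err := r.aead(subscriptionID)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize()) // fresh random 96-bit nonce per record
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Stored layout: nonce || ciphertext || 16-byte GCM tag.
	return gcm.Seal(nonce, nonce, plaintext, []byte(subscriptionID)), nil
}

// Decrypt opens a record with the named subscription's key. A wrong key, a wrong
// subscription label or any modified byte yields an error rather than garbage.
func (r *TenantKeyring) Decrypt(subscriptionID string, blob []byte) ([]byte, error) {
	gcm, err := r.aead(subscriptionID)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	pt, err := gcm.Open(nil, nonce, ct, []byte(subscriptionID))
	if err != nil {
		return nil, errors.New("authentication failed: wrong subscription key or tampered data")
	}
	return pt, nil
}

// Revoke discards a subscription's key. Everything sealed under it becomes unrecoverable,
// one way to honour a deletion request without scrubbing every backup (crypto-shredding).
func (r *TenantKeyring) Revoke(subscriptionID string) {
	delete(r.keys, subscriptionID)
}

func main() {
	ring := NewTenantKeyring()
	for _, id := range []string{"sub-A", "sub-B"} { // constructed subscription IDs
		if err := ring.Provision(id); err != nil {
			panic(err)
		}
	}
	blob, _ := ring.Encrypt("sub-A", []byte(`{"taxable_income":123456}`)) // constructed sample record
	_, err := ring.Decrypt("sub-B", blob)
	fmt.Println("decrypt with another subscription's key:", err)
}
```

Binding the subscription ID as associated data means isolation does not rest on key separation alone: even a correct key refuses to open a record whose tenant label has been swapped. A real deployment would wrap these per-subscription keys with a master key held in a key-management service and rotate them, which this in-memory keyring deliberately leaves out.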

Penetration testing

TaxLab performs regular penetration testing and security assessments using independent security consultants to identify and mitigate vulnerabilities. These security reviews align with ISO 27001 requirements and form part of our ongoing compliance and risk management strategy.

Access control

Access to production systems and customer data is strictly limited to authorised personnel based on operational necessity. All access is logged, monitored, and subject to audit. Upon request, customer data can be securely deleted, ensuring compliance with data retention and privacy regulations.

User permissions

TaxLab provides user-based access controls, allowing organisations to restrict what each user can see and do according to job function. This supports least-privilege access while giving fine-grained control over user permissions and system settings.

Data ownership & portability

Customers retain full ownership of their data. If a subscription is terminated, customers can export their data in a structured format.

ISO 27001 compliance

TaxLab is ISO 27001-certified, ensuring compliance with the internationally recognised standard for information security management systems (ISMS). Our certification covers the whole organisation, with enterprise-wide adoption of Annex A policies and controls, ensuring strong data protection and risk management. Security is continuously strengthened through regular independent audits and rigorous internal and external penetration testing.

Formal warranties and commitments

TaxLab operates a single Information Security Management System (ISMS) certified to ISO 27001, ensuring a consistent security standard across all customers. Our framework enforces uniform controls, policies, and risk management practices to maintain compliance and protect customer data.

However, formal security warranties are only available under our optional Extended Security Warranty, while uptime commitments and support response times are included in our optional Extended Support Services. These are offered as optional paid subscriptions.

This approach allows us to maintain cost-effective core pricing while providing enhanced security and service guarantees for customers with specific information security and operational requirements.