Skip to main content
E2E Compliance

Security

How we protect your data at E2E Compliance

We take the security of your tax data seriously. Our platform is built on Google Cloud infrastructure with multiple layers of encryption, strict access controls, and UK data residency. Below is a summary of our security controls.

Encryption

  • AES-256-GCM encryption for National Insurance numbers, UTR, and HMRC OAuth tokens
  • All data transmitted over HTTPS with TLS encryption
  • Google-managed encryption at rest for all Firestore and Cloud Storage data
  • HSTS enforced with 1-year max-age

Infrastructure

  • Hosted on Google Cloud (Firebase) in europe-west2 (London) for UK data residency
  • Firestore security rules enforce owner-only access to tax return data
  • Cloud Functions run in the same UK region with least-privilege IAM roles
  • File uploads restricted to 5MB, JPEG/PNG/PDF only

Authentication & Access

  • Firebase Authentication with Google OAuth and email/password
  • Password policy: minimum 8 characters, uppercase, lowercase, and number required
  • HMRC connection uses OAuth 2.0 + PKCE — we never see your Government Gateway password
  • Role-based access control: admin, user, and consultant roles
  • Consultants only see redacted return snapshots — never raw user accounts

Privacy & Data Minimisation

  • Tax calculations use a deterministic TypeScript engine — not AI
  • AI features send only the minimum context needed for each request
  • Sentry error monitoring redacts National Insurance numbers and strips cookies
  • UTR numbers are redacted on payment pages
  • No data is sold or shared for marketing purposes

Security Headers

  • HTTP Strict Transport Security (HSTS) enforced
  • X-Frame-Options: DENY — prevents clickjacking
  • X-Content-Type-Options: nosniff
  • Referrer-Policy: strict-origin-when-cross-origin
  • Content Security Policy headers on Cloud Functions

Consultant Isolation

  • Client return data is copied to a redacted snapshot for consultant review
  • Consultants cannot access the original user account or raw Firestore documents
  • NI numbers and UTR are stripped from consultant-visible snapshots
  • Self-review protection: consultants cannot review their own returns

Compliance

  • UK GDPR compliant with documented lawful bases for all processing
  • Data retention aligned with HMRC record-keeping requirements (7 years)
  • Granular cookie consent with essential, analytics, and marketing categories
  • Terms of Service acceptance required at sign-up
  • Data subject rights supported: access, rectification, erasure, portability

Monitoring & Incident Response

  • Sentry error monitoring with real-time alerts
  • Firebase Analytics for service health monitoring
  • HMRC API audit logging for all MTD interactions
  • Cloud Function rate limiting on sensitive endpoints

Report a Security Issue

If you discover a security vulnerability, please report it responsibly by emailing security@e2ecomply.com. We aim to acknowledge reports within 24 hours.

For privacy-related queries, see our Privacy Policy.