Security Disclosure Policy

Last updated: 3 April 2026

1. Reporting a Vulnerability

The security of our platform and our clients' data is our highest priority. If you believe you have found a security vulnerability in the TaxStats platform, we encourage you to report it to us responsibly.

Please email your findings to:

security@taxstats.co.uk

Include as much detail as possible:

  • Description of the vulnerability
  • Steps to reproduce
  • Potential impact
  • Any proof-of-concept code or screenshots

2. Our Commitment

When you report a vulnerability to us in good faith, we commit to:

  • Acknowledgement within 48 hours — we will confirm receipt of your report and provide a point of contact
  • Assessment within 5 working days — we will evaluate the report and provide an initial severity assessment
  • Resolution within 30 days — we will work to fix confirmed vulnerabilities within 30 days, or provide a timeline if a fix requires more time
  • Notification — we will notify you when the vulnerability has been fixed
  • Credit — with your permission, we will publicly acknowledge your contribution to improving our security

3. Safe Harbour

We will not take legal action against individuals who:

  • Report vulnerabilities in good faith following this policy
  • Do not access, modify, or delete data belonging to other users
  • Do not disrupt or degrade our services
  • Allow reasonable time for us to address the issue before any public disclosure
  • Do not exploit the vulnerability beyond what is necessary to demonstrate it

We consider security research conducted in accordance with this policy to be authorised and will not pursue civil or criminal action against researchers acting in good faith.

4. Scope

This policy applies to vulnerabilities in:

  • The TaxStats web platform (portal.taxstats.co.uk)
  • The TaxStats API (API endpoints)
  • Authentication and authorisation systems
  • Data storage and encryption

The following are out of scope:

  • Social engineering attacks against TaxStats staff or clients
  • Denial of service attacks
  • Physical security of our offices
  • Third-party services we integrate with (HMRC, Stripe, Finexer) — please report issues with those services directly to them

5. Contact

For security reports: security@taxstats.co.uk

For general enquiries: info@taxstats.co.uk

TaxStats Cloud Ltd
56 Oldham Road, Ashton-Under-Lyne, England, OL6 7AP

If you have any questions about this policy, please contact us:

TaxStats Ltd

Work.Life, 30 Brown Street, Manchester, M2 1DH

Email: info@taxstats.co.uk

Phone: +44 (0) 161 552 4774

Company Registration: 10445962