Data Security

How we protect your data at every layer of our platform.

Last updated: 01 April 2026Effective: 01 April 2026
Privacy PolicyTerms of UseCookie PolicyData SecurityDPDP ActISO 27001GDPR Policy

1. Our Commitment

At Tax Sahayogi, security is foundational to everything we build — not an afterthought. As an AI-powered tax copilot for Chartered Accountants, we understand that you entrust us with sensitive financial and client data. We take that responsibility seriously.

Our security practices are designed to meet the highest standards expected by Indian tax professionals and are aligned with industry frameworks including ISO 27001 and the Digital Personal Data Protection Act, 2023. We continuously invest in infrastructure, processes, and people to ensure your data remains protected at all times.

2. Infrastructure Security

Tax Sahayogi is hosted entirely on Microsoft Azure, with our primary infrastructure deployed in the Azure Central India region. This ensures that your data is processed and stored within Indian borders, in compliance with data residency expectations.

Key infrastructure measures include:

  • Virtual Network (VNet) Isolation: All backend services operate within isolated Azure Virtual Networks, preventing unauthorised access from external networks.
  • Azure Front Door with WAF: We use Azure Front Door as our global load balancer and entry point, equipped with a Web Application Firewall (WAF) that filters and blocks malicious traffic, including OWASP Top 10 threats.
  • Private Endpoints: Critical services such as databases and storage accounts are accessible only via private endpoints within our VNet, eliminating exposure to the public internet.
  • DDoS Protection: Azure-native DDoS protection is enabled to mitigate volumetric and protocol-level attacks.

3. Encryption

We employ strong encryption standards to protect your data both at rest and in transit.

Encryption at Rest

  • All data stored in our databases and storage systems is encrypted using AES-256 encryption, the industry standard for data-at-rest protection.
  • Encryption keys are managed through Azure Key Vault, a FIPS 140-2 Level 2 validated hardware security module (HSM)-backed service that ensures keys are never exposed in plaintext.

Encryption in Transit

  • All data transmitted between your browser and our servers is protected using TLS 1.2 or higher.
  • Internal service-to-service communication within our infrastructure also uses encrypted channels.
  • We enforce HSTS (HTTP Strict Transport Security) to prevent protocol downgrade attacks.

4. Access Controls

We implement strict access control mechanisms to ensure that only authorised individuals and systems can access data.

  • Role-Based Access Control (RBAC): Access to platform resources is governed by RBAC policies. Each user and service account is assigned the minimum permissions necessary to perform their function.
  • JWT Authentication: All API requests are authenticated using JSON Web Tokens (JWT), ensuring that every request is verified and traceable.
  • Principle of Least Privilege: We follow the principle of least privilege across all systems. No individual or service has more access than is strictly required.
  • Multi-Factor Authentication (MFA): All administrative access to our infrastructure and internal tools requires MFA, providing an additional layer of security beyond passwords.

5. Data Isolation

Tax Sahayogi is a multi-tenant platform, and we take tenant data isolation extremely seriously.

  • Tenant Isolation in Cosmos DB: Data is logically partitioned per tenant within Azure Cosmos DB. Each tenant's data is isolated through partition keys and access policies.
  • User-Scoped Queries: All database queries are scoped to the authenticated user's tenant. It is architecturally impossible for one user to access another tenant's data through the application layer.
  • No Cross-Tenant Access: Our application logic enforces strict boundaries between tenants. There are no shared data stores or cross-tenant query paths.

6. Application Security

We follow secure development practices to protect against common web application vulnerabilities.

  • Input Validation: All user inputs are validated and sanitised on both client and server sides to prevent injection attacks.
  • SQL Injection Prevention: We use parameterised queries and ORM abstractions to eliminate SQL injection vulnerabilities.
  • Rate Limiting: API endpoints are protected by rate limiting to prevent abuse, brute-force attacks, and denial-of-service attempts.
  • CORS Policies: Cross-Origin Resource Sharing (CORS) policies are strictly configured to allow requests only from authorised origins.
  • Content Security Policy: We implement CSP headers to mitigate cross-site scripting (XSS) and data injection attacks.

7. Monitoring and Logging

Comprehensive monitoring and logging are essential to detecting and responding to security events in real time.

  • Audit Logging: Every API request is logged with details including the authenticated user, action performed, timestamp, and resource affected. These logs are immutable and retained for compliance purposes.
  • Azure Monitor: We use Azure Monitor and Application Insights for real-time performance monitoring, error tracking, and alerting across all services.
  • Anomaly Detection: Automated anomaly detection identifies unusual access patterns, failed authentication attempts, and potential security incidents for immediate investigation.
  • Centralised Log Management: All logs are aggregated centrally and protected against tampering, ensuring a reliable audit trail.

8. Incident Response

We maintain a formal incident response plan to ensure rapid and effective handling of security events.

  • 24-Hour Detection: Our monitoring systems are configured to detect potential security incidents within 24 hours of occurrence.
  • 72-Hour Notification: In the event of a data breach involving personal data, we will notify affected Data Principals and the Data Protection Board within 72 hours, in compliance with the Digital Personal Data Protection Act, 2023.
  • Post-Incident Review: Every security incident is followed by a thorough post-incident review to identify root causes, assess impact, and implement measures to prevent recurrence.
  • Communication Protocol: We maintain clear communication protocols to keep affected users and stakeholders informed throughout the incident resolution process.

9. Vulnerability Management

We proactively identify and remediate vulnerabilities across our platform.

  • Dependency Scanning: All third-party dependencies are continuously scanned for known vulnerabilities using automated tools. Critical vulnerabilities are patched within defined SLA timelines.
  • Regular Updates: Our infrastructure and application components are regularly updated to incorporate the latest security patches and improvements.
  • Responsible Disclosure Program: We welcome security researchers and industry professionals to report vulnerabilities responsibly. If you discover a potential security issue, please contact us at support@sahayogione.com. We are committed to acknowledging reports promptly and working with reporters to resolve issues.

10. Contact

If you have questions about our security practices or wish to report a security concern, please contact us: