ISO 27001 Commitment

Our approach to information security management aligned with ISO 27001 standards.

Last updated: 01 April 2026
Effective: 01 April 2026

1. Our Commitment to Information Security

Tax Sahayogi is committed to establishing, implementing, maintaining, and continually improving an Information Security Management System (ISMS) aligned with the ISO/IEC 27001:2022 standard. As an AI-powered tax copilot handling sensitive financial data for Chartered Accountants, we recognise that robust information security is essential to earning and maintaining the trust of our users.

We are actively pursuing ISO 27001 certification and have implemented controls and processes consistent with the standard's requirements. Our ISMS framework provides a systematic approach to managing sensitive information, ensuring its confidentiality, integrity, and availability.

2. Information Security Management System

Our ISMS is built on a risk-based approach that identifies, assesses, and mitigates information security risks across all aspects of our operations.

  • Risk-Based Approach: We identify and evaluate information security risks based on their likelihood and potential impact, and implement appropriate controls to reduce risks to acceptable levels.
  • Continuous Improvement: Our ISMS follows the Plan-Do-Check-Act (PDCA) cycle, ensuring that security controls are regularly reviewed, tested, and improved.
  • Scope: The ISMS covers the entire Tax Sahayogi platform, including our cloud infrastructure, application services, data processing activities, and the personnel and processes that support them.
  • Leadership Commitment: Information security is championed at the highest levels of our organisation, with regular management reviews and dedicated resources for security initiatives.

3. Key Controls Implemented

We have implemented controls aligned with the ISO 27001 Annex A domains. The following outlines the key areas addressed:

A.5 — Information Security Policies

We maintain a comprehensive set of information security policies that are approved by management, communicated to all relevant personnel, and reviewed at planned intervals. These policies establish the direction and principles for information security across the organisation.

A.6 — Organisation of Information Security

Roles and responsibilities for information security are clearly defined and assigned. We have established an internal security governance structure with designated security personnel responsible for overseeing ISMS implementation and compliance.

A.8 — Asset Management

All information assets are identified, classified, and protected according to their sensitivity and criticality. We maintain an up-to-date asset inventory and apply appropriate handling procedures for each classification level.

A.9 — Access Control

Access to information systems and data is restricted on a need-to-know basis using role-based access controls (RBAC). We enforce strong authentication mechanisms, conduct regular access reviews, and promptly revoke access when it is no longer required.

A.10 — Cryptography

We employ strong cryptographic controls to protect the confidentiality and integrity of sensitive data. This includes AES-256 encryption at rest, TLS 1.2+ for data in transit, and secure key management through Azure Key Vault.

A.12 — Operations Security

Operational procedures are documented and made available to all personnel who need them. Key controls include:

  • Audit Logging: All significant system events, including user activities, exceptions, and security events, are logged and monitored.
  • Change Management: All changes to production systems follow a formal change management process that includes review, approval, testing, and rollback procedures.
  • Malware Protection: Anti-malware measures are deployed across our infrastructure and kept up to date.

A.13 — Communications Security

Network security is managed through Azure Virtual Network isolation, network segmentation, and web application firewalls. All external communications are encrypted, and we enforce strict controls on information transfer.

A.14 — System Acquisition, Development, and Maintenance

Security requirements are integrated into every phase of our software development lifecycle. We conduct code reviews, automated security testing, and vulnerability assessments as part of our development and deployment processes.

A.18 — Compliance

We identify and comply with all applicable legal, regulatory, and contractual requirements, including the Digital Personal Data Protection Act, 2023, and GDPR where applicable. Regular compliance reviews ensure ongoing adherence.

4. Risk Assessment

We conduct regular risk assessments to identify and evaluate threats to our information assets and the personal data we process.

  • Regular Risk Assessments: Formal risk assessments are performed at least annually and whenever significant changes occur to our systems, processes, or threat landscape.
  • Threat Modelling: We employ threat modelling techniques to identify potential attack vectors and vulnerabilities in our application architecture and infrastructure.
  • Mitigation Strategies: For each identified risk, we define and implement appropriate mitigation strategies, including technical controls, process improvements, and personnel training. Risk treatment plans are tracked to completion.

5. Employee Security

Our people are a critical part of our security posture. We invest in ensuring that all team members understand and fulfil their security responsibilities.

  • Security Awareness: All employees and contractors undergo security awareness training upon joining and receive regular refresher training. Topics include data handling, phishing awareness, incident reporting, and secure development practices.
  • Access Reviews: User access rights are reviewed periodically to ensure they remain appropriate. Access is promptly adjusted or revoked upon role changes or termination.
  • Non-Disclosure Agreements: All employees, contractors, and third-party personnel with access to sensitive information are required to sign confidentiality and non-disclosure agreements.

6. Supplier Management

We carefully evaluate and manage the security practices of our suppliers and service providers.

  • Azure as Primary Supplier: Microsoft Azure is our primary infrastructure provider. Microsoft maintains its own ISO 27001 certification and undergoes regular third-party audits. We leverage Azure's certified infrastructure to strengthen our own security posture.
  • Supplier Assessments: We assess the security practices of all suppliers who have access to or process our data, ensuring they meet our security requirements.
  • Contractual Safeguards: Data processing agreements with suppliers include specific security requirements, incident notification obligations, and audit rights.

7. Continuous Improvement

We are committed to the ongoing improvement of our information security practices.

  • Regular Audits: Internal audits of our ISMS are conducted at planned intervals to verify that controls are operating effectively and to identify opportunities for improvement.
  • Management Reviews: Senior management conducts periodic reviews of the ISMS to assess its continuing suitability, adequacy, and effectiveness. These reviews consider audit results, incident trends, risk assessments, and stakeholder feedback.
  • Corrective Actions: Non-conformities and areas for improvement identified through audits, incidents, or reviews are addressed through formal corrective action processes with defined timelines and accountability.

8. Contact

If you have questions about our ISO 27001 commitment or information security practices, please contact us: