HMRC Regulatory Update: From May 2026, conveyancers filing SDLT returns must register as tax advisers.
Security You Can Rely On For Sensitive Client Data
SDLT calculations involve sensitive client data—names, addresses, financial details. We protect it with security standards used by banks and government agencies, supporting the trust your clients place in your practice.
Security at a Glance
Data Encryption
AES-256 at rest, TLS 1.3 in transit
Data Residency
UK only — data never leaves the UK
Access Control
Role-based permissions, 2FA available
Compliance
GDPR, ICO registered, Cyber Essentials Plus
Certifications
SOC 2 Type II (in progress)
Uptime SLA
99.9% guaranteed
Penetration Testing
Annual third-party testing
Business Continuity
Daily encrypted backups, disaster recovery
Data Security
How We Protect Your Client Information
Encryption
In transit:
All data transmitted between your browser and our servers is encrypted using TLS 1.3—the latest and most secure transport protocol. This is the same encryption standard used by banks for online banking.
At rest:
All stored data is encrypted using AES-256 encryption—the standard approved by governments for classified information. Even if someone physically accessed our servers, the data would be unreadable without encryption keys.
Key management:
Encryption keys are managed through a dedicated key management service with automatic rotation. Keys are never stored alongside the data they protect.
UK Data Residency
Your data never leaves the United Kingdom.
All SDLT Check infrastructure is hosted in UK data centres. This includes:
- ✓Application servers
- ✓Databases
- ✓Backups
- ✓Logs
- ✓Analytics
Why this matters:
- • Simplifies GDPR compliance
- • No cross-border data transfer concerns
- • Subject to UK data protection law
- • No US CLOUD Act exposure
Access Control
Role-based permissions:
Two-factor authentication (2FA):
Optional but recommended. When enabled, logging in requires:
- 1. Your password
- 2. A time-based code from your authenticator app
Supported authenticators:
- • Google Authenticator
- • Microsoft Authenticator
- • Authy
- • Any TOTP-compatible app
Audit Logging
Every action in SDLT Check is logged:
| Event | What's Recorded |
|---|---|
| Login | User, timestamp, IP address, device |
| Calculation created | User, timestamp, file reference |
| Calculation verified | Verifier, timestamp |
| Report exported | User, timestamp, format |
| User added/removed | Admin, timestamp, affected user |
| Settings changed | Admin, timestamp, what changed |
Log retention:
Audit logs are retained for 7 years—aligned with legal document retention requirements.
Log access:
Managers and Admins can view audit logs for their firm. Logs can be exported for compliance purposes.
Infrastructure & Reliability
Built for Business-Critical Operations
99.9% Uptime SLA
We guarantee 99.9% uptime—that's less than 9 hours of downtime per year.
Redundancy & Failover
No single point of failure.
Disaster Recovery
Backup schedule:
- • Full database backup: Daily
- • Incremental backups: Hourly
- • Transaction logs: Continuous
Backup security:
- • All backups encrypted with AES-256
- • Stored in separate UK data centre from primary
- • Tested monthly for restoration integrity
Regulatory Compliance
Meeting Your Professional Obligations
GDPR Compliance
Fully compliant with UK GDPR and Data Protection Act 2018.
Download Data Processing Agreement →SRA Alignment
Supports SRA compliance obligations for secure client information handling.
Application Security
How We Build Secure Software
Penetration Testing
Annual third-party testing by independent security specialists.
Vulnerability Management
How we handle vulnerabilities:
Third-Party Security
All third-party services undergo security review before integration.
| Service | Purpose | Security |
|---|---|---|
| AWS (UK regions) | Infrastructure | SOC 2, ISO 27001 |
| Stripe | Payment processing | PCI DSS Level 1 |
| Auth0 | Authentication | SOC 2, ISO 27001 |
| Datadog | Monitoring | SOC 2 |
Security Documentation
Everything Your IT Team Needs
Security Overview
2-page summary for decision-makers
Technical Security Whitepaper
Detailed technical controls
Data Processing Agreement
GDPR-compliant DPA
Penetration Test Summary
Executive summary (NDA required)
Cyber Essentials Certificate
Current certification
Sub-processor List
Current third-party services
Frequently Asked Questions
Where is my data stored?
All data is stored in UK data centres. Your data never leaves the United Kingdom. This includes primary storage, backups, and logs.
Is SDLT Check GDPR compliant?
Yes. We're fully compliant with UK GDPR and the Data Protection Act 2018. We act as a data processor on your behalf, and we provide a Data Processing Agreement for all customers.
Can I delete client data when a matter closes?
Yes. You can delete individual calculations at any time. For bulk deletion or account closure, contact support. Note that some data may be retained for legal/regulatory compliance.
What happens if SDLT Check is breached?
In the unlikely event of a data breach, we would: (1) Contain and investigate immediately, (2) Notify affected customers within 72 hours, (3) Notify the ICO if required, (4) Provide full transparency, (5) Offer appropriate remediation. We carry cyber liability insurance to cover breach response costs.
Do you share data with third parties?
We share minimal operational data with infrastructure providers (necessary for service delivery). We never sell data. We never share calculation content with third parties. See our sub-processor list for details.
What certifications do you have?
Currently: Cyber Essentials Plus, ICO registration. In progress: SOC 2 Type II (expected Q2 2025). We also align with ISO 27001 controls, though we're not currently certified.
Ready to See SDLT Check in Action?
Security questions? Let's talk. Our team is happy to discuss security requirements, complete questionnaires, or arrange technical deep-dives with your IT team.