Security & compliance

Built like the tax records depend on it.

TaxPoynt moves fiscal documents between your systems and the Nigerian Revenue Service. Everything below is shipped and verifiable in the platform today — no roadmap dressed up as fact.

Controls

Six pillars, all in production.

The same controls we declared to the NRS MBS service-provider programme, in plain language.

Encryption in transit
  • TLS 1.2+ (TLS 1.3 supported) on every public endpoint, with managed certificates and automated renewal
  • Outbound NRS MBS calls are TLS-encrypted through an authenticated egress gateway with a static, NRS-registered IP
  • Secure, httpOnly session cookies with short-lived access tokens; HSTS and hardened response headers on the API
  • Inbound webhooks verified with HMAC-SHA256 signatures and timestamp validation; strict CORS allowlist; global rate limiting
Encryption at rest
  • NRS API credentials and ERP connector configs encrypted with AES-256-GCM — unique random IV and authentication tag per record
  • Dedicated encryption key, segregated from authentication secrets; production refuses to boot without it
  • API keys stored as one-way hashes and shown once at issuance; passwords hashed with bcrypt; MFA secrets encrypted at rest
  • Managed PostgreSQL with provider-level disk encryption; key rotation is practiced, not just documented
Multi-factor authentication
  • TOTP (RFC 6238) with QR enrollment, plus ten single-use hashed backup codes
  • Login step-up bound to a short-lived, single-purpose challenge with capped attempts and temporary lockout
  • Disabling MFA requires both the account password and a valid code
  • Every MFA event — enrollment, challenge, disable, lockout — audited with IP and user agent
Tenant isolation
  • Every query is scoped to your organization; sandbox and production environments are isolated end to end
  • NRS credentials, signing keysets, and API keys are held per organization, per environment
  • Database row-level security is built and in staged rollout as a defense-in-depth backstop to application scoping
Auditability & non-repudiation
  • Immutable audit log of every NRS MBS API call, with endpoint, status, and response evidence
  • IRN on every document; FIRS-registered signing with cryptographic QR stamping
  • Authentication and administrative actions audited; telemetry across the API and cockpit
Operational resilience
  • Per-operation timeout budgets, retry with backoff, and circuit breakers on every NRS operation
  • Idempotency keys and trace IDs on every call — an interrupted transmission is reconciled by status pull, never duplicated
  • Public status page with live component states
Practices

How we keep it that way.

Secure development
A CI security gate on every change.
Static analysis, dependency audit, SQL-injection probes, and migration smoke tests — before anything can merge.
Data protection
NDPR-aligned terms, published.
Our privacy notice and data-processing terms are public, not paywalled.
Service commitments
A written SLA, not a promise.
Production availability targets, support response times, and incident management are published.

Found a vulnerability? Email support@taxpoynt.com and we will acknowledge within one business day.

Go deeper

The documents behind
this page.

The full security and compliance overview, the production service level agreement, and our legal terms are published — read them before you sign anything.

Security & compliance docsService level agreementLive platform status
NDPR-aligned · 99.5% production uptime target