Is Your MTD Software Secure? Data Privacy and Security Explained
Last updated: 19 February 2026
With Making Tax Digital for Income Tax starting on 6 April 2026 for sole traders and landlords with qualifying income above £50,000, you may be wondering what happens to your financial data once it leaves your spreadsheet or accounting software. It is a reasonable concern — I hear it regularly from clients at Jack Ross.
This guide explains what data HMRC actually receives, how recognised software protects your information, and the practical steps you should take to keep your records secure.
What data does MTD software share with HMRC?
This is the single most common worry I hear: “Can HMRC see everything in my accounts?” The short answer is no.
When your software submits a quarterly update, HMRC receives summary totals only — your total income and total expenses for the quarter, broken into standard categories such as rent, travel, professional fees and office costs. If your annual turnover is below £90,000, you can submit consolidated expenses as a single figure with no category breakdown at all.
HMRC does not receive:
- Individual invoices, receipts or transactions
- Your bank feed data or bank statements
- Details of who paid you or who you paid
- Live or ongoing access to your accounting records
Your software converts your transaction-level data into these summary figures and sends them via HMRC’s secure API. The underlying records stay in your software. You must maintain digital links between your original records and the submitted figures, but those links exist within your own systems — not on HMRC’s servers.
How HMRC-recognised software is vetted
Before any software can connect to HMRC’s MTD systems, the developer must complete a formal recognition process:
- API testing — developers test all required endpoints in HMRC’s sandbox environment, demonstrating correct submission of quarterly updates and final declarations.
- Fraud prevention headers — software must transmit specific fraud prevention data with every API call, reviewed by HMRC’s specialist team.
- Production Approvals Checklist — a detailed checklist covering functionality, security and data handling. HMRC reviews testing logs before granting production access.
- Ongoing compliance — recognised software must continue meeting HMRC’s minimum functionality standards, with each new feature stage requiring fresh testing.
You can check whether your software appears on HMRC’s official list of recognised software. If it is not on the list, do not use it for MTD submissions.
Cloud security: Xero, QuickBooks, FreeAgent
The three most widely used cloud accounting platforms for UK sole traders and landlords all invest heavily in security. Here is how they compare — and you can explore features in more detail using our software comparison tool.
Encryption (at rest and in transit)
All three platforms encrypt data both in transit and at rest:
- Xero — encrypts all communication between your device and its servers, with data encrypted on secure servers.
- QuickBooks Online — uses 128-bit SSL encryption for data in transit and encrypts stored data at rest. The QuickBooks Online database holds ISO/IEC 27001:2013 certification.
- FreeAgent — uses TLS v1.2 for data in transit and 256-bit AES encryption for stored data, including uploaded files.
Two-factor authentication
Two-factor authentication (2FA), also called multi-factor authentication (MFA), adds a second verification step beyond your password:
- Xero — MFA is mandatory for all users. You can use the Xero Verify app (push notification) or Google Authenticator (six-digit code).
- QuickBooks — supports MFA through verification codes sent to your registered device.
- FreeAgent — offers 2FA and holds Cyber Essentials Plus certification, which independently verifies its security controls.
Data centre locations and backups
FreeAgent stores customer data in Ireland-based data centres (ISO 27001, 27017 and 27018 certified) across multiple availability zones. QuickBooks and Xero use third-party hosting infrastructure including Amazon Web Services, and may store data in the US or other jurisdictions with UK GDPR-adequate safeguards.
All three platforms perform automatic backups across multiple availability zones, so your data is replicated in separate physical locations — a significant advantage over a single laptop or desktop.
GDPR and your MTD data
The UK GDPR and the Data Protection Act 2018 give you specific rights over personal data held by MTD software providers:
- Right of access — request a copy of all personal data your provider holds about you.
- Right to data portability — under Article 20, request your data in a structured, machine-readable format and have it transferred to another provider. Essential if you switch software.
- Right to erasure — request deletion of your data, subject to legal retention requirements (HMRC requires records for at least five years after the 31 January submission deadline).
If you change MTD software mid-year, plan carefully — you need unbroken digital links for the full tax year. Your old provider must supply your data in a portable format on request.
If you use an accountant, the agent authorisation process through HMRC is separate from any data your accountant stores locally. They should have a privacy notice explaining what they hold, why, and for how long.
Bridging software security considerations
Not everyone uses full cloud accounting software for MTD. Bridging software connects spreadsheets to HMRC’s API, letting you continue recording transactions in Excel or Google Sheets while meeting submission requirements.
There are different security considerations with this approach:
- Desktop bridging tools store your connection credentials locally. If your laptop is lost or compromised, those credentials could be exposed. Full-disk encryption and a strong login password mitigate this.
- Spreadsheet data is less protected than data in purpose-built accounting software. Spreadsheets can be accidentally emailed or saved to shared drives, and they lack the audit trails and access controls that cloud platforms provide.
- Fewer automatic security updates — cloud platforms push patches continuously, while desktop bridging tools may require manual updates.
Bridging software is a valid and HMRC-recognised approach, but you need to take more personal responsibility for data security compared to a managed cloud platform.
Practical security steps for MTD users
Regardless of which software you choose, these steps will materially reduce your risk:
- Enable 2FA on everything — your HMRC Government Gateway, your accounting software, and your email. A compromised email account lets attackers reset passwords elsewhere.
- Use a unique, strong password for your Government Gateway — HMRC reported over 135,000 suspected scam reports in a recent ten-month period, many targeting Gateway credentials. Do not reuse this password.
- Review agent authorisations regularly — check who has authority to act on your behalf and remove any you no longer need.
- Keep software updated — cloud software updates automatically. For desktop or bridging tools, check monthly.
- Watch for phishing — HMRC will never email you asking you to click a link to claim a refund. Forward suspicious emails to phishing@hmrc.gov.uk.
- Back up your records — export your data periodically, even with cloud backups. Keep spreadsheet backups encrypted in a separate location.
Worked example
David is a landlord with three rental properties generating £62,000 in gross rental income per year. He needs to comply with MTD from 6 April 2026 as his qualifying income exceeds £50,000.
David was worried about uploading financial data to the cloud. Here is what actually happens when he submits a quarterly update through Xero:
- David connects his bank accounts to Xero via a read-only bank feed. Xero can see transactions but cannot move money.
- He categorises his rental income (£15,500 for Q1) and expenses (£4,200 across repairs, insurance, agent fees and mortgage interest).
- When he submits to HMRC, Xero sends summary totals only: £15,500 income and £4,200 in categorised expenses. The individual transactions stay in Xero.
- HMRC receives year-to-date cumulative figures. If David spots an error in Q1, he corrects it in a later update.
- The submission is encrypted in transit via TLS. HMRC authenticates David through his Government Gateway credentials.
At no point does HMRC gain access to David’s Xero account. They receive quarterly summaries, nothing more.
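The summarisation step from David's example, sketched as added code that is not Xero's or HMRC's own: transaction rows are collapsed into cumulative totals, and a check confirms that no counterparty name or invoice reference appears in what is sent. The payload keys, the ledger rows and the 5 July period end are constructed assumptions, not HMRC's API schema.

```python
import json
from collections import defaultdict
from decimal import Decimal

CONSOLIDATION_LIMIT = Decimal("90000")  # turnover threshold quoted in this guide

# Constructed ledger for David (not real data). Rows stay inside the software.
# Columns: date, kind, category, amount, counterparty, reference
LEDGER = [
    ("2026-04-28", "income", "rent", "5200.00", "Tenant A", "INV-1001"),
    ("2026-05-28", "income", "rent", "5100.00", "Tenant B", "INV-1002"),
    ("2026-06-28", "income", "rent", "5200.00", "Tenant C", "INV-1003"),
    ("2026-05-03", "expense", "repairs", "900.00", "Plumber Ltd", "BILL-77"),
    ("2026-05-10", "expense", "insurance", "450.00", "Insurer plc", "BILL-78"),
    ("2026-06-01", "expense", "agent_fees", "1550.00", "Lettings Co", "BILL-79"),
    ("2026-06-15", "expense", "mortgage_interest", "1300.00", "Bank X", "BILL-80"),
    ("2026-07-20", "income", "rent", "5200.00", "Tenant A", "INV-1004"),  # Q2
]

def summarise(ledger, year_start, period_end, turnover, consolidate=False):
    """Collapse rows dated year_start..period_end into cumulative totals."""
    income, expenses = Decimal("0"), defaultdict(Decimal)
    for date, kind, category, amount, _party, _ref in ledger:
        if not year_start <= date <= period_end:
            continue  # ISO dates compare correctly as strings
        if kind == "income":
            income += Decimal(amount)
        else:
            expenses[category] += Decimal(amount)
    if consolidate:
        if turnover >= CONSOLIDATION_LIMIT:
            raise ValueError("consolidated expenses need turnover below the limit")
        expenses = {"consolidated": sum(expenses.values(), Decimal("0"))}
    # Hypothetical payload keys: only dates and totals, no transaction detail.
    return {"from": year_start, "to": period_end, "income": str(income),
            "expenses": {k: str(v) for k, v in sorted(expenses.items())}}

def leaked_values(ledger, payload):
    """Counterparty names or references that appear in the outgoing payload."""
    blob = json.dumps(payload)
    return sorted({v for row in ledger for v in row[4:] if v in blob})

if __name__ == "__main__":
    q1 = summarise(LEDGER, "2026-04-06", "2026-07-05", Decimal("62000"))
    print(json.dumps(q1, indent=2), leaked_values(LEDGER, q1))
```

Extending `period_end` to a later date picks up the July row as well, which is how a year-to-date figure absorbs a correction made after the first quarter.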
If you are just getting started, our guide on how to register for MTD walks you through the process step by step.
Frequently asked questions
Can HMRC see all my bank transactions through MTD software?
No. MTD software submits summary totals of your income and expenses — not individual transactions. Your bank feed data, invoice details and receipt records remain within your software. HMRC receives only quarterly summary figures and your final declaration at the year end.
What happens to my data if the software company goes bust?
Under UK GDPR, you have the right to data portability. Export your data regularly (most platforms offer CSV or Excel exports) so you always have an independent copy. If a provider ceases trading, administrators typically give customers a notice period to extract data. Your submitted updates are also held by HMRC independently.
Is cloud accounting safer than a spreadsheet on my laptop?
Generally, yes. Cloud platforms offer encryption, automatic backups, two-factor authentication (mandatory on Xero), continuous security monitoring and regular patching. A spreadsheet is only as secure as your device — if it is lost or infected with malware, your financial data could be exposed. Cloud security still depends on you using a strong password and enabling 2FA.
Do I need to keep paper records as well as digital ones?
MTD requires digital records with digital links from original data through to submitted figures. You are not required to keep paper records. However, I recommend retaining key documents — signed lease agreements, major invoices, mortgage statements — as supporting evidence. HMRC can request underlying records during an enquiry.
Sources
- HMRC — Find software that is compatible with Making Tax Digital for Income Tax
- HMRC Developer Hub — Making Tax Digital for Income Tax service guide
- HMRC Developer Hub — Making updates during the tax year
- HMRC — Phishing and scams: detailed information
- Xero — Data protection
- QuickBooks UK — Data security
- FreeAgent — How FreeAgent keeps your data secure
- ICO — Right to data portability