Trust Centre

Information Security is no longer a luxury.
It’s a basic necessity.

Data Protection 24/7, 365 days a year

In the complex world of indirect tax, simplify your world by leaning on our two decades of cross-border expertise and industry-leading technology to maximize both your foreign and domestic VAT refunds without any risks of errors or compliance snags.


GDPR Compliant

We are GDPR compliant. We also have a data access request policy which ensures that data subjects’ rights are protected and provides them with a mechanism that enables them to know where their data is at all times.


ISO 27001 Certified

We were the first industry player to take compliance to this level. We are fully ISO/IEC 27001 certified, which means our information security management system has been audited against the standard by an accredited independent certification body (details of the current certificate are set out below).


STAR Registry Listing

Founded in 2013 by the Cloud Security Alliance, the Security, Trust, Assurance and Risk (STAR) registry encompasses key principles of transparency, rigorous auditing, and cloud security and privacy best practices.


Storage and Encryption

All data is encrypted at rest in our database using AES-256 encryption. Depending on the transmission mechanism, data is encrypted in transit using the following:

• TLS encryption (HTTPS);
• SSH encryption (SFTP), should the client choose this as the transfer mechanism; SFTP runs over SSH rather than SSL/TLS, so the client should verify the server's host key on first connection;
• Microsoft SharePoint security controls, should the client choose this as the transfer mechanism.


Advanced Logging & Monitoring

Advanced logging and monitoring are used to track every transaction on our system. We ensure that only authorised personnel have access to your data.

Trust Centre

VAT IT is aware of its obligations to protect Personal Information and Client Confidential Information with strict information security safeguards. The following compliance measures set out our commitment to information security and client confidentiality.

VATit Processing Centre is ISO 27001:2022 certified. ISO 27001 is the leading international standard focused on information security. The International Organisation for Standardisation, together with the International Electrotechnical Commission (IEC), develops and publishes voluntary standards, some of which can be certified against. The certification was issued by an accredited independent third party after the successful completion of a formal audit process. A copy of the latest certificate can be found here.

Cloud Security Alliance STAR Registry

The Security, Trust, Assurance and Risk (STAR) registry was founded in 2013 by the Cloud Security Alliance (CSA) and encompasses key principles of transparency, rigorous auditing, and cloud security and privacy best practices. Level 1 consists of a security self-assessment in which the provider evaluates and documents its relevant security controls against the Cloud Controls Matrix.

VAT IT has submitted the Consensus Assessments Initiative Questionnaire (CAIQ) to document its compliance with the Cloud Controls Matrix. VAT IT has obtained its STAR Level 1 and the questionnaire can be downloaded from the CSA Registry here.

EU General Data Protection Regulation Compliance

VAT IT operates globally, including in the EU, and therefore commits itself to strict compliance with applicable data protection laws, including the EU General Data Protection Regulation (GDPR). More information regarding our compliance with the EU GDPR can be found here.

External data centre compliance

VAT IT only uses data centres and IaaS suppliers who can show a strict commitment and adherence to privacy and information security:

Amazon Web Services – AWS demonstrates a high level of commitment, with a vast array of certifications/attestations to corroborate this, including ISO 9001, ISO 22301, ISO 27001, ISO 27017, ISO 27701, ISO 27018, PCI DSS Level 1, SOC 1, SOC 2, and SOC 3. AWS’s extensive certifications, attestations and compliance framework can be accessed here.

Teraco Data Environment - Teraco ensures that it can meet a variety of compliance and information security standards, and implements strict controls to meet industry standards, and its certifications/attestations include: PCI DSS, ISO 27001, ISO 9001, ISO 14001, ISO 50001, and ISAE 3402 Type 2. Teraco’s certifications and attestations can be accessed here.

Microsoft Azure – Azure is vehemently committed to trust, transparency, standard conformance, and regulatory compliance, with the following certifications/attestations: ISO 27001, ISO 27018, SOC 1, SOC 2, SOC 3, FedRAMP, HITRUST, MTCS, IRAP and ENS. Microsoft Azure’s certifications and compliance documents can be accessed here.

It is also important to note that VAT IT servers are hosted on Microsoft Azure in data centres located in the EU.

VAT IT is ISO 27001 certified and all systems are built and developed on the premise of ensuring confidentiality, integrity and availability of information. VAT IT clearly demonstrates the ability to comply with statutory, regulatory and contractual requirements, with top management’s express commitment to upholding the standards of confidentiality, integrity and availability. In line with our commitment to information security and data protection, VAT IT has developed a list of information security policies as well as an array of security features that are implemented to ensure client information is kept safe.

SECURITY MEASURES IMPLEMENTED

The following measures are implemented for all customers, regardless of the scope and location of the services to be provided.

Device and network security

VAT IT commits itself to the following device and network security:

  • We use industry standard network protection procedures including segregation using VLANs and router technologies, intrusion detection and prevention systems, centralized log aggregation and alert mechanisms.
  • All devices are securely configured and have real-time anti-virus, anti-malware, and anti-spyware installed and are password protected.
  • Data is stored behind appropriately configured firewalls.
  • Endpoint security is enabled on all devices.
  • Employees are provided access to client information on the principle of least privilege and only after the relevant manager has authorised such access.
  • Password complexity requirements are enforced and are set out in our Password Protection Policy. Passwords are required to be changed every 60 days.
  • Single Sign On with two-factor authentication is implemented for access to VAT IT systems.
  • Auditable records/logs of user activity in our core system are maintained.
  • All employees who work remotely are required to use a VPN.

Security training

All employees undergo security training on induction and at least annually thereafter on our e-learning platform, which leaves an audit trail and allows attendance to be monitored. Security training includes topics related to information security, ISO 27001, data privacy, GDPR and relevant HR-related materials. Mock phishing campaigns are conducted by our IT department as part of our awareness training.

Employees

All employees undergo credit and criminal checks (subject to local laws) before their employment with VAT IT, or shortly thereafter. Employees are also required to sign indefinite confidentiality/non-disclosure agreements before access is provided to any of our systems. We have a formal on-boarding and off-boarding system that also caters for changes in employment status/ job roles and ensures the effective off-boarding of employees (including access revocation and return of assets) after termination of their employment.

Physical security

VAT IT offices are protected with 24/7 staffed security personnel, 24/7 CCTV monitoring, and card-controlled access that is based on job descriptions. Fully redundant backup power systems are provided.

Encryption

All data is encrypted at rest using AES-256. Data in transit is encrypted using TLS 1.2 (for HTTPS connections and integrations), SSH (for SFTP transfers) or AES-256 applied to the transferred data itself. Data transfer mechanisms are chosen by each client and can range from an SFTP server set up for the client to integration with their expense management tools. Information is transferred internally using SharePoint, whose associated security controls, including AES-256 encryption, are applied automatically. Employees are required to synchronise their devices to OneDrive so that our IT department retains central control as part of our governance programme.

Backups

Full backups are conducted daily and are stored encrypted in an environment that is physically separated from the primary servers to ensure fault tolerance. External data centres feature physical security and safety measures, including fully redundant power backup systems, physical access controls, biometric and/or card-controlled access systems, extensive seismic bracing, early detection smoke and fire alarms, and digital surveillance systems.

Audits / testing

Internal audits are conducted at a minimum annually. VAT IT undergoes independent third-party audits as part of its ISO 27001 certification programme. Penetration tests are conducted annually by independent third parties, and we undertake to remediate any and all vulnerabilities identified within 90 days thereafter.

Patch management

Ongoing internal network security audits and scanning give us an overview that allows quick identification of impacted systems and services. We have a Patch Management Policy which ensures that operating systems and software used in our infrastructure are updated to the latest versions on a regular basis. When a patch becomes available we are notified automatically, so that our systems are continually kept up to date. Our IT department also logs on every 30 days to check whether any patch remains to be installed, to ensure that nothing is missed.

Vulnerability Management

Vulnerability scans occur in line with our Vulnerability Management Policy. Whenever a vulnerability in a product we use, or any high or critical vulnerability, is publicly reported, prompt action is taken to mitigate any potential risks for our clients: we apply hotfixes and patches promptly when available and/or implement proactive mechanisms such as firewall or IDS/IPS configuration. Endpoint vulnerability scans are conducted automatically on a continuous basis. Vulnerability scans on internal and external networks are conducted at minimum quarterly or after significant changes occur to the network. Open source and dependency scans occur with every code change to software applications. Static code analysis occurs for every code change implemented. Further to this, automatic periodic scans occur on all projects that are not experiencing active changes.

Asset management

An inventory of software applications, physical devices and systems is maintained. We use Microsoft Intune as a cloud-based endpoint management solution to regulate our device management.

For a more detailed description of the security measures implemented by VAT IT and its compliance with the Cloud Control Matrix as listed by Cloud Security Alliance (CSA), please see the self-assessment submitted by VAT IT and our STAR level 1 listing on the CSA Registry here.

VAT IT adopts a privacy-conscious culture and commits itself to the principles inherent in the General Data Protection Regulation (“GDPR”), namely those dealing with transparency, lawfulness, fairness, purpose limitation, accuracy, storage limitation, integrity, and accountability. Thus, VAT IT is aware of its obligations towards its clients and the protection of personal data.

VAT IT acts as the Data Processor in relation to the clients’ data, and our Clients act as Data Controllers. As part of the obligations as Data Processor under the GDPR, and any other applicable data protection laws, VAT IT declares that it is at all times compliant with these applicable legal requirements when providing services to the clients. VAT IT declares that it shall comply with the following provisions in the course of providing services to the clients:

1. Personal data shared by the clients shall be processed only in accordance with the clients’ instructions. VAT IT only collects and uses personal data as provided by the clients and insofar as it is necessary to provide the agreed upon services. VAT IT also only processes limited personal data as provided by the clients, does not collect personal data from any third parties (with the limited exception of our integration with our clients’ expense management tools at the sole discretion and with the consent of our clients) and does not process any special category data.

2. Personal data shall not be transferred across borders to third countries (non-EU countries) without the clients’ prior written consent. Where personal data is transferred to third countries, it will be done in line with the applicable data protection laws (Articles 44 to 50 of the GDPR) and the necessary precautionary safeguards shall be taken. Any mandatory transfer mechanisms, including Standard Contractual Clauses, shall be put in place before any third country transfer.

3. VAT IT shall only provide access to such personal data to its employees as is required in order for them to complete their work and to provide the agreed upon services to the client.

4. VAT IT will only subcontract with the necessary prior written consent of the clients, or general written authorisation from the client, and it shall be ensured that the subcontractor(s) signs a contract containing equivalent security and safety provisions to meet GDPR requirements.

5. The necessary technical and organisational security measures will be implemented to safeguard personal data against accidental or unlawful destruction, accidental loss, alteration, unauthorised access, theft, disclosure, and all other unlawful forms of processing.

6. The client will promptly be notified of:

a. Any security breach (actual or threatened) that affects personal data and VAT IT will assist with any subsequent investigation, mitigation, and remediation;

b. Any Data Subject access request received from an individual regarding their Personal Data, prior to responding to that request;

c. Any legally binding request for disclosure of the personal data by a regulatory or enforcement authority, unless such notification to the client is expressly prohibited under the relevant regulation or order.

7. At the date of cessation of any Services involving the processing of personal data, at the election of the client, VAT IT shall return and/or delete and procure the deletion of all copies of personal data. VAT IT may retain personal data to the extent required by applicable laws.

8. All relevant information will be made available regarding data processing activities to the clients and regulatory authorities where required to show compliance.

9. VAT IT will allow the client or its independent auditor access to the data processing facilities to carry out an audit at the client’s request, upon reasonable written notice of such an audit.

10. VAT IT will provide full assistance to the clients in conducting privacy and data protection impact assessments, and related consultations with the relevant data protection authorities.

If there are any queries or requests for further information in relation to the topics raised in here, kindly contact dataprotection@vatit.com for further assistance and clarity.

Last Reviewed on: 1 June 2023

1. What data does VAT IT Collect?

In the Client’s use of the Services, VAT IT may collect and store the following Client Information:

  • Personal Information relating to a Client’s employees; and/or
  • Information relating to the Client’s organisation and business; and/or
  • Information in respect of each invoice. Such information includes, but is not necessarily limited to: the country of expense; the date of the expense; the value; the expense type; the currency; the billing address; the supplier information (if available); a scan or image of the invoice; and the details of the traveller, which could include the traveller’s name and/or allocated reference number.

2. How does VAT IT Collect Data?

  • VAT IT does not collect any personal data from any third parties (with the limited exception of our integration with our clients’ expense management tools at the sole discretion and with the consent of our clients), and only collects personal data as is provided by the Client and with their consent in one of the following ways:
    • Through integrating with one of the Client’s expense management tools;
    • Email;
    • Physically sent invoices/expenses to VAT IT offices;
    • SharePoint shares;
    • SFTP arranged and requested by the Client;
    • Any other way arranged between the Client and VAT IT.

3. How will VAT IT use Client Data?

  • In providing the agreed upon services, VAT IT acts as Data Processor and the Client acts as Data Controller, and each has the corresponding obligations as set out in the relevant law.
  • Under no circumstances will VAT IT sell Client Information (including “sell” as is defined by the CCPA).
  • VAT IT will use, disclose and share the Client Information only as follows:
    • To provide VAT and/or Tax reclaim, or any other agreed upon Services;
    • By disclosing Client Information to third party sub-processors appointed by VAT IT in order to enable VAT IT to provide the Services, and who are bound by the same or similar privacy restrictions. VAT IT shall ensure that any sub-processor used in the provision of any services on behalf of VAT IT will:
        1. Only use the Personal Data to assist VAT IT in providing, maintaining or improving the Services VAT IT provides to its Clients;
        2. Provide at least the same level of protection of Personal Data as is required of VAT IT;
        3. Will notify VAT IT if it can no longer provide the required protections.
    • In order to submit any VAT and/or Tax reclaims to the relevant VAT and/or Tax Authorities.
    • VAT IT may disclose Personal Information to law enforcement, other government officials, or other third parties as VAT IT, in its sole discretion, believes necessary or appropriate in connection with an investigation of fraud, intellectual property infringement, or other activity that is illegal or may expose it to legal liability, or in connection with a merger, consolidation, or sale of its assets. VAT IT shall notify the affected clients of such disclosure, unless notification is prohibited by any applicable laws, regulations, or orders.
    • By agreeing to this privacy policy, you consent to receiving Marketing communications from time to time.

4. How does VAT IT store Client information?

  • VAT IT ensures the safety and security of all information stored. Information is encrypted at rest and in transit.
  • VAT IT will store information in line with our Retention, Destruction, Deletion and Decommissioning Policy. Information will only be stored for as long as is required to provide the relevant services to our clients, and for as long as is required by applicable laws, and will continue to implement the same technical and organisational measures during such retention period.
  • After the retention period, VAT IT will, at the choice of the Client, either return the Client Information, or delete such information and certify to the client that the information has been destroyed.

5. Security

VAT IT shall take reasonable technical, administrative and physical steps to protect against unauthorised access to and disclosure of Client Information.

More information regarding VAT IT’s Security measures can be found here.

6. Comments And Questions

7. Data Subject Rights

  • As far as the EU and UK GDPR are applicable, Data Subjects have certain rights in terms of applicable Data Protection Laws. A request to enforce any rights must be made to the relevant Client, who acts as Data Controller of the Personal Data. VAT IT will endeavour to assist the Client with any request made by a Data Subject, or inform the Client and direct any such requests from Data Subjects to the Client.
  • Data Subjects have the following rights:
    • Right to access;
    • Right to rectification;
    • Right to erasure;
    • Right to restrict the processing;
    • Right to object to the processing;
    • Right to data portability.

8. Policy Compliance

  • The Technology Department shall verify compliance with this Policy through various methods, including, but not limited to, audits.
  • Any exceptions to this Policy must be approved, in writing, by the CTO/Head of Technology.
  • Any Employee found to have violated this Policy may be subject to disciplinary action.
  • It is the Employee’s responsibility to stay compliant with this Policy and the amendments from time to time.

9. Amendments

  • This Policy may be amended by VAT IT from time to time.
  • This version of the Policy replaces any previous version hereof.

Last Reviewed on: 1 June 2023

VAT IT is committed to complying with regulatory obligations across the globe, considering its international client base. This commitment is to meet the requirements of many Data Protection Laws, including, but not limited to, the following:

California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA)

Consumer Rights

As far as the CCPA is applicable, Consumers have certain rights in terms of applicable Data Protection Laws. A request to enforce any rights must be made to VAT IT’s relevant Client, who acts as the Business in terms of Personal Information. VAT IT acts as a Service Provider, as defined in the CCPA. VAT IT will endeavour to assist the Client with any request made by a Consumer, or inform the Client and direct any such requests from the Consumer to the Client.

Consumers have the following rights in terms of the CCPA:

  1. Consumer’s right to delete personal information
  2. Consumer’s right to correct inaccurate personal information
  3. Consumer’s right to know what personal information is being collected (right to access personal information)
  4. Consumer’s right to know what personal information is sold or shared, and to whom
  5. Consumer’s right to opt out of sale or sharing of personal information
  6. Consumer’s right to limit use and disclosure of sensitive personal information
  7. Consumer’s right of no retaliation following opt out or exercise of other rights

A consumer may submit a request to exercise any of the above rights to confidentialitynotice@vatit.com and / or dataprotection@vatit.com.

Any personal information that is collected from the Consumer in order for VAT IT to verify the consumer’s request will solely be for the purposes of verification, and we will only disclose it to our Client who acts as the Business in order for it to assist the Consumer in fulfilling the request. It will not be retained for longer than is necessary for the purpose of verification, nor will VAT IT use it for an unrelated purpose.

The following categories of personal information can be collected by VAT IT. For each category, the entries below set out the categories relevant to VAT IT, the sources from which the information is collected, the business or commercial purposes for collection, and the categories of third parties to whom VAT IT discloses the information.

Identifiers
  • Relevant to VAT IT: name, unique personal identifier, online identifier, IP address, account name, social security number
  • Sources: the consumer’s employer, who acts as our client; the consumer’s use of our website
  • Purposes: to provide the relevant services to our clients (the Businesses); for analytical purposes and to service the Consumer and/or personalise the Consumer’s experience on our website; to respond to any inquiries and provide customer support
  • Disclosed to: our service providers (sub-processors) who are required to assist us in providing our services to our clients; the relevant Tax and/or VAT Authority where the reclaim was submitted; other internal branches/entities within the same Group, in order to assist in providing the relevant services

Customer records information
  • We do not collect this type of information

Characteristics of protected classifications under California or federal law
  • We do not collect this type of information

Commercial information
  • We do not collect this type of information

Biometric information
  • We do not collect this type of information

Internet or other electronic network activity information
  • Relevant to VAT IT: a consumer’s information regarding their interaction with our website and/or VAT Cloud
  • Sources: the consumer’s use of our website and/or VAT Cloud
  • Purposes: for analytical purposes and to service the Consumer and/or personalise the Consumer’s experience on our website
  • Disclosed to: only our service providers (sub-processors) who are required to assist us in providing our services to our clients; other internal branches/entities within the same Group, in order to assist in providing the relevant services

Geolocation data
  • Relevant to VAT IT: as part of our cookies policy and your usage of our website, we might collect geolocation data in the form of your country location
  • Sources: the consumer’s use of our website and/or VAT Cloud
  • Purposes: for analytical purposes and to service the Consumer and/or personalise the Consumer’s experience on our website
  • Disclosed to: only our service providers (sub-processors) who are required to assist us in providing our services to our clients; other internal branches/entities within the same Group, in order to assist in providing the relevant services

Audio, electronic, visual, thermal, olfactory, or similar information
  • We do not collect this type of information

Professional or employment-related information
  • Relevant to VAT IT: the relevant consumer’s role in our client’s company, which might be contained within the contract that is signed or used as a way to authenticate their authority
  • Sources: the consumer’s employer, who acts as our client, or the Consumer directly entering this information on behalf of the client
  • Purposes: to provide the relevant services to our clients (the Businesses) and to authenticate the Consumer for legal and/or audit purposes
  • Disclosed to: only our service providers (sub-processors) who are required to assist us in providing our services to our clients; the relevant Tax and/or VAT Authority where the reclaim was submitted; other internal branches/entities within the same Group, in order to assist in providing the relevant services

Education information
  • We do not collect this type of information

Inferences
  • We do not collect this type of information

VAT IT will never share consumer information with third parties for cross-context behavioural advertising, whether for monetary or other valuable consideration or for any other benefit where no money is exchanged.

VAT IT will never sell a consumer’s information to a third party for monetary or other valuable consideration.

Modern slavery statement for fiscal year 2023/24

1. Introduction

1.1. This statement is made pursuant to s.54 of the Modern Slavery Act 2015 and sets out the steps that VATit Group Limited has taken and is continuing to take to ensure that modern slavery or human trafficking is not taking place within our business or supply chain.

1.2. Modern slavery encompasses slavery, servitude, human trafficking and forced labour.

VATit Group Limited and its subsidiaries (“VAT IT Group” or “Group”) have a zero-tolerance approach to any form of modern slavery. We are committed to acting ethically and with integrity and transparency in all business dealings and to putting effective systems and controls in place to safeguard against any form of modern slavery taking place within the business or our supply chain.

2. Our business

The VAT IT Group operates a platform that provides cross-border VAT and tax recovery services which assists clients to reclaim VAT, withholding taxes and other indirect taxes which they are eligible to reclaim. VAT IT also supports clients in ensuring VAT registration and filing compliance requirements are met. In addition, the Group also provides Importer of Record ('IOR') services for companies which ship technology and medical equipment abroad, as well as global trade compliance services for any e-commerce business. The VAT IT Group serves over 13,000 clients in more than one hundred countries worldwide. These range from small and medium-sized enterprises to large multinational corporations, across a wide range of sectors.

3. Our high-risk areas and supply chain

We do not believe that we have elevated risk areas as our main supplier is VATit Processing (Pty) Ltd, which is a subsidiary company. VATit Processing (Pty) Ltd drives compliance within our association. As mentioned above we have a zero-tolerance approach to any form of modern slavery. Applicable employment laws are adhered to and enforced. Other suppliers which we utilize are either professional organisations or reputable suppliers within their industries and therefore to sustain their reputations, strictly adhere to compliance requirements.

4. Our policies

4.1. We operate various internal policies to ensure that we are conducting business in an ethical and transparent manner. These include:

4.1.1. Whistleblowing policy: We have a whistleblowing policy so that all employees know that they can raise concerns about how colleagues are being treated, or practices within our business or supply chain, without fear of reprisals.

4.1.2. Code of business conduct: This code explains the way we behave as an organisation and how we expect our employees to act.

5. Our performance indicators

5.1. We will know the effectiveness of the steps that we are taking to ensure that slavery and/or human trafficking is not taking place within our business or supply chain if:

5.1.1. No reports are received from employees, the public, or law enforcement agencies to indicate that modern slavery practices have been identified.

6. Approval for this statement

This statement was approved by the Board of Directors on 17 May 2023.

Please contact us here if you want to request a copy of the official, signed version of this statement.

Executive Summary

The VAT IT Group recognizes that its activities have the potential for both positive and negative impacts upon the environment at local, national and global levels.

VAT IT acknowledges its responsibility for environmental protection and also aims to contribute to the national commitment to sustainable development and to all official sector-based carbon reduction targets.

The positive environmental sustainability aspects of research and teaching and learning will be promoted. VAT IT will seek to achieve continual improvement in how it understands and responds to its environmental impacts.

VAT IT commits itself to:

1. Communicate its environmental policy and strategy to staff, clients and other stakeholders and to raise awareness amongst these groups of their own environmental responsibilities and requirement to commit to environmental improvements;

2. Comply fully and where possible exceed standards set in relevant UK, EU and international regulatory requirements and agreements;

3. Reduce its carbon footprint through prudent use of fossil fuels (through energy conservation, management and efficiency within buildings) and to switch to low-carbon fuel alternatives where possible;

4. Manage and reduce water consumption;

5. Deliver a travel plan to reduce single occupancy vehicle use to our sites; implement measures to encourage walking, cycling and the use of public transport as principal modes of commuting and business travel for staff, students and visitors;

6. Reduce waste created and where possible to reuse and recycle before responsible disposal of surplus materials; to use recycled and recyclable materials wherever possible;

7. Protect natural habitats and encourage local wildlife and biological diversity of VAT IT’s managed land;

8. Integrate principles of environmental sustainability within all VAT IT policies and practices, specifically to those relating to procurement of goods and services;

9. Refurbish and develop all VAT IT land in a manner that avoids negative environmental impacts and enhances the local environment;

10. Avoid or limit wherever practical the use of environmentally-damaging substances, materials and processes;

11. Work with local, regional and national partners to realize environmental projects;

12. Develop Environmental Management Systems.

Progress on implementing all areas of the policy will be reviewed annually by the VAT IT Environmental Management Working Group and Sustainable Travel Implementation Group. The policy itself is subject to annual review.