Terms of use

Review the questions we ask when you request production access

The terms of use explain what we expect from you when creating and operating software services that use HMRC APIs hosted on the HMRC Developer Hub.

You will be asked these questions when you apply for production access. You must make sure that your software conforms to our terms of use.

HMRC staff will review your responses and information is kept private.

The terms of use do not create a legal relationship between HMRC and any software developer.

We reserve the right to remove your access to the Developer Hub and its APIs temporarily or permanently.

You have 6 months to complete your request for production credentials. After that, your progress is deleted and you will need to start again.


About your organisation

Organisation details

Question: Provide details for a responsible individual in your organisation.
Notes: The responsible individual:

Question: What is your organisation’s URL?
Notes: For example https://example.com.

Question: Provide evidence that your organisation is officially registered.
Notes: If you are in the UK, you can identify yourself or your organisation using your:

  • Unique Taxpayer Reference (UTR)
  • VAT registration number
  • PAYE reference
  • Corporation Tax Unique Taxpayer Reference (UTR)

Or you can use your company registration number given to you by Companies House.

If your organisation is outside the UK, we’ll need evidence that your organisation is officially registered in your country.

Marketing your software

Question: Do you use HMRC logos in your software, marketing or website?
Notes: We will check if you are using HMRC logos in your software, marketing or website.

Question: Do adverts in your software comply with UK standards?
Notes: Advertising that appears in your software (including third party advertising) must follow:

Question: Do you advertise your software as ‘HMRC recognised’?
Notes: Only use ‘HMRC recognised’ when advertising your software. Do not use terms like ‘accredited’ or ‘approved’.

Question: Do you get your customers’ consent before sharing their personal data for marketing?
Notes: You must not share customers’ personal data without their consent. Read the Direct Marketing Guidance from the Information Commissioner’s Office.

About your processes

Development practices

Question: Do your development practices follow our guidance?
Notes: You must develop your software following our development practices.

Question: Does your error handling meet our specification?
Notes: We will check for evidence that you comply with our error handling specification.

Question: Does your software meet accessibility standards?
Notes: Web-based software must meet level AA of the Web Content Accessibility Guidelines (WCAG). Desktop software should follow equivalent offline standards.

Service management practices

Question: Do you provide a way for your customers or third parties to tell you about a security risk or incident?
Notes: We expect you to provide an easy contact method in the case of a security breach.

Question: Do you have a process for notifying HMRC in the case of a security breach?
Notes: Any issues concerning the security of customer data must be reported immediately to HMRC. You must also notify the ICO about a personal data breach within 72 hours of becoming aware of it.

About your software

Handling personal data

Question: Do you comply with the UK General Data Protection Regulation (UK GDPR)?
Notes: To be UK GDPR compliant you must keep customer data safe. This includes telling customers:

  • what personal data you will be processing and why
  • that you are responsible for protecting their data
  • your lawful basis for processing personal data

Question: Do you encrypt all customer data that you handle?
Notes: You must encrypt access tokens and personally identifiable data both when stored and in transit. Read the UK GDPR guidelines on encryption.

Question: Do you ensure that each customer’s data cannot be accessed by unauthorised users?
Notes: Read the National Cyber Security Centre’s guidance on keeping user data separate and best practice for username and password security.

Question: Do you have access control for employees using customer data?
Notes: Using a personnel security policy and Role Based Access Control (RBAC) will ensure that employees can only access data essential to their job role. Read the National Cyber Security Centre’s guidance.

Question: Can customers get their data from your software if they switch providers?
Notes: You must allow customers to change, export or delete their data if they want to. Read the UK GDPR guidelines on individuals’ rights.

Question: Do you store your customers’ HMRC sign-in details?
Notes: Implementing OAuth 2.0 means there is no need to store HMRC sign-in details.

Software security

If you provide software as a service (SaaS), we will ask you these questions about your software security.

Software security

Question: Has your application passed software penetration testing?
Notes: Use either penetration test tools or an independent third party supplier. For penetration testing methodologies read the National Cyber Security Centre Penetration Guide.

Question: Do you audit security controls to ensure you comply with data protection law?
Notes: Assess your compliance using the ICO information security checklist.

Fraud prevention data

If you use VAT (MTD) or Income Tax Self Assessment (MTD) APIs, we will ask you these questions about fraud prevention data.

Fraud prevention data

Question: Does your software submit fraud prevention data?
Notes: You must submit header data in line with the fraud prevention specification.

Question: Have you checked that your software submits fraud prevention data correctly?
Notes: Before you submit any header data, you need to use the Test Fraud Prevention Headers API.

Customers authorising your software

Question: Where are your servers that process customer information?
Notes: For cloud software, check the server location with your cloud provider.

Question: Do you have a privacy policy URL for your software?
Notes: You need a privacy policy covering the software you request production credentials for.

Question: Do you have a terms and conditions URL for your software?
Notes: You need terms and conditions covering the software you request production credentials for.