How TCA cleared the FTA security review and launched as a certified UAE e-invoicing provider

Security gaps closed: API protection + cloud posture
Small to X engagement: expanding security roadmap
FTA certified: registered ASP, live in market

About Tax Compliance Agent

Tax Compliance Agent (TCA) is a Dubai-based fintech building e-invoicing infrastructure for the UAE market. Their platform sits at the centre of one of the most significant regulatory shifts the region has seen in recent years: the UAE government’s mandate that all businesses above a certain revenue threshold must issue, transmit, and store invoices electronically through approved channels, starting January 2027.

The Federal Tax Authority is not building this infrastructure itself. Instead, it has created an Accredited Service Provider (ASP) programme. Approved third parties build and operate the e-invoicing stack and sell access to businesses across the country. TCA is one of those providers. Every invoice a TCA customer sends flows through their infrastructure before it is legally valid under UAE law.

TCA’s product handles the full technical chain the FTA requires: invoice generation in the structured XML format mandated by the government, transmission through the PEPPOL network, real-time tax data reporting to the FTA, and long-term secure invoice storage. They are building specifically for the segment of the market that cannot afford the large enterprise ASP solutions: the small and mid-sized businesses that represent the majority of companies operating in the UAE.

The challenge: a security review was blocking market entry

Becoming an FTA-registered ASP is not just a product evaluation. It is a security evaluation. An ASP handles tax data for potentially thousands of businesses, reports that data to the government in real time, and is required to store it securely for a minimum of five years. Every transaction that flows through an ASP is a regulated financial record. The FTA reviews whether a prospective ASP can be trusted with that responsibility before granting them the right to operate.

When TCA went through the FTA certification process in early 2026, the review flagged two gaps. Their API infrastructure needed active security protection in place. And they needed to produce and submit formal security documentation that met the FTA’s standard. Without both, TCA could not receive ASP certification and could not legally operate in the market they had built for.

“We were in the middle of our FTA application when the security review came back with gaps. We needed someone who could move fast and actually understand what regulators are looking for. Osto got us across the line.”

Kanishk Garg, Founder, Tax Compliance Agent

TCA came to Osto in January 2026 with two concrete requirements: get the right security infrastructure deployed, and get the documentation ready for submission. Both needed to happen before the certification review could proceed.

About Osto

Osto is a unified security and compliance platform built for startups and growth-stage companies. The core premise is that a seed-stage or early-growth company deserves enterprise-grade security infrastructure without the enterprise overhead, without a dedicated in-house security team, and without the months-long implementation cycles that large vendors require.

Osto bundles the security modules that companies in regulated markets need (WAF, CSPM, endpoint protection, VAPT, SOC 2, ISO 27001, and security questionnaire response) into a single platform that deploys in days. For companies like TCA, this means the security program that would otherwise require months of procurement, implementation, and vendor management can be operational before a regulatory deadline arrives.

The solution: infrastructure deployed, documentation produced, certification cleared

Osto addressed TCA’s two certification blockers in parallel.

Web Application Firewall (WAF)

A WAF sits in front of an application’s API layer and inspects every incoming request before it reaches the application. It blocks known attack patterns, malicious payloads, and exploit attempts in real time, without any changes to the underlying application code. For TCA, whose platform receives structured financial invoice data through APIs, a WAF addressed the FTA’s requirement for active API security protection. Attackers targeting invoice infrastructure can attempt SQL injection, credential stuffing, and API abuse to access financial records. The WAF is the first line of defense that stops those attempts before they reach the data.

Cloud Security Posture Management (CSPM)

CSPM continuously scans a company’s cloud environment and flags misconfigurations that create security risk: storage buckets left publicly accessible, overly permissive access controls, unencrypted databases, missing logging. For a small team building quickly in the cloud, misconfigurations are common and often invisible until they cause a problem. For TCA, operating infrastructure that stores regulated tax data, a misconfiguration that exposed invoice records would be a significant regulatory event. CSPM means those issues are caught and remediated continuously, not discovered during an audit or after a breach.

Alongside the infrastructure deployment, Osto produced the formal security documentation the FTA required: policies, controls evidence, and the structured materials the government assessors needed to see to verify that TCA’s security program met the ASP certification standard.

With both gaps addressed, TCA submitted to the FTA review and passed. They received ASP certification and launched as a registered e-invoicing provider in the UAE.

Results


FTA certified. TCA received ASP approval and is now legally operating as an e-invoicing provider in the UAE. The certification block that was preventing market entry was resolved.

Active security infrastructure in place. WAF protecting the API layer, CSPM providing continuous cloud posture visibility. Both running before TCA’s first paying customer was onboarded.

Security program expanding with the business. The engagement started small and is tracking toward a significantly larger footprint as TCA’s compliance requirements grow with their customer base.

What comes next

FTA certification was the condition for launch. As TCA grows its customer base and the volume of financial data flowing through its platform increases, the security and compliance expectations from enterprise customers, auditors, and regulators will grow with it.

| Phase | What was done |
| --- | --- |
| Phase 1 · Complete | Web and cloud security. WAF deployed for application and API protection, CSPM for continuous cloud visibility, and formal security documentation produced and submitted to the FTA. |
| Phase 2 · In progress | VAPT and source code assessment. A full security assessment of TCA’s application, APIs, and codebase to identify and remediate vulnerabilities. |
| Phase 3 · Planned | SOC 2 audit and ISO 27001 certification. As the business grows and enterprise customers come in, the formal compliance certifications that B2B buyers require. |
| Phase 4 · Planned | Security questionnaire response. Respond to any enterprise vendor security questionnaire in minutes, without pulling the team away from product. |

“Security is not a one-time thing for us. As we grow the customer base, the requirements grow with us. Having Osto as the partner running this means we can stay focused on the product.”

Kanishk Garg, Founder, Tax Compliance Agent

The engagement started with a single, time-sensitive problem. What it has become is a security program designed to grow with the business across multiple phases, from launch certification to enterprise-grade compliance. That is the pattern Osto is built for: starting where the company is and building toward where it needs to go.

Osto helps companies who need to move fast without getting security wrong.

If you are building in payments, e-invoicing, lending, or any space where financial data and regulatory requirements come with the territory, the security review will come. The question is whether your program is ready when it does, or whether it becomes the thing that delays your launch.

We work with early-stage and growth-stage teams to deploy the right infrastructure, produce the right documentation, and build the security program that keeps pace as the business grows. No in-house security team required.

Talk to us at Osto

At a glance

Company: Tax Compliance Agent (TCA)
Location: Dubai, UAE
Industry: e-Invoicing and Tax Technology
Challenge: API security gaps and missing documentation blocking FTA ASP certification
Osto solutions: WAF, CSPM, Security documentation, Web and API assessment (in progress), SOC 2 and ISO 27001 (planned), Security questionnaire response (planned)
Outcome: FTA certified. Operating as a registered ASP in the UAE.
