Frequently Asked Questions

General
What is the name of the software? DAC6pro
What is the (main) purpose of the software? To become compliant with MDR / DAC6 regulations
Which company is the vendor of this software? TaxModel International
Is the software / application offered for on premise use or as Software as a Service (SaaS)?
(in case it is offered both ways please fill out a separate questionnaire for each of these options)
DAC6pro is offered as a SaaS product
Is a licence for a test environment (2nd environment for test purpose only) required and included? Not required and not included in license
Basic application architecture? (2-tier / 3-tier) 3-Tier
What kind of Client-SW?
– Zero client – web browser with or without standard plug-ins
– Thin client – web browser with specific plug-in or only UI at client,
– Thick client – UI and business logic at client
Zero client
Are tools for report design, generation and delivery included?
If yes and these are 3rd party software: Which one?
n.a.
Interface to Microsoft Active Directory for account / user data available?
Included or optional?
Supported, included in the basic licence. Federated Login
Interface to SAP HR for organisation structure and personnel data available?
Included or optional or not applicable?
Not applicable
Individual extension of the software supported?
(API, user exit, …, or no)
Federated Login
Interfaces for data (metadata) and/or document (file) upload available? Supported standard software, data types and/or formats? Standard interface for *.xlst import
Interfaces for data (metadata) and/or document (file) download available? Supported standard software, data types and/or formats? Currently DAC6pro supports .xlst and .xml exports
What type of corporate data/information is this system going to process/storage? The system will store and process any type of legal data, tax relevant data, audit trails, address data, data on individuals (internal / external)
Is the data stored sensitive / confidential? (Customer or <company name> data that in case of data leakage can cause financial impact, loss of customer contracts, legal issues, operating costs, etc.) Yes
Are you currently planning an implementation for Luxembourg? DAC6pro will be prepared to be able to report in any country. As soon as Luxembourg publishes the (technical) guidelines on what requirements the actual reporting should have, we will incorporate them in DAC6pro, in order for you to file. At the moment, Luxembourg has not yet published such guidelines.
Pricing/Services
What is the price for DAC6pro per year (implementation and license)? How many users/assessments are included in such price? Per country depending on size
What are the additional services and their costs (if not included in the price above) related to the tool that you offer? (eg. training, technical support, help-desk) Training, and helpdesk & technical support.
Training – € 1,600/day (per groups of max 25 trainees)  Helpdesk & technical support – € 150 p/mnth per country
Reporting
Is the tool available both in local languages and English (if reporting has to be done in the local language)? Yes, XML will be English as required by EU
I don’t have any reportable arrangements, why would I need a system like DAC6pro? Whether you have reportable arrangements or not, during an MDR audit, your administration must conclude that you’ve assessed every arrangement. DAC6pro provides you with your own cloud environment where you can store all your (or your clients’) arrangements.
Does the functionality of DAC6pro cover all the below:
Identification and monitoring of reportable arrangements Yes
Assessment of the arrangements from the EU local laws perspective Yes, the tool will provide suggested answers / conclusions.
The user will need to make the assessment, based on the knowledge base in the tool or any outside source
Identification of party responsible for reporting Yes
Reporting to local tax authorities Yes
Update of the assessment and up-date reporting Yes
Is customization of the tool possible? If so what are the terms of such customization (price, mode etc.)? Customization is possible in the sense of white labeling, dashboarding, customizing reports etc.
Not with regard to so-called happy path / core workings of the tool.
How are different jurisdictions integrated in DAC6pro? Is it possible to access registered/reported arrangements in other jurisdictions? Regulation through XML schemes by EU member state. As for access this is only possible for arrangements that are set-up within DAC6pro
What specific functionality (if any) does your tool have comparing to the other MDR tools on the market? 100% alignment with XML schemes – most beautiful UX – 100% price transparency. We will be amongst the first ones to be able to report in XML
In what ways can data be put in? Manual / Excel import / upload files as audit trail
Can I import arrangements in bulk? Yes, you can import arrangements from .xlsx files
Does it keep track also of transactions which are assessed as non-reportable? Yes, audit trail is in tool
Does DAC6pro include a decision tree to assess arrangements? Yes
Does DAC6pro allow to draft information for submission in a format required for submission to the local authorities? Yes, XML format only
Does DAC6pro allow for automatic reporting to the relevant authorities (compliant .xml files)? Yes
Does DAC6pro allow single reporting or does DAC6pro also allow for reporting in batches? Both
Does DAC6pro allow for uploading of files? How are files stored? Yes
Content
Is the content of DAC6pro country-specific to all EU countries?
Does it contain explanations, guidance, interpretations of local laws?
The experience never changes per country.
Per country, the tool contains explanations, guidance, interpretations of local laws
How often are updates made to the tool? Is each update made free of charge? Each update is free of charge.
Updates will be made ongoing, especially now that the various EU member states will be publishing technical guidelines
Does it make the assessment on who is the reporting person, including taking into account the legal professional privilege? Yes
Does it provide a standardized notification to our clients if we are bound by the legal professional privilege? Yes
Each jurisdiction will have different criteria for reporting. Does the tool include a database on the MDR rules in the different countries? Does it include an explanation to the rules in the various countries? Yes
Not all fee earners fall under professional rules of secrecy, i.e. not all fee earners have attorney client privilege. How does the tool deal with professional secrecy/attorney client privilege? You can select if it applies – if it does not apply you don’t select – the reporting outcome will be different
The MDR rules in most countries recognize attorney-client privilege. If we cannot report an arrangement due to rules on professional secrecy, then the obligation to report shifts to other advisors or the client itself. If the obligation to report shifts to the client, can we report on behalf of a client? In other words: Are we allowed to use DAC6pro to provide services for its clients? Or is it designed for internal use only (i.e. to comply with the MDR regulations from our perspective)? No, this is not possible and also not allowed as per MDR rules / XML schemes. You can sublicense the tool to your clients (subject to € 2,500 per multinational client per annum) but these need to have their own environment for their own reporting. Your company could host the client environment and get access to the tool as reviewer and monitor what the client is doing.
Will DAC6pro be certified by the local authorities? No, authorities typically do not do this to avoid biased authorities and harmful competition. We have access to Dutch, Finnish and Swedish tax authorities and will show the tool to them for feedback; besides, we fully align with their XMLs so they probably will be comfortable with our approach
Workflow management
Does it allow both internal use (for internal transactions) and business use (for transactions advised to clients)? Yes
Does it assess transactions for reporting in all countries based on persons / entities involved? Yes
Does DAC6pro allow to exchange files with others (other colleagues/offices, clients or other external advisors/parties) and can these others edit, make amendments, comments and save each version of the document/report? Yes, based on user rights in the system
Does DAC6pro allow for making notes (which are not included in the reporting to the authorities)? Yes
Does DAC6pro include a chat function that allows for creating collaborative online workgroups? Yes
Does DAC6pro allow to create and distribute questionnaires that relevant parties can respond to and provide information that may need to be taken into account in the reporting? No / Yes. We will offer an Excel template in a few weeks that can be used as such
Does DAC6pro include a deadline tracker? Yes
Does DAC6pro allow for notification to others (e.g. client or other (external) advisors)? Within the tool yes; mailings outside the tool. It is on the radar but is to be considered from a GDPR perspective
Information Security (in case of SaaS)
Does the system log
– the activities of users,
– SW changes,
– data changes,
– service availability,
– access (logon / failed logon / logoff)
– account admin. (create, disable, enable, delete account/user),
– password changes,
– any unusual events?
See answer per line:
– Yes
– Not sure what is meant with SW changes
– Yes
– Yes (Azure Application Insights)
– Limited (Is handled by Azure Active Directory, which logs this)
– Yes
– Limited (is handled by Azure Active Directory, which logs this)
– N.a
How long does the system store logs (min/max)? No min, max 10 years (see backup policies)
Is there any procedure to protect logs from unauthorized access?
(logs may contain data like login/logout times, IP addresses, GPS position of the user, what resources used, what data accessed and when, data sharing and with whom, ….)
Logs are stored in a storage area protected by access management
Are the cloud based IT system and the related network equipped with security threat detection / protection tools?
If there are one or more security threat detection / protection tools:
Are they updated periodically according to the patches and releases published by the vendor?
Yes
Does the Cloud provider periodically perform and document penetration tests by qualified personnel or service providers? Periodic penetration tests are executed and documented on a regular basis by internal IT security experts
Is there a documented procedure to handle detected vulnerabilities? Yes
Is there a documented procedure (security incident response plan) to react on information security or data privacy incidents (security breaches, data leakage, data loss, unauthorized access, hacking, data hijacking, …) and to inform the affected customer(s)?
Is it tested periodically?
How does the cloud provider inform the affected customer(s)?
Yes;
Yes, once a year;
by e-mail to the defined addressee
Is there a documented procedure (Disaster Recovery Planning) to recover the system/service in case of a disaster/breakdown? Yes
Does the communication protocol between the servers/systems and clients use secure encryption procedures (e. g. AES) and/or does it use secure network protocols (e. g. SSL, TLS, IPsec)? SSL & TLS
Is the system’s role and rights concept based on the “least-privilege principle” and the required “need-to-know principle”? Yes
Is the system checking against segregation of duties? No
Does the system offer an option to use multi-factor authentication?
If yes: How?
Yes, Azure Active Directory is used.
If your domain supports it, your IT can enable MFA
What password policy is used for this system?
– min. password length,
– required use of uppercase and lowercase letters, digits, special characters,
– max. password lifetime (before it has to be changed)
– number of different passwords until reuse is allowed (avoid cyclic reuse of the same passwords),
– number of different characters to be changed at a new password
– max. unsuccessful attempts before the user is locked,
– min. time between password changes
Microsoft Azure Active Directory password policies are used. If company provides an Active Directory, overrides are possible by their IT department
After how many days a user is locked in case of inactivity? N.a
Is there an access control for management consoles and service programs (e.g. regarding server virtualization)? Yes
Is there an access control for software development environments and transportation tools of the cloud service to prevent unauthorized software changes? Yes
Is the data securely separated between customers at storage and runtime and after disposal? Yes
Client Properties/Requirements
Which operating systems are currently supported?
(OS, versions, service packs)
DAC6pro is browser based.
Which Web browsers are currently supported?
(web browsers, versions)
Chrome 67 and above, Firefox 51 and above, Safari 9 and above, Edge 14 and above, Internet Explorer 11 and above
Does the user need administration privileges to run any client software functions? No
Are there any known incompatibilities with anti-malware software (anti-virus, anti-trojan, anti-spyware, anti-phishing, anti-spam, …)?
(Yes / No)
If yes: Which anti-malware software (and versions) have known incompatibilities?
No
Are any 3rd party software components required for the functionality of your software on the client? (e.g. runtime environments, plug ins, services, office software, …, like Java, .net, Adobe Flash, Web Browser, Web browser plug ins, Microsoft Office, document viewer, …) Microsoft Office (Excel) is advised, but not required. A web browser is necessary
Minimum / Recommended screen resolution? 1280 x 1024 or higher
Minimum / Recommended CPU? n.a
Minimum / Typical required client hard disk storage space? n.a
Transportation of software or configuration changes (Change Management)
Is there a transportation tool to support the transport of tested SW or configuration changes from the test environment to the productive environment? DAC6pro is a SaaS solution, which means we automatically update the software with the help of DevOps pipelines and analysis tools.
Is an automated source code analysis tool used to detect security defects prior to the delivery of a new software patch or release?
If an automated source code analysis tool is not used: Is a manual source code analysis done to detect security defects prior to the delivery of a new software patch or release?
Yes. DAC6pro is built according to industry standards. Pull requests are performed based on a four-eyes principle for every commit. Tools such as WhiteSource and SonarCloud validate the integrity of the product during every build of the build pipeline
Are data input integrity check routines implemented? Yes
Support of Updates / Upgrades (Client, Server, DBMS)
How long are updates / patches / service packs of supported operating systems (e.g. Microsoft Windows security updates or service packs) supported?
How long is your maximum response time to update your software in case of incompatibilities?
In case of incompatibilities our software will be adapted without costs (except the maintenance fee) within 5 years after release of the update / patch / service pack
The fix will typically be available within one month after request
How long are updates / patches / service packs from required 3rd party software components (including DBMS) supported?
How long is your maximum response time to update your software in case of incompatibilities?
In case of incompatibilities our software will be adapted without costs (except the maintenance fee) within 5 years after release of the update / patch / service pack
The fix will typically be available within one month after request
Ability to Restart without Reboot (Client, Server)
Is it possible to restart the frontend / client software or required client services without reboot of the whole system (server / OS)? Yes
Is it possible to restart the backend / server software or required server services without reboot of the whole system (server / OS)? Yes
Do the client-server interface, a server-server interface of your software or standard interfaces or the interfaces based on the standard API (if available) of your software to any other software (or device) automatically reconnect after a disconnect (due to a loss of connection)?
Do they need a restart of your software or a required service to reconnect?
How long is the time out period in your software or required services that indicates a loss of connection?
After the expiration of the AD token a new login is triggered. This login will redirect the user to its original location
Ability to be Monitored (Server)
Are there standard interfaces or mechanisms to support the monitoring (and restart) of your software or required services (by a monitoring tool like NAGIOS)? Microsoft Application Insights
Data Center and Operations Properties/Requirements (only in case of SaaS is selected for the implementation)
Which company operates the data center? Microsoft Azure
Where is the data center located? West Europe
Which certificates are available for this data center (security, …)? ISO 27001, SAC 2
Is a second/standby data center offered?
If yes: cold or hot standby?
If yes: optional or included?
If yes: Which company operates it?
If yes: Where is it located?
If yes: Which certificates are available?
Azure Standard
Which company operates the data backup/restore? Azure
Where are the data backups stored? Azure
Which certificates are available for this backup data storage? Azure Standard
What backup cycle is offered? Point in time restore (Transactional) 35 days.
LTR weekly backups are stored for two months.
LTR monthly backup is stored for two years.
LTR yearly backup is stored first week of the year for 10 years.
Are backup/restore activities included in the SaaS fee? Yes
Is there a procedure in place to ensure that the backup was done without failures? According to our ISO27001 guidelines we test our restores on a regular basis
Is there a procedure in place to ensure that the backup was done in compliance with the backup rules? We actively monitor our backups
Is there an access control for access to backup data? Yes, only authorized personnel can access
Is the data backup stored at a different location than the original data?
If yes: How is the data backup transmitted to the other location?
Backups are also stored in the Azure West Europe region
What options are offered to transfer the data at the end of the SaaS contract? Data can be transferred by using the export functionalities within DAC6pro
Data Privacy
Does this software store or process any personal data or sensitive personal data? Which personal data is processed?
(definitions of “(sensitive) personal data”: see EU GDPR)
Full person names and email addresses are stored. These are used for authentication and authorization
If personal data is processed or stored:
from which countries or regions are the users with their personal data collected or processed?
Worldwide
If personal data is stored:
Does this software support the management of data retention policy (e.g. by a reminder function)?
No
Is there the capability to restrict the storage of customer data to specific countries or geographic locations? If requested, this is possible. Currently we primarily use the Azure West Europe (Amsterdam) region for all of our services and data storage
