Are web-based identity/access-control and data-messaging services subject to New York sales tax?

Plain-English summary

A company sells four web-based services to business and government customers and asked which are taxable and how to source them. The Office of Counsel split them into two groups:

"Communicate" rubric — taxable protective services
- Portal (a hosted, co-branded site that lets only authorized users reach a customer's online resources) and Trusted Identity Framework (the same ID/password verification, but the user logs in on the customer's own page) both act as electronic gatekeepers. Their crux is the security function of verifying that people seeking access are authorized and keeping unauthorized persons out of the customer's confidential data.
- That makes them taxable protective services under Tax Law section 1105(c)(8) (cf. TSB-A-10(14)S).
- Sourcing: Protective services are provided where the protected property is located. Tax applies to the extent the protected data resides in New York (e.g., on New York servers). If data sits both in and outside New York, the vendor collects tax only on the New York portion.
- The vendor may rely on a signed customer letter identifying the jurisdiction(s) where the protected data is located (absent fraud or knowledge it is untrue). The letter must state it is furnished to determine the proper New York tax, be kept at least three years, be updated on changes, and be reviewed at least every three years. The tax is on the customer (Tax Law section 1132(a)(1)); following this procedure satisfies the vendor's burden, but on audit any shortfall remains the customer's liability.

"Connect" rubric — nontaxable bridging services
- Messaging and Supplier Connection provide a central hub that routes business messages/data between trading partners, who supply their own connections. These are nontaxable bridging services (TSB-A-15(28)S).
- The associated set-up, maintenance, mailbox set-up/maintenance fees are not taxable, and the mapping fees are nontaxable data-processing charges.

What this means for you

"Keeping the wrong people out" is a taxable protective service

A service whose essence is controlling access and protecting confidential data — even a slick cloud identity/login product — can be a taxable protective service in New York, not a nontaxable software or data service.

Source protective services to where the data lives

Protective services are taxed based on where the protected property/data is located, not where the user or vendor sits. With data in multiple states, you tax the New York share — and a signed customer letter is the accepted way to allocate, with recordkeeping and periodic review.

Pure message routing between partners is nontaxable bridging

A hub that just routes messages/data between trading partners is a nontaxable bridging service, and the surrounding set-up, mailbox, maintenance and mapping/data-processing charges ride along as nontaxable.

Common questions

Q: Why is an identity/login product taxable when many cloud services aren't?
A: Because its core function is protecting access to confidential data — a protective service under Tax Law section 1105(c)(8) — rather than, say, mere data storage.

Q: How do I figure out how much New York tax to charge?
A: Source to where the protected data resides. You may rely on a signed customer letter allocating the data's location, kept and periodically reviewed.

Q: Are the messaging-hub set-up and mapping fees taxable?
A: No — the messaging/supplier-connection services are nontaxable bridging services, and the set-up, mailbox, maintenance and mapping (data-processing) fees are not taxable.

Q: Can I rely on this opinion?
A: It binds the Department only as to the petitioner. Use it as guidance and confirm your own facts.

Citations and references

• Tax Law section 1105(c)(8) (protective and detective services)
• Tax Law section 1132(a)(1) (sales tax is on the customer, collected by the vendor)
• 20 NYCRR 525.2 (sale; transfer of possession)

Source

• Landing page: https://www.tax.ny.gov/pubs_and_bulls/advisory_opinions/sales_ao_2016.htm
• Opinion: https://www.tax.ny.gov/pdf/advisory_opinions/sales/a16_20s.pdf

Original ruling text

New York State Department of Taxation and Finance

TSB-A-16(20)S
Sales Tax
May 27, 2016

Office of Counsel
STATE OF NEW YORK
COMMISSIONER OF TAXATION AND FINANCE
ADVISORY OPINION

PETITION NO. S101129A

The Department of Taxation and Finance received a Petition for Advisory Opinion from
REDACTEDREDACTED (Petitioner), REDACTEDREDACTEDREDACTEDREDACTED.
Petitioner asks whether four services (“Portal,” “Trusted Identity Framework,” “Messaging,” and
“Supplier Connection”) it sells are subject to sales tax and, if any of these services are subject to
sales tax, and how the sales should be sourced.
We conclude that (i) the Portal and Trusted Identity Framework services are subject to
sales tax under Tax Law § 1105(c)(8) as protective services and should be sourced based on the
location where the protected data resides and (ii) the Messaging and Supplier Connection
services are not subject to sales tax.
Facts
“Communicate” Rubric Services
Petitioner sells two services under the rubric “Communicate”: “Portal” and “Trusted
Identity Framework.” The crux of each product is that Petitioner, in essence, acts as a
gatekeeper allowing users access to a client’s computer network or other on-line resources.
Examples of such resources are computerized medical records and software applications. Both
products are accessed via the Internet.
“Portal” is an on-line portal hosted by Petitioner, co-branded with the customer, in which
Petitioner delivers a secure platform and workspace that can be personalized by communities of
users across multiple organizations. One element of the product is Petitioner’s development and
hosting of a web site, which may have the outward appearance of being a web site hosted by the
customer. Individuals seeking access to a customer’s on-line resources can gain access only
through the portal. The customer designates the individuals granted access and determines what
resources a user may access. Authorized users are assigned IDs and passwords. The portal
includes a security integration function that verifies that individuals seeking access are
authorized to have access. If an individual seeking access is authorized to have access, the
individual will be linked to the resources on the customer’s web site for which it is authorized.
Once the user is linked to a customer resource, the customer is responsible for managing user
access.
Petitioner charges an implementation fee for designing and building the portal site.
Petitioner maintains the site at no additional fee for a specified contract period. Free
maintenance includes help desk services for users.
After the initial contract period expires, the customer must pay a subscription fee for
Petitioner’s continued maintenance and hosting of the portal. This fee covers the following

-2-

TSB-A-16(20)S
Sales Tax
May 27, 2016

costs: maintenance of the customer portal code base; maintenance, testing and validation of
customer code to support upgrades to the core infrastructure products; testing of all
enhancements to ensure continued functionality; and continued help desk service. This fee will
vary depending on the number of authorized users.
An optional feature offered under “Portal” is “Federated Login Capabilities,” which
allows users to access customer resources using an ID and password issued by Petitioner without
needing a separate login ID issued by the customer. Petitioner bills a one-time charge for this
feature to cover the costs of setting up coding and security integration.
The other product sold under the “Communicate” rubric is “Trusted Identity
Framework.” This product is designed to allow businesses or government entities to share
information and applications with employees or third parties, such as suppliers, partners,
customers, or the general public. “Trusted Identity Framework” is similar to “Federated Login
Capabilities,” except that it is offered without a portal maintained by Petitioner. Instead of the
user logging into a portal maintained by Petitioner to gain access to a customer’s resources, the
user directly logs on to the customer’s portal page and then is linked to the Petitioner’s network
so that Petitioner can verify the user’s ID and password. If the ID and password are confirmed,
the user is routed back to the customer’s resources. The service allows the customer to control
the content of its own portal pages, while Petitioner maintains ID management, access,
passwords resets, etc. for the users.
Petitioner charges a monthly fee for this service, which is based on the number of the
customer’s users.
Connect Rubric Services
Petitioner sells two products under the rubric “Connect”: “Messaging” and “Supplier
Connection.” In the case of both of these services, Petitioner provides a central data messaging
hub that routes business messages or data in various formats between trading partners. Each
customer must provide its own Internet connection to Petitioner’s portal on the Web.
In the Messaging service, messages are transmitted between trading partners’ networks
via the Internet through Petitioner’s server, which is located outside New York State. Messages
can be tracked via communication code, which provides the IP address of the computer that
transmits the message.
Each trading partner is charged a one-time user set up fee for professional services
performed by Petitioner, which include obtaining the data necessary to set up relationships
between the trading partners. Each customer is charged a monthly maintenance fee, which is
based on the number of trading partners with whom the customer is linked.
If a trading partner’s application environment is different from other trading partners’
application environments, the message must be translated into a customer specific document
format that can be read by the other trading partners’ systems. Petitioner bills a one-time fee for
this service, hereafter referred to as a mapping service. This fee is billed on a per-map basis.
Petitioner bills an additional mapping fee on an ongoing basis to cover the cost of keeping the

-3-

TSB-A-16(20)S
Sales Tax
May 27, 2016

coding current with each trading partner’s system and translation requirements. This
maintenance fee is based on the number of messages that have to be translated. In addition,
each trading partner is charged a monthly fee based on the number of kilocharacters the partner
sent or received during a billing period.
A non-optional fee billed by Petitioner for messaging service is a mailbox fee for the
costs of setting up the integration channel, which is the mechanism to send and receive messages
between trading partners. Petitioner also bills on a monthly basis a mailbox maintenance fee to
each trading partner for the service of maintaining the connection between trading partners.
“Supplier Connection” is essentially the same service as “Messaging”; however, instead
of using internal software to compose and transmit messages, trading partners utilize web
browsers to exchange data with each other. For this service, Petitioner charges a one-time
registration fee, a configuration fee, and a periodic per-user fee.
The Connect services are used to send messages between computers; hence, messages are
sent to IP addresses. Petitioner claims that it does not know the geographic location of its
customers’ computers that send and receive messages.
Analysis
Communicate Rubric Services
Petitioner’s portal and trusted identity framework services under the “Communicate”
rubric perform a gatekeeper function for customers. These services ensure that only authorized
users gain access to the customer’s on-line resources. Thus, the crux of these services is the
security function of verifying that persons seeking access to on-line resources are authorized to
have that access. Persons seeking access to the customer’s resources may be located both inside
and outside of New York State.
These electronic gatekeeper services qualify as protective services for purposes of Tax
Law § 1105(c)(8) because they prevent unauthorized persons from gaining access to its
customers’ confidential data. Cf. TSB-A-10(14)S. Protective services are provided in New York
(i.e., “sourced” to New York) if the property being protected is located in New York. See N-9020; TSB-A-10(14)S, supra. Thus, to the extent that the data being protected is located in New
York (e.g., resides on servers in New York), then Petitioner is providing a protective service in
New York. If the protected data is located both inside New York and outside the State,
Petitioner should collect tax only with respect to the data located in New York. In making the
determination of where its protective services are being provided, Petitioner may rely on a letter
from the customer indicating the taxing jurisdiction or jurisdictions where the protected data is
located, absent a showing of fraud or knowledge on the part of Petitioner that the contents of the
letter are untrue. Such a letter must be signed by the customer (or the appropriate employee or
officer thereof) and contain a statement acknowledging that it is being furnished for the purpose
of allowing Petitioner to determine the appropriate amount of New York State and local sales
and use taxes due. Petitioner must keep the letters furnished by its customers as part of its sales
tax records, and be able to associate each letter with related sales, for at least three years after the
date of the last sale to which the letter relates. The customer is required to update the letter if

-4-

TSB-A-16(20)S
Sales Tax
May 27, 2016

there is a change in where the services are being provided. In order to continue to rely on the
letter, Petitioner should regularly review with its customer the information contained in the letter
to ensure that the information is still accurate, no less frequently than every three years.
The sales tax is a tax on the customer to be collected by the vendor. See Tax Law §
1132(a)(1). Following the above procedure will satisfy the vendor’s burden of showing it
collected the proper amount of sales tax. However, to the extent that, on audit, the Department
finds that the vendor, using the above procedure, did not collect the proper amount of tax, the
customer would be liable for any additional tax due.
Connect Rubric Services
The “Messaging” and “Supplier Connection” services under the Connect Rubric
provide a central data messaging hub that routes business messages or data between business
partner members of the service, who must provide their own telecommunication connections to
the hub. These services are nontaxable bridging services. See TSB-A-15(28)S. Thus,
Petitioner’s fees for setting up the relationship between trading partners and maintaining those
relationships, as well as its mailbox set-up and maintenance fees, are not taxable. In addition,
Petitioner’s charges for its mapping services are not taxable, as they constitute data processing
charges.

DATED: May 27, 2016

/S/
DEBORAH R. LIEBMAN
Deputy Counsel

NOTE:

An Advisory Opinion is issued at the request of a person or entity. It is limited to the
facts set forth therein and is binding on the Department only with respect to the
person or entity to whom it is issued and only if the person or entity fully and
accurately describes all relevant facts. An Advisory Opinion is based on the law,
regulations, and Department policies in effect as of the date the Opinion is issued or
for the specific time period at issue in the Opinion. The information provided in this
document does not cover every situation and is not intended to replace the law or
change its meaning.