Security
Finpliq handles sensitive financial data and HMRC credentials. Here is how we protect them.
Data encryption
✓
In transit: all data is encrypted using TLS 1.2 or higher. Connections to Finpliq are HTTPS-only.
✓
Government Gateway credentials: your HMRC Government Gateway password is encrypted using AES-256-GCM with a unique IV per entry before storage. The encryption key is never stored in the database — it lives in environment variables on the server. The plaintext password is never logged.
✓
Passwords: account passwords are hashed using bcrypt with a cost factor appropriate for current hardware. Plaintext passwords are never stored.
✓
At rest: databases are encrypted at rest by our infrastructure provider.
Access controls
✓
Every database query is scoped to your business ID — it is architecturally impossible for your data to appear in another user's account.
✓
Authenticated sessions use HTTP-only, secure, same-site cookies that cannot be accessed by JavaScript.
✓
CSRF protection is applied to all form submissions and state-changing API calls.
HMRC submissions
✓
Finpliq connects directly to HMRC's own endpoints — your data goes to HMRC and nowhere else.
✓
No submission is made to HMRC without your explicit confirmation in the app.
✓
All HMRC submissions are logged with a correlation ID and HMRC's confirmation reference, stored in your filing audit trail.
Infrastructure
Finpliq is hosted on infrastructure with SOC 2 compliance. Databases are backed up automatically with point-in-time recovery. Our infrastructure provider maintains physical security, network security, and availability SLAs.
Reporting a vulnerability
If you discover a security vulnerability in Finpliq, please report it responsibly by emailing finpliq@taandt.com with the subject "Security vulnerability." Please do not disclose it publicly until we have had the opportunity to investigate and address it.
We aim to respond to security reports within 48 hours.