Skip to main content
Finpliq
Start free

Finpliq Trust Centre

Security incident response

Finpliq maintains an incident response process for suspected or confirmed security events affecting customer records, HMRC filing workflows, credentials, platform availability or third-party services. This page summarises the operational process without exposing sensitive internal details.

Incident lifecycle

  1. 1. Detect
    Actions, evidence and decisions are recorded in the internal Incident Register.
  2. 2. Assess
    Actions, evidence and decisions are recorded in the internal Incident Register.
  3. 3. Classify
    Actions, evidence and decisions are recorded in the internal Incident Register.
  4. 4. Contain
    Actions, evidence and decisions are recorded in the internal Incident Register.
  5. 5. Investigate
    Actions, evidence and decisions are recorded in the internal Incident Register.
  6. 6. Preserve evidence
    Actions, evidence and decisions are recorded in the internal Incident Register.
  7. 7. Recover
    Actions, evidence and decisions are recorded in the internal Incident Register.
  8. 8. Notify
    Actions, evidence and decisions are recorded in the internal Incident Register.
  9. 9. Monitor
    Actions, evidence and decisions are recorded in the internal Incident Register.
  10. 10. Close
    Actions, evidence and decisions are recorded in the internal Incident Register.
  11. 11. Lessons learned
    Actions, evidence and decisions are recorded in the internal Incident Register.

HMRC notification

HMRC notification is assessed where HMRC credentials, OAuth tokens, tax filing data, submission integrity or HMRC production credentials may be affected. Notifications follow HMRC's published security reporting process.

ICO assessment

Personal data breaches are assessed under UK GDPR. Where notification is required, the ICO deadline is normally within 72 hours of becoming aware.

Customer communication

Affected customers are notified where required by law or where action is needed, such as credential rotation, password reset or filing review.

Responsible disclosure

Security researchers should report vulnerabilities responsibly and avoid accessing customer data or disrupting service availability.

Read disclosure policy

Downloadable governance documents