Finpliq Trust Centre
Security incident response
Finpliq maintains an incident response process for suspected or confirmed security events affecting customer records, HMRC filing workflows, credentials, platform availability or third-party services. This page summarises the operational process without exposing sensitive internal details.
Incident lifecycle
- 1. Detect
Actions, evidence and decisions are recorded in the internal Incident Register. - 2. Assess
Actions, evidence and decisions are recorded in the internal Incident Register. - 3. Classify
Actions, evidence and decisions are recorded in the internal Incident Register. - 4. Contain
Actions, evidence and decisions are recorded in the internal Incident Register. - 5. Investigate
Actions, evidence and decisions are recorded in the internal Incident Register. - 6. Preserve evidence
Actions, evidence and decisions are recorded in the internal Incident Register. - 7. Recover
Actions, evidence and decisions are recorded in the internal Incident Register. - 8. Notify
Actions, evidence and decisions are recorded in the internal Incident Register. - 9. Monitor
Actions, evidence and decisions are recorded in the internal Incident Register. - 10. Close
Actions, evidence and decisions are recorded in the internal Incident Register. - 11. Lessons learned
Actions, evidence and decisions are recorded in the internal Incident Register.
HMRC notification
HMRC notification is assessed where HMRC credentials, OAuth tokens, tax filing data, submission integrity or HMRC production credentials may be affected. Notifications follow HMRC's published security reporting process.
ICO assessment
Personal data breaches are assessed under UK GDPR. Where notification is required, the ICO deadline is normally within 72 hours of becoming aware.
Customer communication
Affected customers are notified where required by law or where action is needed, such as credential rotation, password reset or filing review.
Responsible disclosure
Security researchers should report vulnerabilities responsibly and avoid accessing customer data or disrupting service availability.
Read disclosure policy