Skip to main content
Finpliq
Start free
← Policy library

Security

Access Control Policy

How Finpliq controls access to user accounts, businesses, admin areas and sensitive filing functions.

Owner
Security & Compliance
Effective from
8 July 2026
Last reviewed
8 July 2026
Review cycle
Annual or following material change

At a glance

Finpliq uses authenticated sessions, role-aware application routing, admin controls and business scoping to limit access.

MFA should be enabled or enforced for admin and high-risk users where implemented in the application.

Full policy

Role-based access control should distinguish ordinary users, business owners/team users and administrators. Permissions must be scoped to the relevant user and business.

Passwords are handled through the authentication system. Password reset flows must not disclose account existence unnecessarily and must use time-limited tokens.

Sessions must be protected from unauthorised use. Auth, app and admin routes should be noindexed and protected by middleware or server-side checks.

Admin access must be granted only where required, audited, and removed when no longer needed. Admins must not be able to view MFA secrets or recovery codes.

High-risk actions such as HMRC submissions, exports, MFA disabling and admin changes should require fresh authentication or step-up MFA where implemented.