Security
Access Control Policy
How Finpliq controls access to user accounts, businesses, admin areas and sensitive filing functions.
- Owner
- Security & Compliance
- Effective from
- 8 July 2026
- Last reviewed
- 8 July 2026
- Review cycle
- Annual or following material change
At a glance
Finpliq uses authenticated sessions, role-aware application routing, admin controls and business scoping to limit access.
MFA should be enabled or enforced for admin and high-risk users where implemented in the application.
Full policy
Role-based access control should distinguish ordinary users, business owners/team users and administrators. Permissions must be scoped to the relevant user and business.
Passwords are handled through the authentication system. Password reset flows must not disclose account existence unnecessarily and must use time-limited tokens.
Sessions must be protected from unauthorised use. Auth, app and admin routes should be noindexed and protected by middleware or server-side checks.
Admin access must be granted only where required, audited, and removed when no longer needed. Admins must not be able to view MFA secrets or recovery codes.
High-risk actions such as HMRC submissions, exports, MFA disabling and admin changes should require fresh authentication or step-up MFA where implemented.