Access Control Policy
How Finpliq controls access to user accounts, businesses, admin areas and sensitive filing functions.
At a glance
- Finpliq uses authenticated sessions, role-aware application routing, admin controls and business scoping to limit access.
- MFA should be enabled or enforced for admin and high-risk users where implemented in the application.
Full policy
- Role-based access control should distinguish ordinary users, business owners/team users and administrators. Permissions must be scoped to the relevant user and business.
- Passwords are handled through the authentication system. Password reset flows must not disclose account existence unnecessarily and must use time-limited tokens.
- Sessions must be protected from unauthorised use. Auth, app and admin routes should be noindexed and protected by middleware or server-side checks.
- Admin access must be granted only where required, audited, and removed when no longer needed. Admins must not be able to view MFA secrets or recovery codes.
- High-risk actions such as HMRC submissions, exports, MFA disabling and admin changes should require fresh authentication or step-up MFA where implemented.