Skip to main content
Finpliq
Start free
← Policy library

Security

Encryption Policy

How Finpliq protects sensitive records, secrets, tokens and credentials.

Owner
Security & Engineering
Effective from
8 July 2026
Last reviewed
8 July 2026
Review cycle
Annual or following material change

At a glance

Sensitive secrets must not be stored or logged in plaintext.

Server-side encryption keys must remain outside client code and source control.

Full policy

Transport encryption should be used through HTTPS/TLS in production.

Application-level encryption is required for high-sensitivity secrets such as MFA secrets and HMRC tokens/credentials where stored by the application.

Encryption keys must be stored as environment secrets, rotated where required and restricted to the server environment.

Logs, emails and client responses must not contain raw secrets, access tokens, MFA recovery codes or passwords.