Security
Encryption Policy
How Finpliq protects sensitive records, secrets, tokens and credentials.
- Owner
- Security & Engineering
- Effective from
- 8 July 2026
- Last reviewed
- 8 July 2026
- Review cycle
- Annual or following material change
At a glance
Sensitive secrets must not be stored or logged in plaintext.
Server-side encryption keys must remain outside client code and source control.
Full policy
Transport encryption should be used through HTTPS/TLS in production.
Application-level encryption is required for high-sensitivity secrets such as MFA secrets and HMRC tokens/credentials where stored by the application.
Encryption keys must be stored as environment secrets, rotated where required and restricted to the server environment.
Logs, emails and client responses must not contain raw secrets, access tokens, MFA recovery codes or passwords.