Encryption Policy
How Finpliq protects sensitive records, secrets, tokens and credentials.
At a glance
- Sensitive secrets must not be stored or logged in plaintext.
- Server-side encryption keys must remain outside client code and source control.
Full policy
- Transport encryption should be used through HTTPS/TLS in production.
- Application-level encryption is required for high-sensitivity secrets such as MFA secrets and HMRC tokens/credentials where stored by the application.
- Encryption keys must be stored as environment secrets, rotated where required and restricted to the server environment.
- Logs, emails and client responses must not contain raw secrets, access tokens, MFA recovery codes or passwords.