Information Security Policy
How Finpliq protects business, bookkeeping, payroll and tax records using secure access, encryption, logging and operational controls.
At a glance
- Finpliq protects accounting records, HMRC workflow data, evidence packs and user accounts using authenticated access, role-based permissions, encryption where implemented, audit logs and documented incident handling.
- Finpliq does not claim external security certification in this document. Security controls are described as internal operating controls unless independently verified.
Full policy
- Security objectives are to preserve confidentiality, integrity and availability of customer records; prevent cross-tenant access; support traceable filings and approvals; and reduce the risk of unauthorised access to sensitive financial data.
- Responsibilities sit with TA&T Ltd as operator, administrators with elevated access, developers making changes, and users who must protect their credentials, enable MFA where required and review filing outputs before submission.
- Assets include user accounts, business records, invoices, bills, bank statement imports, receipt uploads, payroll records, CIS records, VAT records, HMRC tokens or credentials where configured, audit logs, code, databases, deployment environments and support communications.
- Access is granted on a least-privilege basis. Admin access should be limited, reviewed and removed when no longer required. Business-level roles must be used to prevent one customer from viewing another customer's data.
- Patch and vulnerability management should include dependency review, security updates, code review, testing and documented release checks before production deployment.
- Incident response follows documented triage, containment, investigation, customer notification and regulatory notification processes where required by law or HMRC obligations.