Logging & Monitoring Policy
How Finpliq records important activity without exposing sensitive data.
At a glance
- Finpliq logs security, authentication, admin and filing events for accountability.
- Logs must not include passwords, MFA secrets, recovery codes, raw HMRC secrets or payment card data.
Full policy
- Audit logs should cover login-sensitive events, admin role changes, MFA events, filing actions, approvals, high-risk exports, business switching and security incidents where implemented.
- Monitoring should help identify failed logins, repeated MFA failures, unusual admin activity, filing errors, service failures and supplier outages.
- Log access must be restricted to authorised administrators and support/security personnel.