Security
Secure Software Development Policy
How Finpliq should be developed, reviewed, tested and released without weakening authentication, authorisation, tenant isolation or filing workflows.
- Owner
- Engineering
- Effective from
- 8 July 2026
- Last reviewed
- 8 July 2026
- Review cycle
- Annual or following material change
At a glance
Changes to Finpliq must preserve authentication, tenant isolation, audit logging and HMRC workflow integrity.
Security-sensitive changes require code review, validation and build checks before release.
Full policy
Developers must follow secure coding practices, including server-side validation, output encoding, safe redirects, parameterised database access through Prisma and avoiding secrets in code or logs.
Code reviews should check authorisation, tenant scoping, error handling, audit logging, data exposure, dependency impact and migration safety.
Secrets must be stored in environment variables or secure deployment secrets, never committed to source control and never exposed to client-side code.
Releases should include TypeScript checks, Prisma generate, Next.js build, migration review, rollback notes and regression checks for login, settings, dashboard, banking/import, filing and admin workflows.
OWASP guidance should be used for common risks such as broken access control, injection, XSS, insecure design, security misconfiguration and vulnerable dependencies.