Skip to main content
Finpliq
Start free
← Policy library

Security

Secure Software Development Policy

How Finpliq should be developed, reviewed, tested and released without weakening authentication, authorisation, tenant isolation or filing workflows.

Owner
Engineering
Effective from
8 July 2026
Last reviewed
8 July 2026
Review cycle
Annual or following material change

At a glance

Changes to Finpliq must preserve authentication, tenant isolation, audit logging and HMRC workflow integrity.

Security-sensitive changes require code review, validation and build checks before release.

Full policy

Developers must follow secure coding practices, including server-side validation, output encoding, safe redirects, parameterised database access through Prisma and avoiding secrets in code or logs.

Code reviews should check authorisation, tenant scoping, error handling, audit logging, data exposure, dependency impact and migration safety.

Secrets must be stored in environment variables or secure deployment secrets, never committed to source control and never exposed to client-side code.

Releases should include TypeScript checks, Prisma generate, Next.js build, migration review, rollback notes and regression checks for login, settings, dashboard, banking/import, filing and admin workflows.

OWASP guidance should be used for common risks such as broken access control, injection, XSS, insecure design, security misconfiguration and vulnerable dependencies.