# Security Architecture

**Last reviewed:** 8 July 2026

Finpliq security architecture centres on authenticated sessions, business-level tenant scoping, role-aware controls, encrypted high-sensitivity secrets where implemented, audit logging and noindex protection for private routes.

## Operating principles

- Preserve tenant isolation and user authentication.
- Keep claims truthful and aligned with implemented features.
- Protect secrets and high-sensitivity financial records.
- Review changes before production deployment.

## Verification checklist

- Authentication and admin routes remain protected.
- Private app routes are not indexed.
- No secrets are exposed in logs, client code or documentation.
- HMRC and filing functionality is described by actual release status.
