Skip to main content
Finpliq
Start free

Security

Finpliq handles sensitive financial data and HMRC credentials. Here is how we protect them.

Data encryption

In transit: all data is encrypted using TLS 1.2 or higher. Connections to Finpliq are HTTPS-only.
HMRC credentials and tokens: Government Gateway passwords and HMRC OAuth access/refresh tokens are application-encrypted using AES-256-GCM with a unique IV per entry before storage. The encryption key is never stored in the database — it lives in server environment variables. Plaintext secrets are never logged.
Passwords: account passwords are hashed using bcrypt with a cost factor appropriate for current hardware. Plaintext passwords are never stored.
At rest: application secrets are encrypted by Finpliq before database storage. Wider database and object storage encryption at rest depends on the configured production hosting provider.

Access controls

Every database query is scoped to your business ID — it is architecturally impossible for your data to appear in another user account.
Authenticated sessions use HTTP-only, secure, same-site cookies that cannot be accessed by JavaScript.
CSRF protection is applied to all form submissions and state-changing API calls.

HMRC submissions

Finpliq connects directly to HMRC's own endpoints — your data goes to HMRC and nowhere else.
No submission is made to HMRC without your explicit confirmation in the app.
All HMRC submissions are logged with a correlation ID and HMRC's confirmation reference, stored in your filing audit trail.

Infrastructure

Finpliq relies on configured production hosting, database and storage providers for platform resilience, backup capability and infrastructure-level encryption at rest. Provider controls are reviewed as part of the internal Finpliq supplier and security controls audit programme. Finpliq does not claim ISO 27001, SOC 2, Cyber Essentials or other third-party certification unless such certification has been formally obtained and published.

Security governance

Finpliq maintains internal security control review documents and evidence registers. Those internal files are not published on the public website because they can reveal implementation details. Public users can review the Trust Centre policies and contact security@taandt.com for responsible disclosure or due-diligence questions.

Security contact

Security contact email: security@taandt.com.

Security controls review programme

Finpliq maintains an internal security controls audit programme covering access control, authorisation, tenant isolation, encryption, HMRC credential handling, incident response, vulnerability management, backup recovery, data retention, supplier oversight and audit logging. Controls are reviewed on a recurring schedule, findings are tracked to remediation, and evidence references are retained in the admin-only Security Compliance Centre.

This is an internal assurance programme and is not a claim of external certification or formal third-party audit.

Security incident response

Finpliq maintains a documented incident response process, internal Security Centre, Incident Register and notification decision records for HMRC, ICO and customer communications.

Read the incident response summary.

Reporting a vulnerability

If you discover a security vulnerability in Finpliq, please report it responsibly by emailing security@taandt.com with the subject "Security vulnerability." Please do not disclose it publicly until we have had the opportunity to investigate and address it.

We aim to respond to security reports within 48 hours.

Security — Finpliq