Security
Finpliq handles sensitive financial data and HMRC credentials. Here is how we protect them.
Data encryption
Access controls
HMRC submissions
Infrastructure
Finpliq relies on configured production hosting, database and storage providers for platform resilience, backup capability and infrastructure-level encryption at rest. Provider controls are reviewed as part of the internal Finpliq supplier and security controls audit programme. Finpliq does not claim ISO 27001, SOC 2, Cyber Essentials or other third-party certification unless such certification has been formally obtained and published.
Security governance
Finpliq maintains internal security control review documents and evidence registers. Those internal files are not published on the public website because they can reveal implementation details. Public users can review the Trust Centre policies and contact security@taandt.com for responsible disclosure or due-diligence questions.
Security contact
Security contact email: security@taandt.com.
Security controls review programme
Finpliq maintains an internal security controls audit programme covering access control, authorisation, tenant isolation, encryption, HMRC credential handling, incident response, vulnerability management, backup recovery, data retention, supplier oversight and audit logging. Controls are reviewed on a recurring schedule, findings are tracked to remediation, and evidence references are retained in the admin-only Security Compliance Centre.
This is an internal assurance programme and is not a claim of external certification or formal third-party audit.
Security incident response
Finpliq maintains a documented incident response process, internal Security Centre, Incident Register and notification decision records for HMRC, ICO and customer communications.
Reporting a vulnerability
If you discover a security vulnerability in Finpliq, please report it responsibly by emailing security@taandt.com with the subject "Security vulnerability." Please do not disclose it publicly until we have had the opportunity to investigate and address it.
We aim to respond to security reports within 48 hours.