Security at Fineproof
Your financial and property data is the most sensitive information you have. We treat it that way.
How we protect your data
Security is built into every layer of Fineproof — from infrastructure to application code to operational processes. Here is a transparent summary.
Encryption
- ✓ 256-bit TLS (HTTPS) for all data in transit
- ✓ AES-256 encryption for data at rest
- ✓ End-to-end encryption for HMRC API communications
- ✓ Database-level encryption via Supabase (AWS RDS)
Access controls
- ✓ Row Level Security (RLS) enforced at database level
- ✓ Principle of least privilege for all internal access
- ✓ Multi-factor authentication (MFA) available for all accounts
- ✓ Session tokens with automatic expiry and rotation
Infrastructure
- ✓ Hosted on AWS eu-west-2 (London) — UK data centres only
- ✓ Supabase managed infrastructure with automated backups
- ✓ Daily encrypted backups with 30-day retention
- ✓ DDoS protection and rate limiting
Monitoring
- ✓ Real-time application and infrastructure monitoring
- ✓ Automated vulnerability scanning
- ✓ Logging of all authentication and data access events
- ✓ Anomaly detection for suspicious activity
Incident response
- ✓ Documented incident response plan with defined escalation paths
- ✓ Data breach notification to ICO within 72 hours (UK GDPR requirement)
- ✓ Affected users notified without undue delay
- ✓ Post-incident review and corrective action for every event
Business continuity
- ✓ Disaster recovery plan with defined RPO and RTO
- ✓ Multi-region backup strategy
- ✓ Regular recovery testing
- ✓ No single points of failure in critical paths
Sub-processor register
Under UK GDPR Article 28, we maintain a transparent register of all third parties that process data on our behalf.
| Processor | Purpose | Data processed | Location | Compliance |
|---|---|---|---|---|
| Supabase Inc. | Database, authentication, storage | Account data, property data, financial records | EU (AWS eu-west-2) | SOC 2 Type II, GDPR |
| Stripe Inc. | Payment processing | Payment card details, billing address | UK / EU | PCI DSS Level 1, SOC 2 |
| HMRC | MTD tax return submission | Income and expense summaries, UTR | UK | UK Government |
| Veriff / Onfido | AML identity verification | Tenant name, ID document, facial image | EU / UK | ISO 27001, GDPR |
Certifications roadmap
We are transparent about where we are on our compliance journey.
| Certification | Status | Target |
|---|---|---|
| HMRC Recognised Software | In progress | Q2 2026 |
| Cyber Essentials | Planned | Q3 2026 |
| Cyber Essentials Plus | Planned | Q4 2026 |
| ISO 27001 | Planned | 2027 |
| SOC 2 Type I | Planned | 2027 |
| ICO Registration | Pending | Q2 2026 |
Responsible disclosure
If you discover a security vulnerability, please report it responsibly. We take all reports seriously and will respond promptly.
Email: security@fineproof.co.uk
Please include a detailed description of the vulnerability, steps to reproduce, and any supporting evidence. Do not publicly disclose the vulnerability until we have had a reasonable opportunity to address it.