Security
Last updated: 11 February 2025
1. Our Commitment
TaxFolio takes the security of your financial data seriously. We handle sensitive tax and banking information and are committed to protecting it through industry-standard security practices.
2. Data Protection
- All data is encrypted in transit using TLS 1.2+
- Data at rest is encrypted using AES-256
- Authentication is handled via Supabase Auth with support for two-factor authentication (2FA)
- HMRC API access uses OAuth 2.0 with short-lived tokens that are refreshed automatically
- Open Banking connections via TrueLayer use OAuth 2.0 with time-limited access tokens
- We never store your HMRC or bank passwords
3. HMRC Compliance
TaxFolio complies with HMRC's fraud prevention requirements for Making Tax Digital. We collect and send the device information headers that HMRC requires on every API submission; HMRC uses these headers to detect and prevent fraudulent tax submissions.
For details on what data is collected, see our Privacy Policy.
4. Infrastructure
- Hosted on Vercel with automatic DDoS protection
- Database hosted on Supabase (AWS eu-west-2, London) with Row Level Security (RLS)
- No direct database access from the client — all operations go through authenticated API routes
- Environment secrets are stored in Vercel's encrypted environment variable store
5. Vulnerability Disclosure
If you believe you have found a security vulnerability in TaxFolio, we encourage responsible disclosure. Please report it to us so we can address it promptly.
Email: security@taxfolio.uk
When reporting a vulnerability, please include:
- A description of the vulnerability and its potential impact
- Steps to reproduce the issue
- Any relevant screenshots or proof-of-concept code
We will acknowledge your report within 48 hours and aim to provide an initial assessment within 5 business days.
6. Contact
For security concerns: security@taxfolio.uk
For general support: support@taxfolio.uk
Our security.txt file is available at /.well-known/security.txt