Security & Data Protection

Last updated: 4 March 2026

Encryption

  • In transit — all data protected with TLS 1.2+ (enforced by Vercel and Supabase). No unencrypted HTTP connections are accepted.
  • At rest — Supabase PostgreSQL encryption plus application-layer AES-256-GCM encryption for UTR and NINO fields.
  • HMRC tokens — OAuth access and refresh tokens are stored server-side only and are never exposed to the browser or included in client-side JavaScript bundles.

Access Control

  • Row-level security (RLS) enforced at the database level on every table
  • All API routes require authenticated sessions via Supabase Auth
  • HMRC API calls use per-user OAuth tokens — users can only access their own data
  • Content Security Policy (CSP), X-Frame-Options, and X-Content-Type-Options headers on all responses

Audit Trail

Every HMRC API interaction is logged with full request and response payloads. Audit logs are retained for 7 years in line with HMRC record-keeping requirements and are available to users from their Settings page.

Penetration Testing & Vulnerability Management

Independent penetration testing is scheduled for Q2 2026. Current automated security measures include:

  • OWASP ZAP automated scans
  • npm audit on every build
  • Dependabot alerts for dependency vulnerabilities
  • HMRC fraud prevention header validation via the HMRC Test Fraud Prevention Headers API

Incident Reporting

To report a security vulnerability or incident, please email securitygs@oshylabs.eu

  • Acknowledgement within 24 hours
  • Resolution target: 72 hours for critical issues

HMRC Breach Notification Process

In the event of a security breach affecting HMRC data, we follow this process:

  1. Immediate containment and assessment of the breach
  2. HMRC Developer Hub support notified within 24 hours
  3. Affected customers notified per UK GDPR Article 33
  4. Post-incident root cause analysis and remediation report

If you believe your account has been compromised, please contact us immediately at securitygs@oshylabs.eu and change your password.