Reporting Security Vulnerabilities

🔒 Security Contact

If you discover a security vulnerability or have concerns about the security of our systems, please contact us immediately:

Email: edward@bytelogic.ltd

PGP Key: Available on request

Response time: Within 24 hours

What to Include in Your Report

Please provide as much information as possible to help us understand and address the issue:

  • ✓ Description of the vulnerability and its potential impact
  • ✓ Steps to reproduce the issue
  • ✓ Any proof-of-concept code or screenshots
  • ✓ Your contact information for follow-up
  • ✓ Whether you wish to be credited for the discovery

Our Commitment

โฑ๏ธ Acknowledgment

We will acknowledge receipt of your report within 24 hours.

๐Ÿ” Investigation

We will investigate and keep you informed of our progress.

๐Ÿ›ก๏ธ Resolution

We aim to resolve critical issues within 7 days, others within 30 days.

๐Ÿ™ Recognition

We will credit researchers who report valid vulnerabilities (if desired).

Responsible Disclosure

We ask that you:

  • Give us reasonable time to address the issue before public disclosure
  • Do not access or modify data belonging to other users
  • Do not perform actions that could harm the availability of our services
  • Act in good faith to avoid privacy violations and disruption to others

Security Measures

ByteLogic Accounting implements the following security measures to protect your data:

๐Ÿ” Encryption (UK GDPR Compliant)

All customer data is encrypted both at rest and in transit, following ICO guidelines and industry standards.

📦 Data at Rest

  • AES-256 encryption for stored data
  • HMRC/bank tokens encrypted
  • Passwords hashed with bcrypt
  • Encrypted database backups
  • Full disk encryption on servers

🔄 Data in Transit

  • TLS 1.3 for all connections
  • HTTPS enforced on all pages
  • HSTS headers enabled
  • No SSL or TLS 1.0/1.1 (deprecated)
  • Encrypted API calls to HMRC/banks

Standards: FIPS 197 (AES), FIPS 140-3 compliant infrastructure, RFC 6238 (TOTP)

🔑 Authentication (NCSC Compliant)

  • Two-factor authentication (TOTP)
  • Passwords hashed with bcrypt
  • Progressive login throttling
  • No forced password expiry
  • Password manager friendly

📋 Compliance

  • UK GDPR compliant
  • HMRC MTD approved vendor
  • Comprehensive audit logging
  • ICO encryption guidelines followed

๐Ÿ—๏ธ Infrastructure

  • Secure cloud hosting
  • Regular security updates
  • Automated vulnerability scanning
  • Network segmentation

๐Ÿ›ก๏ธ Access Control

  • Role-based permissions
  • Principle of least privilege
  • Staff access logged
  • Regular access reviews

๐Ÿข Customer Data Separation

Following NCSC Cloud Security Principle 3, we ensure complete isolation between customers:

✓ Logical Separation

Every record tied to your organization

✓ Query Isolation

All data access filtered by organization

✓ No Cross-Access

Cannot view other customers' data

✓ Audit Trail

All access logged per organization
Incident Response & Breach Notification

In the event of a security incident affecting your data, we have a defined process to respond quickly and notify all required parties:

โš ๏ธ Mandatory Breach Notifications (within 72 hours)

1. HMRC Software Developer Support

Any issues concerning the security of personal or customer data must be reported immediately to HMRC.

Email: SDSTeam@hmrc.gov.uk

Deadline: Within 72 hours of discovery

Include: Breach contact name and telephone number

2. Information Commissioner's Office (ICO)

Personal data breaches must be reported to the ICO under GDPR regulations.

Report online: ico.org.uk/make-a-complaint

Phone: 0303 123 1113

Deadline: Within 72 hours of becoming aware

3. Affected Users

If the breach is likely to result in a high risk to individuals' rights and freedoms, we will notify affected users directly.

Method: Email to registered address

Deadline: Without undue delay

Our Incident Response Process

  1. Detection & Containment (Hour 0-4): Identify the breach, contain the incident, and preserve evidence.
  2. Assessment (Hour 4-24): Assess the scope, affected data, and risk level.
  3. Notification (Hour 24-72): Notify HMRC (SDSTeam@hmrc.gov.uk), ICO, and affected users as required.
  4. Investigation (Day 3-14): Conduct thorough investigation and root cause analysis.
  5. Remediation & Review: Implement fixes and update security measures to prevent recurrence.

📋 Breach Response Contact

Primary Contact: Edward Cracknell (Director) - edward@bytelogic.ltd

Questions about our security practices?

Contact Us

ByteLogic Ltd · Company Number: 15073068

Last updated: January 2026