Security Policy
Last updated: April 2026 · ClearYear (Andrean Tahchiev, Sole Trader)
1. Overview
ClearYear takes the security of your data seriously. This policy describes the technical and organisational measures we use to protect your information.
2. Data Transmission
- All data is transmitted over HTTPS (TLS 1.2+) — never plain HTTP
- HTTP Strict Transport Security (HSTS) is enforced with a 1-year policy
- SSL certificates are automatically renewed
3. Data Protection
- NINO and UTR are hashed with SHA-256 before any storage — plaintext identifiers are never written to disk
- Income and expense figures exist only in your encrypted session during the wizard — they are not stored in our database
- HMRC OAuth access tokens are stored only in encrypted server-side sessions and expire after 4 hours
- Session cookies are HttpOnly, Secure, and SameSite=Lax
4. Application Security
- Rate limiting — all endpoints are rate-limited per IP address to prevent brute-force attacks
- SQL injection protection — all inputs are scanned and parameterised queries are used throughout
- XSS protection — Content Security Policy headers are enforced on all responses
- Clickjacking protection — X-Frame-Options: DENY is set on all pages
- Idempotent submissions — duplicate submissions are detected and rejected
- Audit trail — all submission events are logged with IP address and timestamp
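To check whether a deployed response actually carries the transport, header and cookie controls listed in sections 2 to 4, here is an added Python example (not ClearYear's own code); the response text and the cookie name `session` are constructed for illustration, and a 1-year HSTS policy is taken to mean max-age of at least 31536000 seconds.

```python
import re

ONE_YEAR = 31536000  # seconds; assumed meaning of the policy's "1-year" HSTS lifetime

# Constructed sample response (not a real capture), one header per line.
SAMPLE_HEADERS = """\
HTTP/1.1 200 OK
Strict-Transport-Security: max-age=31536000; includeSubDomains
Content-Security-Policy: default-src 'self'
X-Frame-Options: DENY
Set-Cookie: session=abc123; Path=/; HttpOnly; Secure; SameSite=Lax
"""


def parse_headers(raw):
    """Map lower-cased header name -> list of values (Set-Cookie may repeat)."""
    headers = {}
    for line in raw.splitlines()[1:]:  # skip the status line
        if not line.strip():
            break  # blank line ends the header block
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def check_policy(raw, cookie_name="session"):
    """Return control name -> bool for the controls stated in sections 2-4."""
    h = parse_headers(raw)
    results = {}
    # Section 2: HSTS with a 1-year policy.
    hsts = h.get("strict-transport-security", [""])[0]
    m = re.search(r"max-age=(\d+)", hsts, re.I)
    results["hsts_one_year"] = bool(m) and int(m.group(1)) >= ONE_YEAR
    # Section 4: CSP on every response, X-Frame-Options: DENY on every page.
    results["csp_present"] = bool(h.get("content-security-policy", [""])[0])
    results["xfo_deny"] = h.get("x-frame-options", [""])[0].upper() == "DENY"
    # Section 3: session cookie must be HttpOnly, Secure and SameSite=Lax.
    cookie = next((c for c in h.get("set-cookie", [])
                   if c.startswith(cookie_name + "=")), "")
    attrs = {a.strip().lower() for a in cookie.split(";")[1:]}
    results["cookie_flags"] = {"httponly", "secure", "samesite=lax"} <= attrs
    return results


if __name__ == "__main__":
    for control, ok in check_policy(SAMPLE_HEADERS).items():
        print(f"{control}: {'ok' if ok else 'MISSING'}")
```

Feed it the raw headers of a real response (for example from `curl -sI`) to confirm each stated control is present on the pages it should cover.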
5. Payment Security
All payments are processed by Stripe, a PCI DSS Level 1 certified provider. ClearYear never handles or stores card numbers, CVV codes, or bank details. Stripe's security policy applies to all payment data.
6. Infrastructure
- Hosted on Railway — a SOC 2 compliant cloud platform
- Database backups are performed automatically
- Environment variables and secrets are never committed to source code
7. Vulnerability Disclosure
If you discover a security vulnerability, please report it responsibly to support@clearyear.co.uk. We will acknowledge your report within 48 hours and aim to resolve confirmed issues promptly.
8. Contact
ClearYear · Andrean Tahchiev (Sole Trader)
Email: support@clearyear.co.uk