Security Policy

Last updated: 16 April 2026

1. Responsible Disclosure

We take the security of RegNexus Books and the data entrusted to us seriously. If you believe you have discovered a security vulnerability, we encourage you to report it responsibly.

Please email your findings to security@reg-nexus.com. Include sufficient detail for us to reproduce and assess the issue, such as steps to reproduce, affected endpoints, and any supporting evidence (screenshots, logs, proof-of-concept code).

We ask that you do not publicly disclose the vulnerability until we have had a reasonable opportunity to investigate and remediate it.

2. What to Report

We welcome reports on the following types of issues:

  • Unauthorised access to accounts or data
  • Data exposure or information leakage
  • Authentication or session management flaws
  • Injection vulnerabilities (SQL, XSS) and cross-site request forgery (CSRF)
  • Privilege escalation between tenants or roles
  • Insecure direct object references
  • Cryptographic weaknesses
  • API security issues

3. What to Expect

When you submit a report, you can expect:

  • Acknowledgement — within 48 hours of receipt
  • Investigation — initial assessment within 5 business days
  • Updates — we will keep you informed of our progress and notify you when the issue has been resolved
  • Credit — with your permission, we will acknowledge your contribution

We will not take legal action against researchers who report vulnerabilities in good faith and in accordance with this policy.

4. Data Protection

RegNexus Books employs multiple layers of security to protect your financial data:

  • Encryption in transit — all connections secured with TLS 1.3. HSTS enforced across all endpoints.
  • Encryption at rest — sensitive data (HMRC OAuth tokens, API keys) encrypted using AES-256-GCM before storage.
  • Role-based access control — strict RBAC with tenant isolation. Users can only access data belonging to their organisation.
  • Audit logging — all significant actions (logins, data changes, submissions) are logged with timestamps and actor identity.
  • Dependency management — automated vulnerability scanning of third-party packages with prompt patching.

5. Incident Response

In the event of a confirmed security breach involving personal data, FYM Compliance Limited will:

  • Notify the Information Commissioner's Office (ICO) within 72 hours as required by UK GDPR Article 33
  • Notify HMRC where the breach involves tax data or MTD credentials
  • Inform affected users without undue delay, including the nature of the breach, likely consequences, and measures taken
  • Conduct a root-cause analysis and implement remedial measures to prevent recurrence

6. Contact

For security-related enquiries or to report a vulnerability:

FYM Compliance Limited
Email: security@reg-nexus.com

For general privacy enquiries, see our Privacy Policy.