Security Practices
Regulas is built with security at every layer — from encrypted data storage to HMRC-compliant fraud prevention headers.
Security Measures
Encryption at Rest
All sensitive data, including NINOs and HMRC OAuth tokens, is encrypted with AES-256-GCM using a fresh, unique initialisation vector (nonce) for every encryption. Nonce uniqueness is what keeps GCM secure: reusing a nonce under the same key leaks relationships between plaintexts and allows forged ciphertexts.
Encryption in Transit
All data transmitted between your browser, our servers and HMRC uses TLS 1.2 or higher. HTTPS is enforced on every endpoint.
Password Security
Passwords are hashed with bcrypt, which generates a random per-user salt for every hash. We never store plaintext passwords, and minimum length and complexity rules are enforced.
NINO Protection
Dual-layer protection: AES-256-GCM encryption for reversible storage, plus a keyed HMAC-SHA256 digest used as a lookup index so a NINO can be found without decrypting or exposing the raw value. The index must be keyed rather than a plain hash: the NINO space is small enough to enumerate, so an unkeyed hash could be reversed by brute force. The encryption key and the index key are separate.
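The following is an added illustration of the two layers described in the Encryption at Rest and NINO Protection entries, written in Go against the standard library; it is not Regulas's own code. It assumes two 32-byte keys supplied by a KMS, a hypothetical record ID used to bind each ciphertext to its row, and a simplified NINO format check that does not implement HMRC's full prefix rules.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
	"regexp"
	"strings"
)

// Simplified shape check (two letters, six digits, suffix A-D), not HMRC's full prefix rules.
var ninoShape = regexp.MustCompile(`^[A-Z]{2}[0-9]{6}[A-D]$`)

// Vault holds two independent keys: one for reversible AES-256-GCM storage and one
// for the HMAC-SHA256 lookup index, so a leaked index key reveals nothing about ciphertexts.
type Vault struct {
	aead     cipher.AEAD
	indexKey []byte
}

func NewVault(encKey, indexKey []byte) (*Vault, error) {
	if len(encKey) != 32 || len(indexKey) != 32 {
		return nil, errors.New("both keys must be 32 bytes")
	}
	block, err := aes.NewCipher(encKey)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Vault{aead: aead, indexKey: indexKey}, nil
}

// NormaliseNINO canonicalises input so "ab 12 34 56 c" and "AB123456C"
// encrypt and index identically.
func NormaliseNINO(raw string) (string, error) {
	n := strings.ToUpper(strings.Join(strings.Fields(raw), ""))
	if !ninoShape.MatchString(n) {
		return "", errors.New("invalid NINO format")
	}
	return n, nil
}

// Seal encrypts under a fresh random 96-bit nonce (GCM's guarantees collapse if a
// nonce repeats under the same key) and binds the ciphertext to recordID through
// GCM's additional authenticated data. Layout: nonce || ciphertext || tag.
func (v *Vault) Seal(nino, recordID string) ([]byte, error) {
	n, err := NormaliseNINO(nino)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, v.aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return v.aead.Seal(nonce, nonce, []byte(n), []byte(recordID)), nil
}

// Open decrypts a blob from Seal for the same recordID. Any change to nonce,
// ciphertext, tag or recordID makes the authentication check fail.
func (v *Vault) Open(blob []byte, recordID string) (string, error) {
	ns := v.aead.NonceSize()
	if len(blob) < ns+v.aead.Overhead() {
		return "", errors.New("ciphertext too short")
	}
	pt, err := v.aead.Open(nil, blob[:ns], blob[ns:], []byte(recordID))
	if err != nil {
		return "", errors.New("decryption failed") // no GCM internals in the error
	}
	return string(pt), nil
}

// Index returns a deterministic keyed digest for an equality-lookup column.
// A plain SHA-256 would not do: the NINO space is small enough to enumerate,
// so only the secret key stops an attacker reversing the column.
func (v *Vault) Index(nino string) (string, error) {
	n, err := NormaliseNINO(nino)
	if err != nil {
		return "", err
	}
	mac := hmac.New(sha256.New, v.indexKey)
	mac.Write([]byte(n))
	return hex.EncodeToString(mac.Sum(nil)), nil
}

func main() {
	encKey, indexKey := make([]byte, 32), make([]byte, 32)
	for _, k := range [][]byte{encKey, indexKey} {
		rand.Read(k) // demo only; production keys come from a KMS
	}
	v, _ := NewVault(encKey, indexKey)
	blob, _ := v.Seal("ab 12 34 56 c", "user-42")
	plain, _ := v.Open(blob, "user-42")
	_, swapped := v.Open(blob, "user-43") // same blob, different record: rejected
	fmt.Println(len(blob), plain, swapped)
}
```

Two design points worth noting: every Seal call draws a new nonce, so encrypting the same NINO twice yields different blobs (the test below checks this), and the record ID goes into the authenticated data so that a ciphertext moved to another row cannot be decrypted there.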
Infrastructure Security
Hosted on AWS with VPC network isolation, WAF protection, encrypted EBS volumes, and private subnets for databases.
Audit Logging
All significant operations are recorded in an immutable audit log with the user ID, action type, timestamp and source IP address. Entries are retained for at least two years.
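One way to make an audit log tamper-evident, shown here as an added example in Go and not as Regulas's implementation: each entry carries a keyed HMAC-SHA256 over its own fields and the hash of the previous entry, so editing, deleting or reordering a stored row breaks the chain at that point. The action names, IP addresses and timestamps are constructed sample data, and the HMAC key is assumed to be held by the service rather than the database.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"time"
)

// AuditEntry carries the fields the page lists plus the chain link that makes
// edits detectable: each entry commits to the hash of its predecessor.
type AuditEntry struct {
	Seq       int       `json:"seq"`
	UserID    string    `json:"user_id"`
	Action    string    `json:"action"`
	Timestamp time.Time `json:"ts"`
	IP        string    `json:"ip"`
	PrevHash  string    `json:"prev_hash"`
	Hash      string    `json:"hash"` // HMAC-SHA256 over every field above
}

// AuditLog exposes Append and Verify only; there is no update or delete.
type AuditLog struct {
	key     []byte // HMAC key, held by the service, not by the database
	entries []AuditEntry
}

func NewAuditLog(key []byte) *AuditLog { return &AuditLog{key: key} }

// digest keys a hash over the canonical JSON of the entry with Hash cleared, so
// the stored Hash covers every other field, including PrevHash.
func (l *AuditLog) digest(e AuditEntry) string {
	e.Hash = ""
	b, _ := json.Marshal(e) // struct field order is fixed, so the encoding is canonical
	m := hmac.New(sha256.New, l.key)
	m.Write(b)
	return hex.EncodeToString(m.Sum(nil))
}

// Append records one operation and links it to the previous entry.
func (l *AuditLog) Append(userID, action, ip string, at time.Time) AuditEntry {
	prev := ""
	if n := len(l.entries); n > 0 {
		prev = l.entries[n-1].Hash
	}
	e := AuditEntry{Seq: len(l.entries), UserID: userID, Action: action,
		Timestamp: at.UTC(), IP: ip, PrevHash: prev}
	e.Hash = l.digest(e)
	l.entries = append(l.entries, e)
	return e
}

// Verify recomputes every link and returns the index of the first entry whose
// sequence number, back-link or hash is wrong, or -1 if the chain is intact.
func (l *AuditLog) Verify() int {
	prev := ""
	for i, e := range l.entries {
		if e.Seq != i || e.PrevHash != prev ||
			!hmac.Equal([]byte(e.Hash), []byte(l.digest(e))) {
			return i
		}
		prev = e.Hash
	}
	return -1
}

// Entries returns the backing slice (for export, or for the tamper demo below).
func (l *AuditLog) Entries() []AuditEntry { return l.entries }

func main() {
	log := NewAuditLog([]byte("demo-key: use a KMS-managed key in production"))
	t0 := time.Date(2024, 4, 6, 9, 0, 0, 0, time.UTC) // constructed sample data
	log.Append("user-42", "LOGIN", "203.0.113.7", t0)
	log.Append("user-42", "NINO_VIEW", "203.0.113.7", t0.Add(time.Minute))
	log.Append("agent-7", "SUBMIT_RETURN", "198.51.100.2", t0.Add(2*time.Minute))
	fmt.Println("intact, first bad index:", log.Verify())
	log.Entries()[1].IP = "10.0.0.1" // an attacker rewrites a stored row in place
	fmt.Println("after edit, first bad index:", log.Verify())
}
```

The chain detects in-place edits, deletions from the middle and reordering, but not truncation of the newest entries: whoever can drop the tail can present a shorter chain that still verifies. Anchoring the latest hash somewhere the application cannot overwrite (a write-once store or a separate system) closes that gap.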
HMRC Fraud Prevention
Full implementation of the HMRC Transaction Monitoring fraud prevention specification v3.3: approximately 16 mandatory headers per API call. The exact set depends on the connection method declared in the Gov-Client-Connection-Method header.
Error Isolation
Errors are isolated at the request level, so a failure in one request cannot affect others. Responses never expose stack traces, database details or internal paths, and HMRC API errors are wrapped and classified before being returned to the client.
Authentication & Access Control
- JWT Authentication: Stateless JSON Web Tokens with a short expiry; the signature and expiry are validated on every request. Because a stateless token cannot be revoked individually, the short lifetime bounds the exposure if one is stolen.
- Role-Based Access Control (RBAC): Three roles — user, agent, and admin — each with distinct permission boundaries.
- HMRC OAuth 2.0: Authorisation code grant flow. Tokens refreshed automatically and encrypted at rest. Revocable at any time.
- Subscription Gating: Feature access controlled by subscription tier via middleware.
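The following is an added example, in Go against the standard library, of how the four controls above fit together in one middleware decision; it is not Regulas's code. It assumes HS256 tokens, claim names `role` and `tier`, an illustrative permission matrix for the three roles the page names, and hypothetical tier names (free, standard, professional). The verifier pins the algorithm before checking the signature and only parses claims after the MAC matches, which is what blocks `alg: none` and payload-tampering attacks against stateless tokens.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
	"strings"
	"time"
)

// Claims is the token payload; role and tier are assumed claim names.
type Claims struct {
	Sub  string `json:"sub"`
	Role string `json:"role"`
	Tier string `json:"tier"`
	Exp  int64  `json:"exp"`
}

var ErrInvalidToken = errors.New("invalid token")

func Segment(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// Sign issues a compact HS256 token. Keep the lifetime short: a stateless
// token cannot be revoked individually, so expiry bounds the damage from theft.
func Sign(key []byte, c Claims) string {
	p, _ := json.Marshal(c)
	input := Segment([]byte(`{"alg":"HS256","typ":"JWT"}`)) + "." + Segment(p)
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(input))
	return input + "." + Segment(mac.Sum(nil))
}

// Verify pins the algorithm to HS256 (rejecting "none" and algorithm-swap
// headers), compares the MAC in constant time, and only then parses the
// claims and enforces exp.
func Verify(key []byte, token string, now time.Time) (Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return Claims{}, ErrInvalidToken
	}
	var hdr struct {
		Alg string `json:"alg"`
	}
	h, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil || json.Unmarshal(h, &hdr) != nil || hdr.Alg != "HS256" {
		return Claims{}, ErrInvalidToken
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil {
		return Claims{}, ErrInvalidToken
	}
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(parts[0] + "." + parts[1]))
	if !hmac.Equal(sig, mac.Sum(nil)) {
		return Claims{}, ErrInvalidToken
	}
	var c Claims
	p, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil || json.Unmarshal(p, &c) != nil {
		return Claims{}, ErrInvalidToken
	}
	if c.Exp == 0 || !now.Before(time.Unix(c.Exp, 0)) {
		return Claims{}, errors.New("token expired")
	}
	return c, nil
}

// rolePerms is an illustrative matrix for the three roles; action names are assumed.
var rolePerms = map[string]map[string]bool{
	"user":  {"self:read": true, "self:submit": true},
	"agent": {"self:read": true, "self:submit": true, "client:read": true, "client:submit": true},
	"admin": {"self:read": true, "self:submit": true, "client:read": true, "client:submit": true, "users:manage": true},
}

// tierRank orders hypothetical subscription tiers for gating.
var tierRank = map[string]int{"free": 0, "standard": 1, "professional": 2}

// Authorize is the middleware decision: 401 when the token is missing, forged
// or expired; 403 when it is valid but the role or tier is insufficient.
func Authorize(key []byte, token, action, minTier string, now time.Time) (int, Claims) {
	c, err := Verify(key, token, now)
	if err != nil {
		return http.StatusUnauthorized, Claims{}
	}
	if !rolePerms[c.Role][action] || tierRank[c.Tier] < tierRank[minTier] {
		return http.StatusForbidden, c
	}
	return http.StatusOK, c
}

func main() {
	key := []byte("demo-key: use a KMS-managed secret in production")
	now := time.Now()
	tok := Sign(key, Claims{Sub: "user-42", Role: "agent", Tier: "standard", Exp: now.Add(15 * time.Minute).Unix()})
	status, c := Authorize(key, tok, "client:read", "standard", now)
	fmt.Println(status, c.Sub)
	status, _ = Authorize(key, tok, "users:manage", "standard", now)
	fmt.Println(status)
}
```

Returning 401 for any verification failure and 403 only for a verified token keeps the two failure classes distinct in logs, which matters when hunting for token forgery attempts versus ordinary permission denials.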
Compliance & Standards
Responsible Disclosure
If you discover a security vulnerability, please report it responsibly:
Please do not publicly disclose any vulnerability until we have had a reasonable opportunity to address it.
