Security

Last updated: 10 March 2026

Reporting a vulnerability

If you have discovered a security vulnerability or suspect a data breach, please contact us immediately at security@letsort.co.uk.

Please include:

  • A description of the vulnerability or incident
  • Steps to reproduce the issue, if applicable
  • The potential impact as you understand it
  • Your contact details so we can follow up

We will acknowledge your report within 24 hours and aim to provide an initial assessment within 72 hours. We ask that you do not publicly disclose the issue until we have had a reasonable opportunity to address it.

How we protect your data

  • Encryption in transit — all connections use TLS 1.2 or higher. HSTS is enforced on all domains.
  • Encryption at rest — sensitive data such as National Insurance numbers is encrypted using AES-256-GCM before storage.
  • Authentication — sessions are managed via secure, HTTP-only cookies. Passwords are hashed using bcrypt.
  • HMRC OAuth tokens — stored server-side and never exposed to the browser. Token refresh is handled automatically.
  • Database — hosted on Neon Postgres with encrypted connections. All queries use parameterised statements via Drizzle ORM to prevent SQL injection.
  • Security headers — X-Content-Type-Options, X-Frame-Options, Referrer-Policy, Permissions-Policy, and Strict-Transport-Security are set on all responses.
  • Rate limiting — applied to authentication, HMRC API calls, and public endpoints to prevent abuse.

HMRC integration security

LetSort connects to HMRC via their official Making Tax Digital APIs using OAuth 2.0. We follow HMRC's development practices, including:

  • Server-side API calls only — no HMRC requests from the browser
  • Fraud prevention headers submitted with every HMRC request
  • Application-wide rate limiting to respect HMRC's 3 requests/second limit
  • No certificate pinning or IP pinning of HMRC endpoints, because HMRC may change its certificates and IP addresses
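As an added example (not LetSort's code) of the application-wide limit described above, the sliding-window limiter below caps outbound HMRC calls at 3 in any 1-second window and backs off on an HTTP 429 rather than retrying immediately. The 3 requests/second figure comes from the page; the window algorithm, the `withRateLimit` wrapper, the use of a `Retry-After` header (treated as optional, defaulting to 1 second) and the injectable clock used to make the behaviour deterministic are assumptions of this example.

```javascript
// Added example (not LetSort's code): a sliding-window log limiter for HMRC calls.
// Unlike a token bucket with a burst allowance, a sliding log guarantees at most
// `limit` sends in any `windowMs` interval, which is what "3 requests/second" means.
class SlidingWindowLimiter {
  constructor({ limit, windowMs, now = () => Date.now() }) {
    this.limit = limit;
    this.windowMs = windowMs;
    this.now = now;       // injectable clock, so behaviour can be tested deterministically
    this.sent = [];       // timestamps of recent sends, oldest first
  }
  prune(t) {
    while (this.sent.length && this.sent[0] <= t - this.windowMs) this.sent.shift();
  }
  // 0 if a request may go now, otherwise ms until the oldest send leaves the window.
  msUntilSlot() {
    const t = this.now();
    this.prune(t);
    return this.sent.length < this.limit ? 0 : this.sent[0] + this.windowMs - t;
  }
  // Records a send and returns true, or returns false if the window is full.
  tryAcquire() {
    const t = this.now();
    this.prune(t);
    if (this.sent.length >= this.limit) return false;
    this.sent.push(t);
    return true;
  }
}

// Wraps an outbound call: waits for a slot, sends, and honours a 429 by sleeping
// for Retry-After seconds (assumed optional; 1 s if absent) before retrying.
async function withRateLimit(limiter, send,
  { sleep = (ms) => new Promise((r) => setTimeout(r, ms)), maxAttempts = 3 } = {}) {
  for (let attempt = 1; attempt <= maxAttempts; attempt++) {
    // Loop rather than assume: another caller may take the slot we waited for.
    while (!limiter.tryAcquire()) await sleep(Math.max(1, limiter.msUntilSlot()));
    const res = await send();
    if (res.status !== 429 || attempt === maxAttempts) return res;
    const retryAfterSec = Number(res.headers?.["retry-after"] ?? 1) || 1;
    await sleep(retryAfterSec * 1000);
  }
}

// Simulation 1: n back-to-back requests under a fake clock. Returns the virtual
// send times and the most sends seen in any 1-second window.
async function simulateBurst(n) {
  let t = 0;
  const limiter = new SlidingWindowLimiter({ limit: 3, windowMs: 1000, now: () => t });
  const sleep = async (ms) => { t += ms; };     // advance the fake clock instead of waiting
  const sendTimes = [];
  for (let i = 0; i < n; i++) {
    await withRateLimit(limiter, async () => { sendTimes.push(t); return { status: 200 }; }, { sleep });
  }
  let maxInAnySecond = 0;
  for (const s of sendTimes) {
    const inWindow = sendTimes.filter((x) => x >= s && x < s + 1000).length;
    maxInAnySecond = Math.max(maxInAnySecond, inWindow);
  }
  return { sendTimes, maxInAnySecond };
}

// Simulation 2: HMRC answers 429 with Retry-After: 2 on the first call (constructed
// response), then 200. Returns the final status, call count and virtual time spent.
async function simulateRetryAfter() {
  let t = 0;
  const limiter = new SlidingWindowLimiter({ limit: 3, windowMs: 1000, now: () => t });
  const sleep = async (ms) => { t += ms; };
  let calls = 0;
  const send = async () => {
    calls += 1;
    return calls === 1 ? { status: 429, headers: { "retry-after": "2" } } : { status: 200 };
  };
  const res = await withRateLimit(limiter, send, { sleep });
  return { status: res.status, calls, elapsedMs: t };
}
```

One caveat for a Workers deployment: the log above lives in one isolate's memory, so it limits that isolate only. An application-wide limit across isolates needs the send log in shared state (a Durable Object, Redis, or similar), with the same slot and prune logic applied there.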

Incident response

We maintain an incident response plan covering security breaches, data exposure, and service outages. In the event of a personal data breach, we will notify the Information Commissioner's Office within 72 hours of becoming aware of it, as required by UK GDPR, and inform affected users without undue delay.

For HMRC-related security incidents, we will report to HMRC Developer Support immediately.

Infrastructure

  • Web application — hosted on Vercel, serving from edge locations within the EEA.
  • API — hosted on Cloudflare Workers, with data processing in the EU (London region).
  • Database — Neon Postgres, AWS eu-west-2 (London).

Contact

Security issues: security@letsort.co.uk

Privacy enquiries: privacy@letsort.co.uk