Security Statement

1. Overview

ForwardifyMtd is designed to support secure online invoicing, company data separation, user access control and HMRC MTD VAT integration. No online service can be guaranteed to be completely secure, but we aim to use appropriate technical and organisational safeguards.

2. Account and access controls

3. Data protection measures

Our data protection measures may include:

• encrypted HTTPS connections;
• restricted database access;
• server access controls;
• backup procedures;
• audit logs for key actions;
• separation of customer/company data;
• secure configuration management;
• appropriate staff or contractor confidentiality obligations.

4. HMRC MTD VAT security

Where the application connects to HMRC MTD VAT services, we use HMRC’s authorisation flow and transmit fraud prevention header data where required.

Customers are responsible for ensuring that:

• only authorised users can connect to HMRC;
• HMRC authorisation is not misused;
• VAT return figures are checked before submission;
• users do not interfere with fraud prevention header data;
• suspected unauthorised access is reported promptly.

5. Infrastructure and hosting

The application may be hosted using [Hosting Provider / Infrastructure Provider]. Infrastructure controls may include firewalls, restricted access, monitoring, patching, backups and disaster recovery procedures.

Hosting and infrastructure providers may change from time to time. Where relevant, these providers will be listed in our Subprocessor List.

6. Monitoring and logging

We may maintain logs to help secure the service, investigate errors, prevent fraud, detect unauthorised access and support audit trails.

Logs may include login events, IP addresses, user agent information, system events, invoice actions, HMRC API activity and email sending records.

7. Backups and recovery

We may create backups for operational resilience, disaster recovery and accidental data loss protection.

Backups are not a substitute for your own exports or statutory record keeping. You should export and retain business records where appropriate.

8. Customer security responsibilities

You are responsible for:

• using strong and unique passwords;
• keeping login details confidential;
• ensuring user access is removed when no longer needed;
• checking user roles and permissions;
• using secure devices and networks;
• checking invoice and VAT data before submission;
• exporting records where needed;
• reporting suspected security incidents promptly.

9. Incident response

If we identify a security incident affecting customer data, we will investigate and take reasonable steps to contain, assess and address the issue.

Where required, we will notify affected customers or relevant authorities in accordance with applicable law.

10. Reporting security issues