Trust & compliance

Security & HMRC

Last updated: 7 June 2026

HMRC Making Tax Digital

Fynmerge is built for Making Tax Digital (MTD), the UK government's programme to modernise the tax system. Our platform:

  • Tracks MTD for Income Tax quarterly obligations for sole traders and landlords.
  • Will support direct HMRC API submission when the MTD for Income Tax mandate applies to your business (April 2026 for earnings over £50,000; April 2027 for £30,000+).
  • Stores financial records in the format required by HMRC digital record-keeping rules.

We are in the process of completing our HMRC MTD software recognition. For the latest status, contact compliance@fynmerge.co.

Open Banking security

Fynmerge connects to your bank via Open Banking, regulated in the UK under the Payment Services Regulations 2017 (PSR). This means:

  • We are an FCA-registered Account Information Service Provider (AISP).
  • We have read-only access to your transaction data — we can never move money.
  • Your bank login credentials are never shared with or stored by Fynmerge.
  • You consent directly through your bank's own secure interface.
  • You can revoke access at any time from within your bank or Fynmerge settings.

Data security

  • Encryption in transit: All data is transmitted over TLS 1.3.
  • Encryption at rest: Database encryption at rest is enabled on all storage layers.
  • AES-256 field encryption: Sensitive PII fields (UTR, VAT number, bank identifiers) are encrypted at the application layer in addition to database-level encryption.
  • Authentication: Passwords are hashed with bcrypt. Multi-factor authentication (MFA) is available on all accounts.
  • Access control: Row-level security is enforced at the database level; users can only access their own organisation's data.
  • Infrastructure: Hosted on ISO 27001-certified infrastructure (Supabase / Railway). EU data residency for all production workloads.

Responsible disclosure

If you discover a security vulnerability in Fynmerge, please report it responsibly to security@fynmerge.co. We aim to acknowledge reports within 24 hours and resolve critical issues within 72 hours.

Compliance

  • UK GDPR compliant — ICO registered Data Controller.
  • PSD2 compliant Open Banking integration via TrueLayer (FCA regulated).
  • SOC 2 Type II compliance — in progress (target: Q4 2026).

Contact

For security or compliance questions: security@fynmerge.co

© 2026 Fynmerge Ltd