Security
Calceum is built to protect the data you trust us with. This page sets out the measures, standards, and practices that underpin how we handle your information — including HMRC OAuth tokens, National Insurance Numbers (NINOs), and financial records.
If you’ve found a security issue, please see Responsible Disclosure below.
Security Measures
Encryption at Rest
All sensitive data — including NINOs and HMRC OAuth tokens — is encrypted using AES-256-GCM with unique initialisation vectors. Database storage volumes are encrypted at rest.
Encryption in Transit
All communication with Calceum is enforced over HTTPS using TLS 1.2 or higher, and HSTS is enabled so browsers refuse to downgrade to an unencrypted connection.
Password Security
User passwords are hashed using bcrypt with per-user salts. Complexity rules are enforced at sign-up and on password change.
NINO Protection
National Insurance Numbers are protected by a dual-layer approach: reversible encryption for stored values, and HMAC-SHA256 fingerprints for indexed lookups. This means we can locate a record by NINO without ever decrypting it.
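The following Go program is an added illustration of the two mechanisms described under Encryption at Rest and NINO Protection; it is not Calceum's own code. It assumes two independent keys (one for AES-256-GCM, one for HMAC-SHA256), a hypothetical in-memory map standing in for the database index, and a constructed sample NINO in HMRC's documentation format. A record is located by its keyed fingerprint without touching the ciphertext, each encryption uses a fresh random nonce, and GCM's authentication tag rejects stored values that have been altered.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
	"strings"
)

// Record is what storage would hold: no plaintext NINO, only nonce and ciphertext.
type Record struct {
	Name       string
	Nonce      []byte
	Ciphertext []byte
}

// Vault holds two independent keys: AES-256-GCM for the reversible value and
// HMAC-SHA256 for the one-way index. Keys here are hypothetical; a real
// deployment would obtain them from a KMS rather than embed them.
type Vault struct {
	aead    cipher.AEAD
	hmacKey []byte
	records map[string]Record // keyed by fingerprint, standing in for a DB index
}

func NewVault(encKey, hmacKey []byte) (*Vault, error) {
	if len(encKey) != 32 {
		return nil, errors.New("AES-256 needs a 32-byte key")
	}
	block, err := aes.NewCipher(encKey)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Vault{aead: aead, hmacKey: hmacKey, records: map[string]Record{}}, nil
}

// normaliseNINO canonicalises input so "qq 12 34 56 c" and "QQ123456C" fingerprint identically.
func normaliseNINO(nino string) string {
	return strings.ToUpper(strings.ReplaceAll(nino, " ", ""))
}

// Fingerprint is a keyed, deterministic digest: equal NINOs give equal values
// (so lookups work), but without the HMAC key the small NINO space cannot be
// enumerated to recover values from the index.
func (v *Vault) Fingerprint(nino string) string {
	mac := hmac.New(sha256.New, v.hmacKey)
	mac.Write([]byte(normaliseNINO(nino)))
	return hex.EncodeToString(mac.Sum(nil))
}

// Store encrypts the NINO under a fresh random 96-bit nonce and indexes it by fingerprint.
func (v *Vault) Store(name, nino string) (string, error) {
	nonce := make([]byte, v.aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return "", err
	}
	// The column name is bound as associated data so a ciphertext moved to a
	// different column will fail authentication.
	ct := v.aead.Seal(nil, nonce, []byte(normaliseNINO(nino)), []byte("nino"))
	fp := v.Fingerprint(nino)
	v.records[fp] = Record{Name: name, Nonce: nonce, Ciphertext: ct}
	return fp, nil
}

// Lookup locates a record by NINO using only the fingerprint; nothing is decrypted.
func (v *Vault) Lookup(nino string) (Record, bool) {
	r, ok := v.records[v.Fingerprint(nino)]
	return r, ok
}

// Decrypt is the only path that recovers the plaintext; GCM's tag check
// rejects any ciphertext that was modified in storage.
func (v *Vault) Decrypt(r Record) (string, error) {
	plain, err := v.aead.Open(nil, r.Nonce, r.Ciphertext, []byte("nino"))
	if err != nil {
		return "", err
	}
	return string(plain), nil
}

func main() {
	encKey, hmacKey := make([]byte, 32), make([]byte, 32)
	rand.Read(encKey) // constructed keys for the demo only
	rand.Read(hmacKey)
	v, err := NewVault(encKey, hmacKey)
	if err != nil {
		panic(err)
	}
	// "QQ 12 34 56 C" is a constructed sample in HMRC's documentation format, not a real NINO.
	fp, _ := v.Store("Example Taxpayer", "QQ 12 34 56 C")
	rec, found := v.Lookup("qq123456c")
	fmt.Printf("fingerprint=%s... found=%v name=%s\n", fp[:12], found, rec.Name)
}
```

The fingerprint key must be separate from the encryption key and equally well protected: anyone holding it can compute fingerprints for candidate NINOs and test them against the index, which is exactly what the keyed HMAC prevents an attacker with only a database dump from doing.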
Infrastructure Security
Calceum is hosted on Amazon Web Services in the eu-west-2 (London) region. We use VPC isolation, AWS WAF in front of internet-facing endpoints, encrypted EBS volumes, and private subnets for databases — accessible only from application servers within the VPC.
Audit Logging
Calceum maintains immutable audit logs covering authentication events, HMRC submissions, and material changes to your data. Each log entry captures user ID, action type, timestamp, and source IP. Logs are retained for a minimum of two years.
HMRC Fraud Prevention
Calceum implements the HMRC Transaction Monitoring fraud prevention specification (v3.3), submitting the full set of required headers with every API call. This is a statutory requirement for MTD software and helps HMRC detect fraudulent activity on accounts.
Error Isolation
Stack traces and credentials are masked in logs and never returned to the client. Errors from the HMRC API are wrapped so internal implementation details and tokens are never exposed.
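As an added example of the error-isolation pattern described above (not Calceum's code), the Go program below wraps an upstream failure into a client-safe error. The internal detail is logged only after bearer tokens and NINO-shaped strings are masked, and it is keyed by a correlation id; the client receives the id and a generic message, never the upstream text. The error codes, messages, endpoint path and regular expressions are hypothetical.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"log"
	"os"
	"regexp"
)

// ClientError is the only error shape that leaves the service.
type ClientError struct {
	Code          string `json:"code"`
	Message       string `json:"message"`
	CorrelationID string `json:"correlationId"`
}

func (e *ClientError) Error() string {
	return e.Code + ": " + e.Message + " (ref " + e.CorrelationID + ")"
}

var (
	// Bearer tokens in any Authorization-style text.
	bearerRe = regexp.MustCompile(`(?i)bearer\s+[A-Za-z0-9._~+/-]+=*`)
	// Deliberately broad NINO shape (two letters, six digits, suffix letter);
	// over-redacting a log line is cheaper than leaking one.
	ninoRe = regexp.MustCompile(`\b[A-Z]{2}\s?\d{2}\s?\d{2}\s?\d{2}\s?[A-D]\b`)
)

// Redact masks credentials and NINOs before a string reaches any log sink.
func Redact(s string) string {
	s = bearerRe.ReplaceAllString(s, "Bearer [REDACTED]")
	s = ninoRe.ReplaceAllString(s, "[NINO REDACTED]")
	return s
}

func newCorrelationID() string {
	b := make([]byte, 8)
	if _, err := rand.Read(b); err != nil {
		return "unavailable"
	}
	return hex.EncodeToString(b)
}

// WrapUpstream converts an HMRC-side failure into a ClientError. The redacted
// detail is logged under a correlation id; the client sees the id and a
// fixed message chosen from the status, nothing from the upstream body.
func WrapUpstream(logger *log.Logger, op string, status int, upstreamErr error) *ClientError {
	id := newCorrelationID()
	logger.Printf("correlation=%s op=%s upstream_status=%d detail=%q",
		id, op, status, Redact(upstreamErr.Error()))
	code, msg := "UPSTREAM_ERROR", "HMRC could not process the request; quote the reference when contacting support."
	if status == 401 || status == 403 {
		code, msg = "HMRC_AUTHORISATION_REQUIRED", "Your HMRC connection needs to be renewed."
	}
	return &ClientError{Code: code, Message: msg, CorrelationID: id}
}

func main() {
	logger := log.New(os.Stderr, "", log.LstdFlags)
	// Constructed upstream failure carrying a token and a NINO, as a raw client error might.
	upstream := errors.New("POST /example/endpoint returned 503; request had Authorization: Bearer eyJabc.def.ghi nino=QQ 12 34 56 C")
	ce := WrapUpstream(logger, "submit-return", 503, upstream)
	fmt.Println("returned to client:", ce.Error())
}
```

Redaction by pattern is a backstop, not the primary control: the HMRC client should never put tokens into error strings in the first place. The correlation id is what support staff use to find the full server-side entry, so it must appear in both the log line and the client response.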
Authentication & Access Control
- JWT tokens with short expiry for application sessions
- Role-Based Access Control (RBAC) — taxpayer, agent, and admin roles, each with explicit permission scopes
- HMRC OAuth 2.0 authorisation code flow for connecting to HMRC, with refresh tokens rotated on use
- Subscription-tier gating enforced server-side via middleware
Compliance & Standards
- UK GDPR
- HMRC Making Tax Digital recognition
- OAuth 2.0 (RFC 6749)
- AES-256-GCM (NIST-approved)
- TLS 1.2+
- bcrypt (OWASP-recommended for password storage)
- AWS Well-Architected security pillar
Responsible Disclosure
We welcome reports from security researchers and customers who identify vulnerabilities in Calceum.
If you believe you have found a security issue, please email security@calceum.com. Include a description of the issue, steps to reproduce, and the impact you believe it has.
- We will acknowledge receipt within 48 hours
- We will provide an initial assessment within 5 business days
- We ask that you do not publicly disclose the issue until we have had a reasonable opportunity to investigate and remediate
Thank you for helping us keep Calceum secure.
