Security
Last updated: 25 February 2026
Report a vulnerability
If you have discovered a security vulnerability in Cuppa, please disclose it responsibly by emailing:
Please include:
- A description of the vulnerability and its potential impact
- Steps to reproduce or a proof-of-concept
- Any affected URLs, endpoints, or components
We aim to acknowledge all reports within 2 business days and will keep you updated as we investigate and resolve the issue.
Responsible disclosure
We ask that you:
- Give us reasonable time to investigate and fix the issue before any public disclosure
- Avoid accessing, modifying, or deleting user data beyond what is necessary to demonstrate the vulnerability
- Refrain from denial-of-service attacks or automated scanning that could affect service availability
We will not take legal action against researchers who act in good faith and follow these guidelines.
Breach notification
In the event of a personal data breach, we follow a formal incident response process. Where required, we will notify the ICO within 72 hours and, where HMRC data is involved, notify HMRC within 72 hours. Affected users will be notified directly if the breach poses a high risk to their rights and freedoms.
For full details, see the Security incidents section of our Privacy Policy.
Security practices
Cuppa protects your data with:
- Encryption in transit (TLS) and at rest
- Field-level encryption for sensitive data (HMRC tokens, bank details)
- OAuth 2.0 for HMRC authentication — we never store your Government Gateway password
- Rate limiting on authentication and API endpoints
- Audit logging of security-relevant actions
Our Data Protection Impact Assessment (DPIA) and Information Security Policy are available on request. Contact privacy@cuppa.tax.