Your financial data is sensitive. We take its protection seriously. The measures described on this page reflect the security controls built into our platform.
Your information is protected at every layer
Sensitive personal and financial fields are encrypted at the individual field level using Fernet symmetric encryption (AES-128-CBC with HMAC-SHA256). This means that even if an attacker obtained a copy of our database, protected fields would be unreadable ciphertext without the encryption key.
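As an added illustration (not Wealth365's code), the following Python shows what field-level Fernet encryption looks like in practice using the `cryptography` library: non-sensitive columns stay searchable, protected columns are stored as opaque tokens, and both a modified token and a wrong key are rejected by the built-in HMAC check. The record layout and the field names are constructed for the example.

```python
from cryptography.fernet import Fernet, InvalidToken

# Constructed example: fields of a customer record that must never be stored in the clear.
PROTECTED_FIELDS = ("national_insurance_number", "salary")


def encrypt_record(record: dict, fernet: Fernet) -> dict:
    """Return a copy of the record with each protected field replaced by a Fernet token.

    Non-protected fields (ids, e-mail) stay searchable; protected ones become opaque
    base64 tokens carrying a version byte, timestamp, IV, AES-128-CBC ciphertext and
    an HMAC-SHA256 tag, so a tampered row fails verification instead of decrypting.
    """
    out = dict(record)
    for name in PROTECTED_FIELDS:
        if out.get(name) is not None:
            out[name] = fernet.encrypt(str(out[name]).encode("utf-8")).decode("ascii")
    return out


def decrypt_record(record: dict, fernet: Fernet) -> dict:
    """Inverse of encrypt_record; raises InvalidToken on a wrong key or a modified token.

    Values come back as strings; a real schema would re-apply the column type.
    """
    out = dict(record)
    for name in PROTECTED_FIELDS:
        if out.get(name) is not None:
            out[name] = fernet.decrypt(out[name].encode("ascii")).decode("utf-8")
    return out


def demo() -> dict:
    """Round-trip a constructed record and probe the two failure modes a stolen dump would hit."""
    # In production the key comes from a secrets manager, never from the database itself.
    fernet = Fernet(Fernet.generate_key())
    plain = {"id": 42, "email": "user@example.com",
             "national_insurance_number": "QQ123456C", "salary": 52000}
    stored = encrypt_record(plain, fernet)

    # A copy of the database row alone reveals nothing about the protected values.
    leaks_plaintext = "QQ123456C" in stored.values() or "52000" in stored.values()

    # Alter one base64 character inside the ciphertext: the HMAC check rejects the token.
    tok = stored["national_insurance_number"]
    flipped = "A" if tok[40] != "A" else "B"
    tampered = dict(stored, national_insurance_number=tok[:40] + flipped + tok[41:])
    try:
        decrypt_record(tampered, fernet)
        tamper_detected = False
    except InvalidToken:
        tamper_detected = True

    # A different key (a backup stolen without its key) cannot decrypt anything.
    try:
        decrypt_record(stored, Fernet(Fernet.generate_key()))
        wrong_key_rejected = False
    except InvalidToken:
        wrong_key_rejected = True

    return {
        # Every Fernet token starts with version byte 0x80 and a zero-padded timestamp.
        "token_prefix_ok": tok.startswith("gAAAAA"),
        "leaks_plaintext": leaks_plaintext,
        "roundtrip": decrypt_record(stored, fernet)["national_insurance_number"] == "QQ123456C",
        "tamper_detected": tamper_detected,
        "wrong_key_rejected": wrong_key_rejected,
    }


if __name__ == "__main__":
    print(demo())
```

The point of the design is that the key never sits next to the data: database access alone yields tokens that neither decrypt nor can be altered undetected.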
Your password is never stored, not even in encrypted form. Instead, we use bcrypt, a deliberately slow, adaptive hashing algorithm designed specifically for passwords. Even we cannot recover your password; we can only verify it.
All connections to Wealth365 are encrypted with TLS (HTTPS). Session cookies are flagged as Secure, meaning they are never transmitted over unencrypted connections.
Strict controls to protect your account from unauthorised access
Sessions use HttpOnly cookies (inaccessible to JavaScript), SameSite=Lax (prevents cross-site request attacks), and are transmitted only over HTTPS.
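To make the three cookie attributes named above concrete, here is an added Python example (not Wealth365's code) that builds a session cookie with the standard library's `http.cookies` and then audits an arbitrary `Set-Cookie` value for the hardening attributes a reviewer would look for. The cookie name, value and the 8-hour `Max-Age` bound are taken from this page's description; the audit thresholds are otherwise my own.

```python
from http.cookies import SimpleCookie

SESSION_MAX_AGE = 8 * 3600  # seconds; the page states an 8-hour session lifetime


def build_session_cookie(name: str, value: str, max_age: int = SESSION_MAX_AGE) -> str:
    """Return a Set-Cookie header value with Secure, HttpOnly and SameSite=Lax set."""
    cookie = SimpleCookie()
    cookie[name] = value
    cookie[name]["secure"] = True        # never sent over plain HTTP
    cookie[name]["httponly"] = True      # invisible to document.cookie / JavaScript
    cookie[name]["samesite"] = "Lax"     # not attached to cross-site POSTs
    cookie[name]["path"] = "/"
    cookie[name]["max-age"] = max_age
    return cookie[name].OutputString()


def audit_set_cookie(header: str) -> list:
    """Return the hardening attributes missing from a Set-Cookie value (empty list = passes).

    Attribute names are matched case-insensitively, as browsers do.
    """
    attrs = {}
    for part in header.split(";")[1:]:          # skip the name=value pair itself
        key, _, val = part.strip().partition("=")
        attrs[key.lower()] = val
    missing = []
    if "secure" not in attrs:
        missing.append("Secure")
    if "httponly" not in attrs:
        missing.append("HttpOnly")
    if attrs.get("samesite", "").lower() not in ("lax", "strict"):
        missing.append("SameSite=Lax|Strict")
    if attrs.get("max-age", "").isdigit() and int(attrs["max-age"]) > SESSION_MAX_AGE:
        missing.append("Max-Age<=%d" % SESSION_MAX_AGE)
    return missing


if __name__ == "__main__":
    hdr = build_session_cookie("sessionid", "opaque-random-id")
    print(hdr)
    print("missing:", audit_set_cookie(hdr))
    print("missing:", audit_set_cookie("sessionid=abc; Path=/"))
```

Running the audit against the application's real response headers (for example from a browser's network tab) is a quick way to confirm that these flags survive deployment through any proxy or CDN layer.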
Sessions are configured with an 8-hour lifetime and a 30-minute idle timeout: if you step away from your computer, your session expires automatically. Concurrent session limits prevent unauthorised reuse of credentials.
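The two timeouts and the concurrent-session limit interact in ways that are easy to get wrong (an idle check alone lets an active session live forever), so here is an added Python model of the policy, written for this page rather than taken from Wealth365. The 8-hour and 30-minute values come from the text; the concurrent-session cap of 3 is an assumed value, since the page does not give one.

```python
import secrets
from dataclasses import dataclass

ABSOLUTE_LIFETIME = 8 * 3600   # seconds; the page states an 8-hour lifetime
IDLE_TIMEOUT = 30 * 60         # seconds; the page states a 30-minute idle timeout
MAX_CONCURRENT = 3             # assumed value: the page gives no number


@dataclass
class Session:
    session_id: str
    user_id: str
    created_at: float
    last_seen_at: float


def session_state(s: Session, now: float) -> str:
    """Absolute lifetime is checked first, so constant activity cannot extend a session forever."""
    if now - s.created_at >= ABSOLUTE_LIFETIME:
        return "expired_lifetime"
    if now - s.last_seen_at >= IDLE_TIMEOUT:
        return "expired_idle"
    return "active"


class SessionStore:
    """In-memory store; a real deployment would back this with a server-side session table."""

    def __init__(self, max_concurrent: int = MAX_CONCURRENT):
        self.max_concurrent = max_concurrent
        self._sessions = {}

    def _live_for(self, user_id: str, now: float) -> list:
        live = [s for s in self._sessions.values()
                if s.user_id == user_id and session_state(s, now) == "active"]
        return sorted(live, key=lambda s: s.created_at)

    def create(self, user_id: str, now: float) -> Session:
        """Start a session and evict the oldest live ones beyond the per-user cap."""
        sid = secrets.token_urlsafe(32)  # 256 bits of randomness; never derived from user data
        session = Session(sid, user_id, now, now)
        self._sessions[sid] = session
        for old in self._live_for(user_id, now)[:-self.max_concurrent]:
            del self._sessions[old.session_id]
        return session

    def touch(self, sid: str, now: float) -> str:
        """Validate on every request; expired sessions are removed, active ones refresh idle time."""
        session = self._sessions.get(sid)
        if session is None:
            return "missing"
        state = session_state(session, now)
        if state != "active":
            del self._sessions[sid]
            return state
        session.last_seen_at = now
        return "active"

    def live_count(self, user_id: str, now: float) -> int:
        return len(self._live_for(user_id, now))


if __name__ == "__main__":
    store = SessionStore()
    t0 = 1_700_000_000.0
    s = store.create("alice", t0)
    print(store.touch(s.session_id, t0 + 29 * 60))   # active
    print(store.touch(s.session_id, t0 + 60 * 60))   # expired_idle
```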
Key endpoints are rate-limited to prevent brute-force attacks, credential stuffing, and abuse. Different tiers apply to different areas of the application, with dedicated throttling on login and registration.
After repeated failed login attempts, accounts are temporarily locked to prevent brute-force password guessing. Users are notified and can recover through the password reset flow.
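The rate limiting and lockout described in the two paragraphs above are complementary: throttling caps how fast any one client can hit the login endpoint, while lockout caps how many guesses any one account will tolerate regardless of source. This added Python example (not Wealth365's implementation) shows both layered in front of a password check; the thresholds of 5 failures, a 15-minute lock and 10 requests per minute are assumed values, as the page does not publish its limits.

```python
from collections import defaultdict, deque


class SlidingWindowLimiter:
    """Allow at most `limit` events per `window_s` seconds for each key (e.g. client IP)."""

    def __init__(self, limit: int, window_s: float):
        self.limit = limit
        self.window_s = window_s
        self._hits = defaultdict(deque)

    def allow(self, key: str, now: float) -> bool:
        q = self._hits[key]
        while q and now - q[0] >= self.window_s:   # drop events that left the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


class AccountLockout:
    """Temporarily lock an account after repeated failures; unlock by time or password reset."""

    def __init__(self, max_failures: int = 5, lock_seconds: float = 15 * 60):  # assumed values
        self.max_failures = max_failures
        self.lock_seconds = lock_seconds
        self._failures = defaultdict(int)
        self._locked_until = {}

    def is_locked(self, account: str, now: float) -> bool:
        until = self._locked_until.get(account)
        if until is None:
            return False
        if now >= until:                 # lock has expired: clear state
            del self._locked_until[account]
            self._failures[account] = 0
            return False
        return True

    def record_failure(self, account: str, now: float) -> bool:
        """Return True if this failure triggered a lock, so the user can be notified."""
        self._failures[account] += 1
        if self._failures[account] >= self.max_failures:
            self._locked_until[account] = now + self.lock_seconds
            return True
        return False

    def record_success(self, account: str) -> None:
        self._failures.pop(account, None)

    def clear_via_password_reset(self, account: str) -> None:
        """The recovery path the page describes: a completed reset lifts the lock early."""
        self._locked_until.pop(account, None)
        self._failures.pop(account, None)


def attempt_login(limiter, lockout, client_ip: str, account: str,
                  password_ok: bool, now: float) -> str:
    """Order matters: throttle first, then lockout, and only then touch the credential check."""
    if not limiter.allow(client_ip, now):
        return "rate_limited"
    if lockout.is_locked(account, now):
        return "locked"                  # even a correct password is refused while locked
    if password_ok:
        lockout.record_success(account)
        return "ok"
    return "locked_now" if lockout.record_failure(account, now) else "invalid"


if __name__ == "__main__":
    lim, lock, t = SlidingWindowLimiter(10, 60), AccountLockout(), 1000.0
    for i in range(6):   # constructed sequence of wrong passwords
        print(attempt_login(lim, lock, "198.51.100.7", "alice", False, t + i))
```

Returning the same generic "invalid" response for a wrong password and an unknown account, and notifying the account owner when a lock triggers, are the two details that usually decide whether this control helps defenders more than it helps an attacker enumerate users.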
Defence in depth across the application layer
Standard forms and authenticated API requests require a valid CSRF token. This prevents malicious websites from performing actions on your behalf if you happen to visit them while logged in. Token-authenticated endpoints (e.g. webhooks) use their own verification.
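To show why a CSRF token stops a malicious site from acting on your behalf, here is an added Python example (my own, not Wealth365's) of a synchronizer token bound to the user's session with an HMAC: a page on another origin has no way to read the token, and a token issued for one session does not verify for another. The request dictionary shape and the secret are constructed for the example.

```python
import hashlib
import hmac
import secrets

SAFE_METHODS = ("GET", "HEAD", "OPTIONS")


def issue_csrf_token(session_id: str, secret: bytes) -> str:
    """Create a token of the form <nonce>.<hmac> bound to this session; embed it in the form."""
    nonce = secrets.token_urlsafe(16)
    mac = hmac.new(secret, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def verify_csrf_token(token: str, session_id: str, secret: bytes) -> bool:
    """Recompute the HMAC for this session and compare in constant time."""
    nonce, sep, mac = token.partition(".")
    if not sep or not nonce or not mac:
        return False
    expected = hmac.new(secret, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)


def authorise_request(request: dict, session_id: str, secret: bytes) -> bool:
    """Safe methods pass; state-changing ones must carry a token valid for the caller's session.

    `request` is a constructed stand-in: {"method": ..., "form": {...}}.
    """
    if request["method"] in SAFE_METHODS:
        return True
    token = request.get("form", {}).get("csrf_token", "")
    return verify_csrf_token(token, session_id, secret)


if __name__ == "__main__":
    secret = secrets.token_bytes(32)          # constructed; keep the real one in a secrets manager
    token = issue_csrf_token("session-A", secret)
    legit = {"method": "POST", "form": {"amount": "100", "csrf_token": token}}
    forged = {"method": "POST", "form": {"amount": "100"}}  # cross-site form cannot include the token
    print(authorise_request(legit, "session-A", secret))    # True
    print(authorise_request(forged, "session-A", secret))   # False
```

Because the HMAC covers the session id, a token captured from one browser session is useless in any other, and the constant-time comparison avoids leaking the correct value byte by byte.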
Security-relevant and key account actions are recorded in an append-only audit log with a 7-year archival policy. This supports GDPR subject access requests and regulatory compliance.
Registration and sensitive forms employ honeypot fields, timing analysis, and disposable email detection to prevent automated abuse without degrading the user experience.
Every piece of data is validated before it enters the system
API endpoints only accept recognised field names. Unknown keys are rejected before processing, preventing injection of unexpected data into your financial plan.
Financial values are validated for correct types (numbers, dates, percentages) and sensible ranges. This prevents corrupt data from entering calculations and producing misleading projections.
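The two validation rules above, reject unknown keys before processing and check both type and range of every financial value, are shown together in this added Python example (mine, not Wealth365's code). The field names, bounds and payload are constructed; the point is the shape of the check: unknown keys abort immediately, strings are not silently coerced to numbers, and non-finite floats are refused so they cannot poison a projection.

```python
import math
from datetime import date

# Constructed schema for a plan-contribution payload; names and bounds are assumptions.
SCHEMA = {
    "annual_salary":    {"type": "money",   "min": 0, "max": 10_000_000},
    "contribution_pct": {"type": "percent", "min": 0, "max": 100},
    "start_date":       {"type": "date"},
    "notes":            {"type": "text",    "max_len": 500},
}


def _is_finite_number(value) -> bool:
    # bool is a subclass of int in Python, so exclude it explicitly
    return (isinstance(value, (int, float)) and not isinstance(value, bool)
            and math.isfinite(value))


def validate_payload(payload: dict):
    """Return (clean_values, errors). clean_values is empty whenever errors is non-empty."""
    unknown = sorted(set(payload) - set(SCHEMA))
    if unknown:
        # Reject before touching any field: an unexpected key is never silently dropped.
        return {}, [f"unknown field: {name}" for name in unknown]

    clean, errors = {}, []
    for name, rule in SCHEMA.items():
        if name not in payload:
            errors.append(f"missing field: {name}")
            continue
        value, kind = payload[name], rule["type"]

        if kind in ("money", "percent"):
            if not _is_finite_number(value):            # "52000" (a string) fails here
                errors.append(f"{name}: must be a finite number")
            elif not rule["min"] <= value <= rule["max"]:
                errors.append(f"{name}: out of range")
            else:
                clean[name] = float(value)
        elif kind == "date":
            try:
                clean[name] = date.fromisoformat(value)  # strict ISO 8601 date only
            except (TypeError, ValueError):
                errors.append(f"{name}: must be an ISO date (YYYY-MM-DD)")
        elif kind == "text":
            if not isinstance(value, str) or len(value) > rule["max_len"]:
                errors.append(f"{name}: must be text of at most {rule['max_len']} characters")
            else:
                clean[name] = value                      # escaping happens at render time

    return (clean if not errors else {}), errors


if __name__ == "__main__":
    good = {"annual_salary": 52000, "contribution_pct": 5,
            "start_date": "2025-04-06", "notes": "ISA top-up"}
    print(validate_payload(good))
    print(validate_payload(dict(good, is_admin=True)))          # unknown key rejected
    print(validate_payload(dict(good, contribution_pct=150)))   # range violation
```

Keeping the schema as data rather than scattered `if` statements makes it straightforward to review which fields an endpoint accepts and to keep the API and its documentation in step.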
User-generated text is escaped before rendering to prevent cross-site scripting (XSS) attacks. Template output is auto-escaped by default, and server-side sanitisation removes dangerous markup.
Your money and your data handled with care
All payment processing is handled by Stripe, a PCI-DSS Level 1 certified provider. Your card number, CVV, and billing details are submitted directly to Stripe; they never touch our servers. We only receive a confirmation token.
We comply with the UK General Data Protection Regulation. Your data is processed lawfully, minimised to what is necessary, and you can request access, correction, or deletion at any time. See our Privacy Policy for full details on data handling.
Our tax engine is continuously verified against HMRC rules
Every calculation in our tax engine (income tax, National Insurance, capital gains, dividends, pension allowances, and more) is verified by an automated test suite that runs against known UK tax rules and HMRC thresholds.
Our test suite covers the areas that matter most for your financial plan:
If you discover a security vulnerability, we encourage responsible disclosure. Please report it to security@wealth365.co.uk. We appreciate researchers who give us the opportunity to address issues before public disclosure.
Our security.txt file follows RFC 9116 standards for security contact information.
Your financial future, protected by real security measures. Not just promises.