Security

How we protect
your business data.

Built For Small Business handles real financial data for real businesses. Here is exactly how we protect it, no marketing language, just the facts.

We are a small team building software for UK small businesses. We take the security of your data seriously because we understand that your invoices, client details and financial records are the lifeblood of your business. This page explains what we do to protect that data and where we currently stand on security measures.

Encryption

Sensitive personal data is encrypted at rest in our database. This includes:

  • Client names, email addresses, phone numbers and addresses
  • Company registration numbers and VAT numbers
  • National Insurance numbers (for MTD users)
  • HMRC OAuth tokens

Invoice amounts, dates and general business records are stored securely but are not individually encrypted — they are protected by access controls and strict company-level data isolation. All data in transit is protected by TLS/HTTPS encryption.

Data Isolation

Every piece of data on BFSB is scoped to your company account. Your invoices, clients, expenses and payroll records are never visible to or accessible by other businesses on the platform. All customer data is logically isolated and protected through strict account-level access controls.

Backups

Your data is backed up automatically to Cloudflare R2 secure cloud storage. Backups run on a scheduled basis and are stored separately from our primary server. In the event of a server failure, we maintain scheduled backups designed to reduce the risk of data loss.

Infrastructure

BFSB is hosted on a dedicated VPS provided by Namecheap, with Cloudflare providing DNS, DDoS protection and CDN services. Our infrastructure is monitored 24/7 using BetterStack, we receive immediate alerts if the platform goes down and respond as quickly as possible to restore service.

BFSB is hosted on a dedicated VPS provided by Namecheap, with Cloudflare providing DNS, DDoS protection and CDN services. Our infrastructure is monitored 24/7 using BetterStack, we receive immediate alerts if the platform goes down and respond as quickly as possible to restore service. You can check the current system status at bfsb-status.betteruptime.com .

Access Controls

Production access is strictly limited to authorised personnel and protected through authentication, logging and access controls.

Monitoring & Logging

Application errors and unusual activity are logged and reviewed regularly. Uptime monitoring via BetterStack provides real-time alerts for any service interruptions. We aim to acknowledge and resolve incidents as quickly as possible and will communicate any significant issues to affected users.

Multi-Factor Authentication

Two-factor authentication (2FA) is available on all BFSB accounts. We strongly recommend enabling it to protect your account, particularly if you store client financial data. We plan to make 2FA mandatory for Business plan accounts in a future update.

Data Deletion

You can request deletion of your account and data at any time by contacting us at [email protected]. Inactive accounts with no activity for 90 days are automatically removed following a series of email notifications. Financial transaction records are retained for 7 years in compliance with HMRC requirements. Full details are in our Terms & Conditions.

Payment Security

BFSB never stores card numbers or payment credentials. All payment processing is handled by Stripe, a PCI DSS Level 1 certified payment processor. Your clients' card details go directly to Stripe and never touch our servers.

GDPR Compliance

BFSB processes personal data in accordance with the UK General Data Protection Regulation (UK GDPR) and the Nigeria Data Protection Act 2023 (NDPA). You retain full ownership of all data you create on the platform. We do not sell, share or use your data for advertising purposes. Full details of how we collect, store and process your data are set out in our Privacy Policy.

Incident Response

In the event of a data breach or security incident, we will notify affected users as quickly as possible and within the timeframes required by applicable data protection law, within 72 hours under UK GDPR where required. We will communicate clearly what happened, what data was affected and what steps we are taking. Incidents are logged, investigated and used to improve our security practices.

HMRC & MTD

BFSB is building Making Tax Digital for Income Tax support. HMRC OAuth tokens and National Insurance numbers are encrypted at rest. Submissions to HMRC are made over secure HTTPS connections using HMRC-required fraud prevention headers. MTD is currently in development and will be available to Business plan users upon HMRC approval.

Found a security issue?

If you discover a security vulnerability in BFSB, please report it responsibly by emailing [email protected] with details of the issue. We will acknowledge your report within 2 working days and work to resolve confirmed vulnerabilities as quickly as possible. We ask that you do not publicly disclose the issue until we have had a reasonable opportunity to address it.

Last updated: May 2026

We use cookies to keep the platform running and to understand how it is used.

Essential cookies are always active. Analytics cookies help us improve BFSB you can decline these if you prefer. Cookie Policy