$3.05 billion in reported losses to business email compromise in 2025 (FBI IC3).See the numbers by country →

Now — next six months

IDItemWhy it mattersWhen
R-ACCESS-01Extend server-side bank-detail masking to the remaining payment API surfaceUK GDPR Art. 32 — the supplier registry and invoice-detail view now mask by default with a permission-gated, audited reveal at the API; one surface (the integration API's read-results endpoint) still needs the same server control.Now — before onboarding the first production customer.
R-SECHEAD-01Security response headers (HSTS, CSP, X-Frame-Options) and authenticated metricsBaseline hardening a posture scan checks first.Now — next 6 months.
R-AUDIT-01Tamper-evident audit trail (append-only + hash chain)ISO A.8.15/A.8.16 — make the audit trail defensible against modification.Now — next 6 months (Transparency Ledger programme).

Trigger-gated commitments

These are gated on an event, not a date — production launch, the first regulated customer, or our EU cloud migration — because committing to a calendar we cannot keep would be worse than committing to a trigger we can.

IDItemWhy it mattersWhen
R-AUTH-01Multi-factor authentication, then SSO (SAML/OIDC)UK GDPR Art. 32 access control; the most common questionnaire gap.Before production launch / on first enterprise requirement.
R-BCP-01Automated encrypted off-site backups with a tested restoreBusiness continuity; required before we publish any RPO/RTO.Before the first production customer.
R-CRYPTO-01Internal TLS between application, database, and object storageRemoves the single-host plaintext-internal-traffic caveat.At the AWS/EU cloud migration.
R-CRYPTO-02Column-level encryption for structured supplier bank detailsUK GDPR Art. 32 — protect the crown-jewel fields beyond disk/object encryption.Before the first production customer.
R-KMS-01Key management with rotation and versioningReplaces the single static artifact-encryption key.At the AWS/EU cloud migration.
R-TENANT-01Database-level row-level-security backstop for tenant isolationDefence in depth behind the application/query-layer scoping.At the AWS/EU cloud migration.
R-CERT-01ISO 27001 readiness → certification; SOC 2 Type IIIndependent assurance for enterprise buyers.ISO readiness now; SOC 2 on first US enterprise deal.

How this page stays honest

  • Every row has a trigger or a quarter, and a stable risk ID.
  • When an item ships, we close it, remove the row, and update the matching control on the Security Status page in the same change.
  • We review this register on a quarterly cadence; the review date is shown on every Trust Center page.
  • Controls we already operate are not parked here to look busy — this page is only for genuine future work.

Operated by FIT PUP LTD · Company no. 15766852 · ICO ZC064795

Last reviewed 2026-07-13 · Next review by 2026-10-13 · [email protected]