Everything we have not finished, in one place.
Rather than scatter gaps across pages, we keep one register. Each item has a stable risk ID that our other pages reference. Near-term work carries a date; larger commitments are gated on an event, so this page never goes quietly stale.
Now — next six months
| ID | Item | Why it matters | When |
|---|---|---|---|
| R-ACCESS-01 | Extend server-side bank-detail masking to the remaining payment API surface | UK GDPR Art. 32 — the supplier registry and invoice-detail view now mask by default with a permission-gated, audited reveal at the API; one surface (the integration API's read-results endpoint) still needs the same server control. | Now — before onboarding the first production customer. |
| R-SECHEAD-01 | Security response headers (HSTS, CSP, X-Frame-Options) and authenticated metrics | Baseline hardening a posture scan checks first. | Now — next 6 months. |
| R-AUDIT-01 | Tamper-evident audit trail (append-only + hash chain) | ISO A.8.15/A.8.16 — make the audit trail defensible against modification. | Now — next 6 months (Transparency Ledger programme). |
Trigger-gated commitments
These are gated on an event, not a date — production launch, the first regulated customer, or our EU cloud migration — because committing to a calendar we cannot keep would be worse than committing to a trigger we can.
| ID | Item | Why it matters | When |
|---|---|---|---|
| R-AUTH-01 | Multi-factor authentication, then SSO (SAML/OIDC) | UK GDPR Art. 32 access control; the most common questionnaire gap. | Before production launch / on first enterprise requirement. |
| R-BCP-01 | Automated encrypted off-site backups with a tested restore | Business continuity; required before we publish any RPO/RTO. | Before the first production customer. |
| R-CRYPTO-01 | Internal TLS between application, database, and object storage | Removes the single-host plaintext-internal-traffic caveat. | At the AWS/EU cloud migration. |
| R-CRYPTO-02 | Column-level encryption for structured supplier bank details | UK GDPR Art. 32 — protect the crown-jewel fields beyond disk/object encryption. | Before the first production customer. |
| R-KMS-01 | Key management with rotation and versioning | Replaces the single static artifact-encryption key. | At the AWS/EU cloud migration. |
| R-TENANT-01 | Database-level row-level-security backstop for tenant isolation | Defence in depth behind the application/query-layer scoping. | At the AWS/EU cloud migration. |
| R-CERT-01 | ISO 27001 readiness → certification; SOC 2 Type II | Independent assurance for enterprise buyers. | ISO readiness now; SOC 2 on first US enterprise deal. |
How this page stays honest
- Every row has a trigger or a quarter, and a stable risk ID.
- When an item ships, we close it, remove the row, and update the matching control on the Security Status page in the same change.
- We review this register on a quarterly cadence; the review date is shown on every Trust Center page.
- Controls we already operate are not parked here to look busy — this page is only for genuine future work.