Security

How does Cledo protect my financial data?

You are trusting Cledo with financial records, tax filings, and HMRC connections. Here is exactly how we handle that responsibility — in plain English, not legal prose.

What data Cledo collects

Company details from Companies House, bank transactions via Open Banking (read-only), VAT and Corporation Tax filing data, and optionally your National Insurance number and UTR for self-assessment.

Why Cledo needs it

To categorise transactions, calculate tax obligations, prepare filings, and submit them to HMRC and Companies House on your behalf. We collect only what is needed for these workflows.

Encryption and access control

All data is encrypted at rest with AES-256. Sensitive fields — HMRC tokens, NINOs, UTRs — are additionally encrypted at the application level with AES-256-GCM, so they remain opaque even to someone with direct database access. Passwords are hashed with bcrypt at a cost factor of 12.

Data in transit

All connections use TLS 1.3. HTTPS is enforced site-wide. OAuth 2.0 with PKCE is used for HMRC and Open Banking authentication.

Where data is hosted

Google Cloud Platform, europe-west2 (London). MongoDB Atlas in the EU region. No data leaves the UK. Infrastructure runs on Cloud Run with auto-scaling and automatic OS patching.

Production access

Restricted to essential personnel only. No SSH access to production containers. All access is logged and auditable.

Open Banking security

Bank connections use TrueLayer, an FCA-regulated provider. Cledo receives a read-only transaction feed. We never handle or store your bank credentials.

HMRC integration

OAuth 2.0 with PKCE for authentication. Access tokens are encrypted at rest and refreshed automatically. Fraud prevention headers are sent with every submission per HMRC specifications.

Cookies

Essential cookies only — session token and CSRF protection. No advertising cookies, no third-party analytics trackers. reCAPTCHA is used only on the registration page.

Data retention

Financial records are retained for six years as required by HMRC. You can request a full data export or deletion at any time by contacting privacy@cledo.tax.

Your rights

Under UK GDPR, you have the right to access, rectify, delete, or export your personal data. You can also object to processing or request restriction. Contact privacy@cledo.tax and we will respond within 30 days.

Responsible disclosure

If you discover a security vulnerability, please report it to security@cledo.co.uk. We acknowledge reports within 24 hours and resolve critical issues within 72 hours.