Security & Breach Response

Reporting a security issue

If you believe you have found a security vulnerability or know of a personal data breach affecting April, please email hello@yourapril.co.uk with the subject line "Security" and a description of the issue.

We aim to acknowledge security reports within 24 hours.

How we protect your data

• All data in transit is encrypted using TLS/SSL.
• Our database server runs on a dedicated, firewalled instance located in Germany (Hetzner, Nuremberg).
• Access to the server is restricted to the founder via SSH key authentication.
• Database backups run nightly with a 14-day retention window.
• Third-party integrations (HMRC, Stripe, Anthropic, Meta) use only the minimum data necessary and authenticated tokens.
• HMRC tokens are tenant-scoped, refreshed on demand, and never exposed to client browsers.

Breach response process

1. Detection

We monitor for breach indicators including unauthorised access logs, anomalous database activity, third-party security advisories, and direct user reports.

2. Containment

On confirmed detection, the immediate priority is to contain the breach: revoke compromised credentials, disable affected access tokens, and isolate any compromised systems within one hour where technically feasible.

3. Assessment

Within 24 hours of detection we assess the scope: which users are affected, what data may have been exposed, the likely cause, and the severity in line with ICO guidance on personal data breaches.

4. Notification — within 72 hours

Where the breach involves personal data and is likely to result in a risk to people's rights and freedoms:

• We notify the Information Commissioner's Office (ICO) via the ICO breach reporting service.
• We notify HMRC by raising a ticket via the HMRC Developer Hub support channel.
• We notify affected users directly by WhatsApp and email where available.

5. Remediation

We document the root cause and implement fixes to prevent recurrence. The remediation report is shared with affected users and regulators on request.

6. Post-incident review

Within seven days of containment we publish a brief summary on this page including the date, scope, root cause, and remediation steps taken.

Breach contact

The designated contact for security and breach matters is the founder, Sean McNamara.

Email: hello@yourapril.co.uk

Past incidents

No reportable security incidents have occurred to date.

Reviewing this policy

This policy is reviewed at least annually and after any reportable incident.