Security Disclosure Policy

Last Updated: 8 May 2026

TradeAlly takes the security of customer data seriously. This page tells you how to report a security issue, what to expect from us when you do, and how we handle confirmed breaches.

1. Reporting a Security Issue

Email security@tradeally.co.uk with as much detail as you can share without further exploiting the issue:

  • What you found and how to reproduce it
  • The URL, account, or environment where you observed it (sandbox / production)
  • Whether you have already disclosed this elsewhere
  • How you'd like to be credited (or whether to keep your report anonymous)

Please do not publicly disclose the issue, attempt to access other customers' data, run sustained automated attacks, or perform social engineering against TradeAlly staff or our suppliers. We will work with you in good faith.

2. What You Can Expect from Us

  Step                        Our commitment
  Acknowledge your report     Within 24 hours on working days
  Initial assessment          Within 3 working days
  Status updates              Weekly until resolved
  Resolution & disclosure     By mutual agreement, with credit if you'd like

3. Confirmed Breach — Notification Timeline

If a security issue results in a personal-data breach as defined in UK GDPR Article 4(12), we follow the statutory notification timelines:

  • Information Commissioner's Office (ICO) — we notify without undue delay and in any case within 72 hours of becoming aware of the breach (UK GDPR Article 33).
  • Affected customers — we notify directly when the breach is likely to result in high risk to your rights and freedoms (UK GDPR Article 34).
  • HMRC — if the breach affects MTD VAT data flowing through our software, we additionally raise a ticket with HMRC's developer support within 72 hours, as required by HMRC's Terms of Use for MTD vendors.

4. Scope

This policy covers vulnerabilities in:

  • tradeally.co.uk and all subdomains we operate
  • The TradeAlly iOS / Android applications
  • Our HMRC MTD VAT integration (sandbox and production)

Out of scope: third-party services we depend on (Heroku, Stripe, Telnyx, ElevenLabs, OneSignal, HMRC) — please report those to the vendor directly.

5. Safe Harbour

We will not pursue legal action against researchers who report issues in good faith and follow this policy. Acting in good faith specifically means: not deliberately violating UK law, not accessing data beyond what is needed to demonstrate the issue, and giving us a reasonable window to respond before public disclosure.

Security Contact

Email: security@tradeally.co.uk
Response time: acknowledgement within 24 hours on working days

For non-security privacy questions (data subject access requests, data export, deletion), email dpo@tradeally.co.uk or read our privacy policy.

Related Documents:

  • Privacy Policy
  • Terms of Service
  • Data Processing Agreement