Security
Last updated: 29 June 2026
Hosting & data residency
OneSixth runs on Supabase infrastructure (Postgres, Edge Functions, Authentication) hosted in the European Union. Your VAT and accounting data is stored within the EU. Some sub-processors may process limited data outside the UK/EU — see the sub-processors page.
Encryption
- In transit: TLS 1.2+ on all connections to the application, API, and accounting platforms (Xero, QuickBooks Online, Sage, FreeAgent).
- At rest: AES-256 encryption for the underlying database and storage volumes.
- Secrets: OAuth refresh tokens and API keys are stored in encrypted columns or Supabase secrets and never exposed to the browser.
Multi-tenant isolation
Every row of customer data is tagged with a firm and organisation identifier. Postgres Row-Level Security (RLS) policies enforce that users can only read or write rows belonging to firms they are members of. Edge Functions verify the caller's JWT before performing any operation and use a service-role key only on the server side.
Authentication
- Supabase Auth with email/password, Google SSO and Xero SSO.
- Passkey (WebAuthn) support for additional account protection.
- Session tokens are stored as httpOnly-friendly Supabase cookies; we do not place credentials in localStorage beyond what Supabase requires for the SDK.
- Roles are stored in a dedicated user_roles table and checked server-side via a security-definer function; a role claim is never trusted from the client.
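The firm-scoped Row-Level Security described under "Multi-tenant isolation" and the server-side role check in the bullet above can be expressed in a few Postgres objects. The following is an added example written for this page, not OneSixth's own schema: it assumes a Supabase project (so `auth.users` and the `auth.uid()` helper, which returns the caller's user id from the verified JWT and null for anonymous callers, exist), and the table, column and role names (`firm_memberships`, `user_roles`, `vat_periods`, `firm_admin`) are illustrative assumptions.

```sql
-- Added example, not OneSixth's own schema: firm-scoped Row-Level Security
-- plus a server-side role check in Supabase Postgres. Table, column and role
-- names are assumptions for illustration; auth.uid() is Supabase's helper
-- that returns the caller's user id from the verified JWT (null if anonymous).

create type public.app_role as enum ('firm_admin', 'firm_user');

create table public.firm_memberships (
  user_id uuid not null references auth.users (id) on delete cascade,
  firm_id uuid not null,
  primary key (user_id, firm_id)
);

create table public.user_roles (
  user_id uuid not null references auth.users (id) on delete cascade,
  firm_id uuid not null,
  role    public.app_role not null,
  primary key (user_id, firm_id, role)
);

create table public.vat_periods (
  id              uuid primary key default gen_random_uuid(),
  firm_id         uuid not null,
  organisation_id uuid not null,
  period_start    date not null,
  period_end      date not null,
  filed_at        timestamptz
);

-- The helper tables are never read by the client directly: RLS on, no
-- policies, and grants revoked, so only the definer functions below see them.
alter table public.firm_memberships enable row level security;
alter table public.user_roles       enable row level security;
revoke all on public.firm_memberships, public.user_roles from anon, authenticated;

-- security definer: runs with the owner's rights, so it can read the helper
-- tables on the caller's behalf. search_path is pinned so a caller cannot
-- shadow the tables; stable lets Postgres cache the result within a statement.
create or replace function public.is_firm_member(p_firm_id uuid)
returns boolean language sql stable security definer set search_path = public
as $$
  select exists (
    select 1 from public.firm_memberships m
    where m.firm_id = p_firm_id and m.user_id = auth.uid()
  );
$$;

create or replace function public.has_firm_role(p_firm_id uuid, p_role public.app_role)
returns boolean language sql stable security definer set search_path = public
as $$
  select exists (
    select 1 from public.user_roles r
    where r.firm_id = p_firm_id and r.user_id = auth.uid() and r.role = p_role
  );
$$;

-- Customer data: with RLS enabled and no matching policy, a query returns no
-- rows and a write is rejected, so the default is deny.
alter table public.vat_periods enable row level security;

create policy vat_periods_member_read on public.vat_periods
  for select to authenticated
  using (public.is_firm_member(firm_id));

create policy vat_periods_admin_write on public.vat_periods
  for all to authenticated
  using (public.has_firm_role(firm_id, 'firm_admin'))
  with check (public.has_firm_role(firm_id, 'firm_admin'));
```

Two caveats a reviewer would check: the policies only bind when every customer table has RLS enabled (a table without it is fully readable by `authenticated`), and Supabase's `service_role` carries `BYPASSRLS`, so these policies do nothing for a query made with the service-role key. That is exactly why the page keeps that key server-side and has Edge Functions verify the caller's JWT before using it.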
Audit logging
All meaningful actions on VAT periods (calculations, journal posts, deferrals, year-end adjustments) are written to an immutable audit log keyed by firm, organisation, user, period and action. This supports a 6-year HMRC retention window.
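An audit log "keyed by firm, organisation, user, period and action" that is also immutable needs two things in Postgres: a trigger that writes the row so application code cannot forget to, and a guard against history being rewritten. The block below is an added example for this page, not OneSixth's code; it assumes a Supabase project (`auth.uid()` for the acting user) and illustrative table and column names (`vat_periods`, `audit_log`, the `period.*` action names).

```sql
-- Added example, not OneSixth's own code: an append-only audit log populated
-- by a trigger, keyed by firm, organisation, user, period and action.
-- Table, column and action names are assumptions; auth.uid() is Supabase's
-- helper for the caller's user id (null when a server job uses the service key).

create table public.vat_periods (
  id              uuid primary key default gen_random_uuid(),
  firm_id         uuid not null,
  organisation_id uuid not null,
  filed_at        timestamptz
);

create table public.audit_log (
  id              bigint generated always as identity primary key,
  occurred_at     timestamptz not null default now(),
  firm_id         uuid not null,
  organisation_id uuid not null,
  user_id         uuid,                 -- null for service-role jobs
  period_id       uuid not null,
  action          text not null,        -- e.g. 'period.filed'
  before_state    jsonb,
  after_state     jsonb
);

-- Immutability, layer 1: no direct client access at all. Rows are written only
-- by the definer trigger below; a read policy (not shown) would reuse the
-- firm-membership check that guards the other customer tables.
revoke all on public.audit_log from anon, authenticated;
alter table public.audit_log enable row level security;

-- Layer 2: even the owner or service role cannot rewrite rows short of dropping
-- the trigger, which is itself a visible, reviewable schema change.
create or replace function public.audit_log_is_append_only()
returns trigger language plpgsql as $$
begin
  raise exception 'audit_log is append-only (% attempted)', tg_op
    using errcode = 'insufficient_privilege';
end;
$$;

create trigger audit_log_no_rewrite
  before update or delete or truncate on public.audit_log
  for each statement execute function public.audit_log_is_append_only();

-- One audit row per change to a VAT period. The action name is derived from
-- what actually changed, so a filing is distinguishable from an ordinary edit.
create or replace function public.audit_vat_period_change()
returns trigger language plpgsql security definer set search_path = public as $$
declare
  v_row    public.vat_periods;
  v_action text;
begin
  if tg_op = 'DELETE' then v_row := old; else v_row := new; end if;

  v_action := case
    when tg_op = 'INSERT' then 'period.created'
    when tg_op = 'UPDATE' and old.filed_at is null and new.filed_at is not null
      then 'period.filed'
    when tg_op = 'UPDATE' then 'period.updated'
    else 'period.deleted'
  end;

  insert into public.audit_log
    (firm_id, organisation_id, user_id, period_id, action, before_state, after_state)
  values
    (v_row.firm_id, v_row.organisation_id, auth.uid(), v_row.id, v_action,
     case when tg_op = 'INSERT' then null else to_jsonb(old) end,
     case when tg_op = 'DELETE' then null else to_jsonb(new) end);

  return coalesce(new, old);
end;
$$;

create trigger vat_periods_audit
  after insert or update or delete on public.vat_periods
  for each row execute function public.audit_vat_period_change();
```

The trigger runs as `security definer` so that a caller who has no grant on `audit_log` still produces an audit row; the revoke plus the append-only trigger mean the only way to alter history is a schema migration, which the change-management process below puts under review.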
Backups & recovery
The Postgres database is backed up by Supabase with point-in-time recovery available on supported plans. We retain operational backups for the period required to meet our recovery objectives and the 6-year retention obligation for HMRC records.
Change management
Code changes are version-controlled, code-reviewed, and deployed through automated pipelines. Database schema changes are applied as migrations and reviewed before release.
Application security controls
- OAuth state nonces to bind each authorisation callback to the session that started it, and rel="noopener" on cross-origin links.
- Strict sanitisation of cell values in spreadsheet exports (XLSX) to prevent formula injection.
- Server-side enforcement of period locks once a VAT return has been filed.
- Rate limiting on sensitive endpoints; least-privilege service-role usage.
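"Server-side enforcement of period locks" is only as strong as the layer that cannot be skipped. RLS policies are bypassed by the service-role key, so a lock that must hold for every code path belongs in a database trigger. The block below is an added example for this page, not OneSixth's code; the table and column names (`vat_periods`, `vat_journals`, `filed_at`) are illustrative assumptions and it runs on plain Postgres.

```sql
-- Added example, not OneSixth's own code: a period lock enforced in Postgres,
-- so that once a VAT return is filed no journal can be posted, changed or
-- removed for that period by any code path, including a server using the
-- service-role key (which bypasses RLS but not triggers).
-- Table and column names are assumptions for illustration.

create table public.vat_periods (
  id       uuid primary key default gen_random_uuid(),
  firm_id  uuid not null,
  filed_at timestamptz               -- set when the return is filed with HMRC
);

create table public.vat_journals (
  id        uuid primary key default gen_random_uuid(),
  period_id uuid not null references public.vat_periods (id),
  amount    numeric(14, 2) not null,
  memo      text
);

-- Raise unless the period is still open. FOR SHARE locks the period row so a
-- concurrent filing (an UPDATE of that row) is serialised against this check:
-- either we already see filed_at and reject, or the filer waits until we commit.
create or replace function public.assert_period_open(p_period_id uuid)
returns void language plpgsql as $$
declare
  v_filed_at timestamptz;
begin
  select filed_at into v_filed_at
  from public.vat_periods
  where id = p_period_id
  for share;

  if not found then
    raise exception 'unknown period %', p_period_id
      using errcode = 'foreign_key_violation';
  end if;
  if v_filed_at is not null then
    raise exception 'period % was filed at %; it is locked', p_period_id, v_filed_at
      using errcode = 'check_violation';
  end if;
end;
$$;

-- Journals: check the period a row leaves and the period it enters, so moving
-- a journal out of (or into) a filed period is rejected as well.
create or replace function public.vat_journals_enforce_lock()
returns trigger language plpgsql as $$
begin
  if tg_op in ('UPDATE', 'DELETE') then
    perform public.assert_period_open(old.period_id);
  end if;
  if tg_op in ('INSERT', 'UPDATE') then
    perform public.assert_period_open(new.period_id);
  end if;
  return coalesce(new, old);
end;
$$;

create trigger vat_journals_period_lock
  before insert or update or delete on public.vat_journals
  for each row execute function public.vat_journals_enforce_lock();

-- The period row itself: once filed it refuses further updates and deletes.
-- Setting filed_at on an open period is allowed; any unlock would need its own
-- explicit, audited path (not shown here).
create or replace function public.vat_periods_enforce_lock()
returns trigger language plpgsql as $$
begin
  if old.filed_at is not null then
    raise exception 'period % is filed and cannot be modified', old.id
      using errcode = 'check_violation';
  end if;
  return coalesce(new, old);
end;
$$;

create trigger vat_periods_lock
  before update or delete on public.vat_periods
  for each row execute function public.vat_periods_enforce_lock();
```

Using a standard SQLSTATE (`check_violation`, 23514) rather than a free-text error lets the Edge Function map a lock violation to a clean 409-style response without string matching, and the row lock closes the race where a journal is posted in the same instant the return is filed.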
Incident response
If we become aware of a personal data breach likely to result in a risk to your rights and freedoms, we will notify the ICO within 72 hours and, where required, notify affected customers without undue delay. We maintain an internal incident response process covering detection, containment, eradication, recovery and post-incident review.
Responsible disclosure
If you believe you've found a security vulnerability, please email security@onesixth.app. We follow a coordinated disclosure approach: please give us a reasonable opportunity to investigate and remediate before public disclosure (we aim for 90 days). Please do not access data that is not yours, and avoid degradation of service. We thank researchers acting in good faith and will not pursue legal action against them.
Our disclosure contact is also published at /.well-known/security.txt.
Certifications
We do not currently hold a SOC 2 or ISO 27001 certification. Our underlying platform provider (Supabase) holds SOC 2 Type II and ISO 27001 certifications covering the infrastructure we build on.