Techport
Result Architecture Evaluation Whitepaper
§ Security
Security Policy and Responsible Disclosure

Security Policy.

Last updated: 19 April 2026

1. Security Commitment

TECHPORT TECHNOLOGIES LTD (“Techport”) operates the Legacy customs declarations platform in a regulated environment where the integrity, confidentiality, and availability of data are paramount. Customs declarations contain commercially sensitive trade data, personal information of importers and exporters, and regulatory submission records subject to statutory retention obligations.

We maintain a security posture commensurate with the sensitivity of the data we process and the regulatory expectations of HMRC, the Information Commissioner’s Office (ICO), and applicable UK and EU data protection frameworks. This document outlines our security architecture, incident response commitments, and responsible disclosure programme.

2. Security Architecture

2.1 Encryption

  • In Transit: All data transmitted between clients and the Platform, and between the Platform and HMRC CDS, is encrypted using TLS 1.2 at minimum, with TLS 1.3 preferred. Certificate pinning is enforced for HMRC API connections.
  • At Rest: All stored data, including declaration records, trade documents, provenance logs, and user credentials, is encrypted using AES-256. Encryption keys are managed through a dedicated key management service with automatic rotation.
  • Credentials: User passwords are hashed using bcrypt with per-user salting. Authentication tokens are cryptographically generated and time-limited. API keys are stored encrypted and never logged in plaintext.

2.2 Access Controls

  • Role-Based Access Control (RBAC): Access to Platform functions and data is governed by role assignments adhering to the principle of least privilege. Roles are defined at the organisation, team, and individual level.
  • Multi-Factor Authentication: Required for all user accounts. Administrative and broker-level accounts require hardware token or authenticator app as second factor.
  • Session Management: Sessions are time-limited with automatic expiry after periods of inactivity. Session tokens are invalidated on logout and are not reusable.
  • Administrative Access: Infrastructure and database access is restricted to authorised personnel via bastion hosts with key-based authentication. All administrative sessions are recorded.

2.3 Network Security

  • Network segmentation isolating the Platform, database, and HMRC integration layers
  • Web application firewall (WAF) with custom rule sets for customs-specific attack vectors
  • DDoS mitigation at the network edge
  • Intrusion detection and prevention systems with continuous monitoring
  • Regular external penetration testing by qualified third parties

3. Provenance Layer and Immutable Audit Trails

The Platform’s provenance layer maintains an immutable record of every action taken on every data element throughout the declaration lifecycle. From a security perspective, the provenance layer provides:

  • Complete Attribution: Every data element in every declaration is traceable to its source (document extraction, broker decision, client profile, or derived computation), with timestamp and actor identification
  • Tamper Evidence: Provenance records are append-only. Once sealed at the point of declaration submission, they cannot be modified or deleted. Any attempt to alter historical records is detectable and logged as a security event.
  • Forensic Capability: In the event of a dispute, compliance investigation, or security incident, the provenance layer enables reconstruction of the complete decision chain for any declaration, identifying precisely who provided what data, when, and what transformations were applied.
  • Regulatory Audit Support: The provenance record satisfies HMRC requirements for demonstrating the basis of declaration values and provides a defensible audit trail for customs compliance reviews.

4. Audit Logging

Comprehensive audit logging is maintained across all Platform layers:

  • Authentication events: All login attempts (successful and failed), password changes, MFA enrolment, and session creation/destruction
  • Data access: All reads, writes, and modifications to declaration data, trade documents, and user records, including the identity of the accessor and timestamp
  • Administrative actions: All changes to user roles, permissions, system configuration, and security settings
  • HMRC interactions: All API calls to and responses from HMRC CDS, including submission timestamps, response codes, and MRN allocations
  • Security events: Anomalous access patterns, rate limit violations, failed authentication sequences, and privilege escalation attempts

Audit logs are stored separately from application data, with restricted access limited to security and compliance personnel. Log integrity is protected against tampering through cryptographic chaining.

5. Incident Response

Techport maintains a documented incident response plan aligned with NCSC guidance and HMRC software provider obligations. Our incident response framework includes:

  • Detection: Automated alerting on security events, anomaly detection across access patterns, and continuous monitoring of system integrity
  • Classification: Incidents are classified by severity (Critical, High, Medium, Low) based on data sensitivity, scope of impact, and regulatory implications
  • Containment: Immediate isolation of affected systems, revocation of compromised credentials, and preservation of forensic evidence
  • Eradication: Root cause analysis, remediation of the vulnerability or vector, and verification that the threat has been eliminated
  • Recovery: Controlled restoration of affected services with enhanced monitoring during the recovery period
  • Lessons Learned: Post-incident review, documentation of findings, and implementation of preventive measures

6. HMRC Breach Notification Obligations

As a provider of software connected to HMRC systems, Techport maintains specific obligations regarding the notification of security breaches that may affect customs declaration data or HMRC system integrity:

  • HMRC Notification: Confirmed breaches affecting customs declaration data or HMRC-connected systems will be reported to HMRC within 72 hours of confirmation, in accordance with HMRC software provider requirements
  • ICO Notification: Where a breach involves personal data and is likely to result in a risk to the rights and freedoms of natural persons, the Information Commissioner’s Office will be notified within 72 hours, as required by Article 33 UK GDPR
  • Data Subject Notification: Where a breach is likely to result in a high risk to the rights and freedoms of affected individuals, those individuals will be notified without undue delay, as required by Article 34 UK GDPR
  • Affected Customers: Users whose data or declarations may have been affected will be notified promptly with clear information about the nature of the breach, the data involved, and recommended protective actions
  • Regulatory Cooperation: Techport will cooperate fully with any investigation conducted by HMRC, the ICO, or other competent authority in connection with a breach

7. Responsible Disclosure Programme

Techport values the contribution of security researchers and the broader information security community in identifying vulnerabilities that may affect the Platform or its users. We operate a responsible disclosure programme under the following terms:

7.1 Scope

The following are within scope of the disclosure programme:

  • Security vulnerabilities in the Platform application (web interface, API endpoints)
  • Authentication and authorisation bypass vulnerabilities
  • Data exposure or leakage vulnerabilities
  • Injection vulnerabilities (SQL, XSS, command injection, XML external entity)
  • Cryptographic weaknesses in implementation
  • Business logic flaws that could result in unauthorised declaration submission or data access

7.2 Rules of Engagement

  • Do not access, modify, or delete data belonging to other users
  • Do not perform actions that could degrade Platform availability or performance (denial of service, resource exhaustion)
  • Do not attempt to access HMRC systems or data beyond the Platform boundary
  • Do not disclose vulnerability details publicly until Techport has confirmed remediation and agreed to disclosure
  • Conduct research in good faith and in compliance with applicable law

7.3 Reporting

Submit vulnerability reports to technical@techport.uk with the following information:

  • Detailed description of the vulnerability and its potential impact
  • Step-by-step reproduction instructions
  • Proof of concept (where possible, without causing harm)
  • Date and time of discovery
  • Your contact details for follow-up communication

7.4 Our Commitments

AcknowledgementWithin 24 hours of report receipt
Initial AssessmentWithin 5 business days
Status UpdatesAt least every 10 business days until resolution
Remediation TargetCritical: 48 hours. High: 7 days. Medium: 30 days.

Techport will not pursue legal action against security researchers who report vulnerabilities in good faith and in accordance with the rules of engagement set out above.

8. Reporting a Security Incident

If you suspect a security incident, data breach, or compromise of your account, report it immediately:

Security Emailtechnical@techport.uk
Phone+44 208 191 0609

When reporting an incident, please provide:

  • Nature of the suspected incident (unauthorised access, data exposure, phishing, account compromise)
  • Date, time, and duration of observed anomalous activity
  • Accounts or data potentially affected
  • Any evidence or indicators of compromise (screenshots, log excerpts, email headers)
  • Actions already taken in response

9. Security Contact Information

CompanyTECHPORT TECHNOLOGIES LTD
Company Number16868193
Security Teamtechnical@techport.uk
General Enquiriesonboarding@techport.uk
Phone+44 208 191 0609
AddressOffice 157 Conductor, 8 Westfield Avenue, London E20 1NW, United Kingdom

10. Related Policies

  • Privacy Policy How we collect, process, and protect personal data
  • Terms and Conditions Governing terms for Platform access and use
Legacy.
Techport Technologies Limited United Kingdom
onboarding@techport.uk

Model

  • Economics
  • Legislation
  • Audit

Evidence

  • 9,250 preparations
  • Architecture
  • Evaluation phases

Company

  • Whitepaper
  • Terms
  • Privacy
  • Security

Access

  • Register
  • Request access
  • Eligibility
© 2026 Techport Technologies Limited. All rights reserved.
Evaluation · Rev. 2026.04 · Admission limited