Security

Built for the standards UK accountancy firms expect.

Your firm holds the most sensitive data in your clients' lives. The Link is engineered so that protecting it is the default — not a setting you have to remember to turn on.

UK data residency: AWS eu-west-2, London
Multi-factor auth: TOTP with backup codes
Encryption: TLS in transit, AES-256 at rest

Authentication & access

Every login is hardened against the patterns that compromise accountancy firms — phishing, credential stuffing and stolen sessions.

  • Multi-factor authentication via time-based one-time passwords (TOTP), with eight bcrypt-hashed backup codes issued at enrolment
  • Trusted-device cookies remember a verified browser for thirty days and are revoked automatically on password change
  • Magic-link passwordless login for clients, with bcrypt-hashed tokens, a ten-minute time-to-live and single-use enforcement
  • Login attempts rate-limited to ten per email address per fifteen minutes
  • Sessions regenerated on every login and invalidated everywhere the moment a password changes

Authorisation

Granular permissions, not all-or-nothing. Every team member sees exactly what their role requires — nothing more.

  • Ninety-seven granular permissions across thirteen domains, enforced server-side on every protected route
  • Permission sets compose for each role, with per-user overrides for exceptions
  • Two-thousand-plus API endpoints reviewed in a comprehensive scoping audit — no unauthenticated paths
  • Frontend guards mirror the backend so users only see actions they are entitled to perform

Data protection

Your firm's data lives in the United Kingdom, encrypted in transit and at rest, on managed infrastructure operated by Cloudflare and Neon.

  • Primary database hosted in the United Kingdom (AWS eu-west-2, London)
  • Transport encrypted end-to-end with TLS — database connections require sslmode=require
  • Encryption at rest provided by Neon's managed Postgres service
  • Sensitive credentials — multi-factor secrets and OAuth tokens — additionally encrypted at the application layer using AES-256-GCM
  • File uploads stored in private-prefix Cloudflare R2 buckets, served only via short-lived signed URLs

Application hardening

Defence in depth at the application boundary — headers, sanitisation and signature verification on every external interface.

  • Helmet security headers in production: X-Frame-Options, X-Content-Type-Options, HSTS preload-ready, Referrer-Policy
  • All HTML rendered through DOMPurify — no unsanitised user input ever reaches the browser
  • Database queries parameterised through Drizzle ORM — no raw SQL constructed from user input
  • Inbound webhooks verified with HMAC-SHA256 signatures and constant-time comparison
  • File uploads bound by content-type allow-list, size limits and filename sanitisation
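
The webhook bullet above can be illustrated with a short Node.js sketch. This is an added example, not The Link's own code: the hex-encoded signature format, the function names and the sample payload are assumptions made for illustration.

```javascript
const crypto = require('node:crypto');

// Assumed signature format: hex-encoded HMAC-SHA256 of the raw request body.
const HEX_SHA256 = /^[0-9a-f]{64}$/i;

// What the sender would compute (used here to build the constructed sample).
function signBody(secret, rawBody) {
  return crypto.createHmac('sha256', secret).update(rawBody).digest('hex');
}

// Returns true only when signatureHeader is a valid HMAC-SHA256 of rawBody.
// rawBody must be the exact bytes received, not JSON that was parsed and
// serialised again, because any whitespace change alters the digest.
function verifyWebhook(secret, rawBody, signatureHeader) {
  if (typeof signatureHeader !== 'string' || !HEX_SHA256.test(signatureHeader)) {
    return false; // missing or malformed header: reject before comparing
  }
  const expected = crypto.createHmac('sha256', secret).update(rawBody).digest();
  const received = Buffer.from(signatureHeader, 'hex');
  // Both buffers are exactly 32 bytes here, so timingSafeEqual cannot throw
  // on a length mismatch, and the comparison time does not depend on content.
  return crypto.timingSafeEqual(expected, received);
}

// Constructed sample data (not real secrets or events).
const SECRET = 'constructed-demo-secret';
const rawBody = Buffer.from('{"event":"agreement.signed",  "id": 42}');
const goodSig = signBody(SECRET, rawBody);

function demo() {
  const tampered = Buffer.from('{"event":"agreement.signed",  "id": 43}');
  const reserialised = Buffer.from(JSON.stringify(JSON.parse(rawBody.toString())));
  return {
    valid: verifyWebhook(SECRET, rawBody, goodSig),
    tamperedBody: verifyWebhook(SECRET, tampered, goodSig),
    reserialised: verifyWebhook(SECRET, reserialised, goodSig),
    truncatedSig: verifyWebhook(SECRET, rawBody, goodSig.slice(0, 10)),
    missingSig: verifyWebhook(SECRET, rawBody, undefined),
    wrongSecret: verifyWebhook('another-secret', rawBody, goodSig),
  };
}

console.log(demo());
```

Only the `valid` case returns true. The `reserialised` case fails even though the JSON is semantically identical, which is why the verification step has to run on the raw body before any parsing middleware.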

Audit & accountability

Every material action leaves a trail. When a regulator, an auditor or a client asks 'what happened?', the answer is one query away.

  • Immutable lifecycle history on agreements, approvals and scheduled work
  • Domain-specific audit tables for user activity, agreement events, scheduling actions and lifecycle changes
  • Every record carries created-by, updated-by and timestamp metadata — no anonymous changes
  • Webhook deliveries and external integrations logged for replay and reconciliation

AI & your data

AI is a first-class part of how The Link works — and how it handles your data is a first-class part of how it is engineered.

  • Your firm's data is never used to train any model — ours, our providers' or anyone else's
  • Anthropic and OpenAI run under enterprise terms with zero retention for model training
  • AI calls travel over the same TLS-encrypted transport as the rest of the platform

Need a DPA, security questionnaire response, or a call with the team?

We work with firms' IT and compliance teams directly. Most security questionnaires are answered within two working days.