Stripe Live, Infrastructure Hardening, Security Audit Automation
Stripe Live
SpeyBooks is now processing live payments. Customers can subscribe to Sole Trader (£15/month) or Limited Company (£25/month) plans directly from billing settings. Subscription lifecycle (checkout completion, plan activation, cancellation, and trial expiry) is driven by Stripe webhook events, with delivery confirmed end to end.
Fix: A provisioning defect caused registration to fail with a generic error for new signups. Resolved; new organisations are created cleanly with correct defaults.
Fix: A configuration issue prevented Stripe webhook delivery. Corrected, and delivery confirmed end to end.
Fix: The billing settings page showed placeholder example invoices and out-of-date plan prices. Invoices now link to the Stripe billing portal, and prices display correctly at £15.00 and £25.00.
Fix: Days remaining in the trial are now shown dynamically in billing settings rather than as fixed copy.
Fix: Duplicate plan status badge removed from billing settings.
Security Test Harness 2.0
The Security Test Harness has been rebuilt and automated following the infrastructure migration. 21 modules run weekly across six areas: firewall and network, secrets and configuration, patch management, access control, malware and services, and operations.
Each run publishes a public audit report to the Insights section and updates the footer trust strip with the current grade, module count, and audit date. The trust strip Audit link now points to the most recent published report.
The first automated run confirmed the expected posture: row-level security enabled and enforced across all tenant tables, hardened SSH access, legacy TLS versions rejected, intrusion-ban protection active, and all SpeyBooks SSL certificates valid.
Current grade: A (100%), 21/21 modules passing.
SSL Certificate Renewal Rebuilt
Following the infrastructure migration, certificate auto-renewal was found to be broken. All certificates have been re-issued with the correct renewal structure, and automatic renewal is confirmed working by dry run.
Legal Entity and Data Residency
All customer-facing pages, legal documents, RSS feeds, and structured data now reflect the correct legal entity (Spey Systems Ltd, SC889983) and infrastructure (Hetzner, Germany EU; encrypted backups in AWS London, eu-west-2). An ICO registration application has been submitted (reference C1951874); the registration number will appear in the footer when issued.
The security@speybooks.com address is now live as the dedicated security contact across all pages and security.txt files.
Infrastructure
A private disaster recovery repository now holds the full infrastructure configuration alongside a complete server provisioning runbook.
The GPG signing key has moved to william@speysystems.com and is published to keys.openpgp.org.
The web server now rejects requests for unrecognised hostnames, closing a minor information disclosure surface.
Known Issues
- VAT registration status cannot be declared at signup. VAT-registered users should update their settings after onboarding. A VAT setup prompt in the onboarding flow is planned.
- The registration page footer still shows “UK-hosted”; this will be corrected in the next marketing site deploy.
- support@speybooks.com appears in one location in the Stripe billing portal email chain; this will clear when the custom domain verification completes.