Security and Privacy by Design

At Finicast, we have committed ourselves to the highest standards of security to deliver trust and assurance to customers.

We strive to continue improving our internal security controls and their effectiveness to give you confidence in our product.
SOC 2 Type 1 - We have successfully achieved SOC 2 Type 1 compliance for the Finicast Software, meeting requirements for the security, availability and confidentiality trust services categories.  The SOC 2 Type 1 report is available to Finicast customers and prospects upon request.

SOC 2 Type 2 - We have partnered with leading audit firms to continue improving our security and compliance posture. We are actively pursuing SOC 2 Type 2 compliance and expect to complete the examination by Fall 2022.

Our compliance roadmap includes GDPR, ISO 27001 and HIPAA.

Access Control

Least Privilege

We apply the principle of least privilege to access controls so that employees are given only the level of access required for their job duties. Additionally, we utilize role-based access control to assign access privileges.


We enable logging on multiple layers to capture user and security events. On top of on-screen notifications, system administrator and operator activity logs are also reviewed on a periodic basis.

User Access Reviews

We perform periodic user access reviews to ensure access to data and critical systems is restricted to authorized personnel.

Availability and Business Continuity


We have redundant architecture in place to migrate business operations to alternate infrastructure in the event normal processing infrastructure becomes unavailable.

Finicast maintains a publicly available status page which includes details on uptime and system availability, along with service incident history and details.

Data Backups

We have an automated backup system configured to perform full backups of data on a daily basis.

Disaster Recovery

We have a comprehensive business continuity and disaster recovery program in place to manage risk associated with business disruptions. The response plans are tested on at least an annual basis to help ensure the recoverability of operations in the event of a disaster.

Data Security

Encryption At Rest

Customer data is stored in encrypted format. Encryption keys are protected during generation, storage, use, and destruction.

Encryption In Transit

Web servers utilize TLS encryption for web communication sessions.  Encrypted VPNs are utilized for remote access for the security and integrity of the data passing over the public network.

Incident Response

We have an extensive incident response workflow built out to ensure that incidents are identified, reported, and resolved in a timely manner.  Various communication channels are also set up to ensure that internal and external parties are able to report incidents to Finicast.

Network Security

DDoS Protection

We have set up multiple layers of defense against DDoS attacks, including IP blacklisting, flood protection, and the use of a hybrid DDoS protection solution.


We have firewall systems in place to filter unauthorized inbound network traffic from the Internet and deny any type of network connection that is not explicitly authorized.

SIEM Monitoring

We have a SIEM application configured to aggregate system logs, and monitor for anomalies that are indicative of malicious acts, natural disasters, and errors.  The application alerts our security and engineering personnel when certain predefined events occur.

Third-Party Penetration Test

We are contracted with a third-party vendor to perform penetration tests on our network and application on an annual basis. Findings identified from the test are tracked through remediation.

Vulnerability Scanning

We have multiple tools configured to run daily and weekly vulnerability scans on our network and application. Alerts are also configured to notify our Security Team for escalation if needed.

Personnel Security

Background Checks

We require all employees to complete background checks as part of the hiring process in accordance with applicable laws and regulations.  This includes personal and professional references, social security verification, employment verification, educational verification, and criminal history.

Confidentiality Agreements

We require all employees and contractors to sign non-disclosure and confidentiality agreements upon hire, agreeing not to disclose proprietary or confidential information, including client information, to unauthorized parties.

Security Awareness Training

We require all employees and contractors to complete a series of security awareness training courses upon hire and annually thereafter.  

Physical and Environmental Security

Colocation Providers

Our product is hosted on leading cloud infrastructure and data center providers who enforce strong physical and environmental controls within their facilities to protect network infrastructure.

Office Facility

We have layered physical security controls on-site at our office facility including badge-control access to the building and office suite, video surveillance, and automated locking.

Contact Us

If you have any security or privacy related questions, concerns, or comments, please contact

Michael Marks



Technical Advisor & Investor

Lucas Venture Group