Privacy by Design
We strive to continue improving our internal security controls and their effectiveness to give you confidence in our product.
SOC 2 Type 2 - We have partnered with leading audit firms to continue improving our security and compliance posture. We are actively pursuing SOC 2 Type 2 compliance and expect to complete the examination by Fall 2022.
Our compliance roadmap includes GDPR, ISO 27001 and HIPAA.
We apply the principle of least privilege to access controls so that employees are given only the level of access their job duties require, and we use role-based access control to assign those privileges.
We enable logging at multiple layers to capture user and security events. In addition to on-screen notifications, system administrator and operator activity logs are reviewed on a periodic basis.
User Access Reviews
We perform periodic user access reviews to ensure that access to data and critical systems is restricted to authorized personnel.
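Least-privilege RBAC with deny-by-default authorization, together with the kind of check a periodic access review performs, as an added example that is not Finicast's code. The roles, permissions, users and direct grants are constructed for illustration; real reviews would pull this data from the identity provider and the systems themselves.

```python
"""Role-based access control (deny by default) plus an access-review pass.

Added example, not Finicast's code. ROLE_PERMISSIONS and the user roster
below are constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Each role carries only the permissions its job duties require (least privilege).
# Constructed roles and permissions; a real deployment would load these from the IdP.
ROLE_PERMISSIONS: dict[str, set[str]] = {
    "engineer": {"repo:read", "repo:write", "staging:deploy"},
    "sre": {"repo:read", "prod:deploy", "prod:logs:read"},
    "support": {"tickets:read", "tickets:write", "customer:read"},
    "auditor": {"prod:logs:read", "tickets:read"},
}


@dataclass
class User:
    name: str
    roles: set[str]
    # Permissions granted directly to the person rather than through a role.
    # These bypass RBAC and are exactly what an access review should surface.
    direct_grants: set[str] = field(default_factory=set)


def effective_permissions(user: User) -> set[str]:
    """Union of the user's role permissions and any direct grants."""
    perms: set[str] = set()
    for role in user.roles:
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms | user.direct_grants


def is_authorized(user: User, permission: str) -> bool:
    """Deny by default: only an explicit grant (via a role or directly) permits the action."""
    return permission in effective_permissions(user)


def access_review(users: list[User]) -> list[dict]:
    """Produce findings a reviewer must act on.

    - unknown_role: the user references a role that no longer exists (stale assignment).
    - direct_grant: a permission held outside any role; move it into a role or revoke it.
    - no_access:    an account with no effective permissions, a candidate for removal.
    """
    findings: list[dict] = []
    for u in users:
        for role in sorted(u.roles - set(ROLE_PERMISSIONS)):
            findings.append({"user": u.name, "issue": "unknown_role", "detail": role})
        for perm in sorted(u.direct_grants):
            findings.append({"user": u.name, "issue": "direct_grant", "detail": perm})
        if not effective_permissions(u):
            findings.append({"user": u.name, "issue": "no_access", "detail": ""})
    return findings


if __name__ == "__main__":
    # Constructed roster for illustration.
    roster = [
        User("alice", {"engineer"}),
        User("bob", {"support"}, direct_grants={"prod:deploy"}),
        User("carol", {"ghost"}),
    ]
    print("alice repo:write ->", is_authorized(roster[0], "repo:write"))
    print("alice prod:deploy ->", is_authorized(roster[0], "prod:deploy"))
    for finding in access_review(roster):
        print(finding)
```

The review is cheap to run on every cycle because it works from the same data the authorization check uses; the point of the `direct_grant` finding is that anything outside a role drifts away from least privilege and is invisible to role-based reviews unless explicitly enumerated.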
Availability and Business Continuity
Redundant architecture is in place to migrate business operations to alternate infrastructure in the event that normal processing infrastructure becomes unavailable.
Finicast maintains a publicly available status page which includes details on uptime and system availability, along with the history and details of any service incidents.
We have an automated backup system configured to perform full backups of data on a daily basis.
We have a comprehensive business continuity and disaster recovery program in place to manage risk associated with business disruptions. The response plans are tested on at least an annual basis to help ensure the recoverability of operations in the event of a disaster.
Encryption At Rest
Customer data is stored in encrypted form. Encryption keys are protected throughout their lifecycle: generation, storage, use, and destruction.
Encryption In Transit
Web servers use TLS to encrypt web communication sessions. Encrypted VPNs are used for remote access to protect the confidentiality and integrity of data passing over the public network.
We have an extensive incident response workflow to ensure that incidents are identified, reported, and resolved in a timely manner. Multiple communication channels are also in place so that internal and external parties can report incidents to Finicast.
We have set up multiple layers of defense against DDoS attacks, including IP blacklisting, flood protection, and the use of a hybrid DDoS protection solution.
We have firewall systems in place to filter unauthorized inbound network traffic from the Internet and deny any type of network connection that is not explicitly authorized.
We have a SIEM application configured to aggregate system logs and to monitor for anomalies indicative of malicious acts, natural disasters, and errors. The application alerts our security and engineering personnel when certain predefined events occur.
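The "predefined events" pattern above, shown as detection rules run over aggregated log lines, as an added example that is not Finicast's SIEM configuration. The log line format, the event names, the thresholds and the sample log lines are all constructed for illustration; the rules themselves (a failed-login burst, a successful login from a source that just tripped that burst, and an admin role grant) are the kind of correlation a SIEM alerts on.

```python
"""SIEM-style correlation rules over aggregated log lines.

Added example, not Finicast's SIEM rules. The line format
"<ISO timestamp> <source> <event> key=value ..." and the sample lines
are constructed; the thresholds are assumptions.
"""
from __future__ import annotations

import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed line format: timestamp, emitting host/service, event name, key=value fields.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<source>\S+) (?P<event>\S+)(?P<fields>(?: \w+=\S+)*)$"
)

# Constructed sample: five failed logins in 90 seconds, then a success from the
# same source, an unrelated single failure, and an admin role grant.
SAMPLE_LOGS = [
    "2024-03-01T10:00:00 app-web-1 auth.login_failed user=jdoe src=203.0.113.7",
    "2024-03-01T10:00:15 app-web-1 auth.login_failed user=jdoe src=203.0.113.7",
    "2024-03-01T10:00:30 app-web-1 auth.login_failed user=jdoe src=203.0.113.7",
    "2024-03-01T10:00:45 app-web-1 auth.login_failed user=jdoe src=203.0.113.7",
    "2024-03-01T10:01:30 app-web-1 auth.login_failed user=jdoe src=203.0.113.7",
    "2024-03-01T10:02:00 app-web-1 auth.login_ok user=jdoe src=203.0.113.7",
    "2024-03-01T10:30:00 app-web-2 auth.login_failed user=asmith src=198.51.100.9",
    "2024-03-01T11:00:00 iam-svc iam.role_granted user=ops-bot role=admin by=jdoe",
]


def parse_line(line: str) -> dict | None:
    """Parse one log line into a dict, or None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m["fields"].split())
    return {"ts": datetime.fromisoformat(m["ts"]), "source": m["source"],
            "event": m["event"], **fields}


def detect(lines: list[str], fail_threshold: int = 5,
           window: timedelta = timedelta(minutes=5)) -> list[dict]:
    """Run the correlation rules over lines (assumed in time order) and return alerts."""
    alerts: list[dict] = []
    failures: dict[tuple, list[datetime]] = defaultdict(list)  # (user, src) -> recent failure times
    flagged: set[tuple] = set()  # keys that already tripped the brute-force rule

    for raw in lines:
        ev = parse_line(raw)
        if ev is None:
            # Format drift or tampering is itself worth an alert; silently
            # dropping lines blinds every other rule.
            alerts.append({"rule": "unparseable_log", "line": raw.strip()})
            continue
        key = (ev.get("user"), ev.get("src"))
        stamp = ev["ts"].isoformat()

        if ev["event"] == "auth.login_failed":
            # Keep only failures inside the sliding window, then count.
            recent = [t for t in failures[key] if ev["ts"] - t <= window] + [ev["ts"]]
            failures[key] = recent
            if len(recent) >= fail_threshold and key not in flagged:
                flagged.add(key)  # fire once per burst, not on every further failure
                alerts.append({"rule": "brute_force", "ts": stamp, "user": key[0],
                               "src": key[1], "count": len(recent)})
        elif ev["event"] == "auth.login_ok" and key in flagged:
            # A success right after a burst is the higher-severity signal.
            alerts.append({"rule": "login_after_brute_force", "ts": stamp,
                           "user": key[0], "src": key[1]})
        elif ev["event"] == "iam.role_granted" and ev.get("role") == "admin":
            alerts.append({"rule": "admin_role_granted", "ts": stamp,
                           "user": ev.get("user"), "by": ev.get("by")})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOGS):
        print(alert)
```

Two choices here matter in practice: the brute-force rule fires once per burst rather than on every failure past the threshold (otherwise the on-call channel floods), and lines that fail to parse raise their own alert, because a quiet parser failure after a log format change looks identical to an attacker-free day.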
Third-Party Penetration Test
We are contracted with a third-party vendor to perform penetration tests on our network and application on an annual basis. Findings identified from the test are tracked through remediation.
We have multiple tools configured to run daily and weekly vulnerability scans on our network and application. Alerts notify our Security Team so that findings can be escalated if needed.
We require all employees to complete background checks as part of the hiring process in accordance with applicable laws and regulations. This includes personal and professional references, social security verification, employment verification, educational verification, and criminal history.
We require all employees and contractors to sign non-disclosure and confidentiality agreements upon hire, agreeing not to disclose proprietary or confidential information, including client information, to unauthorized parties.
Security Awareness Training
We require all employees and contractors to complete a series of security awareness training courses upon hire and annually thereafter.
Physical and Environmental Security
Our product is hosted on leading cloud infrastructure and data center providers that enforce strong physical and environmental controls within their facilities to protect network infrastructure.
We have layered physical security controls on-site at our office facility including badge-control access to the building and office suite, video surveillance, and automated locking.