Security & Privacy FAQs
1. Does Finicast have an information security program?
Yes, Finicast maintains an information security program, along with a list of policies and procedures covering control areas such as Access Control, Data Classification, Risk Management, Incident Response, Business Continuity and Disaster Recovery, and Security Monitoring.
2. Does Finicast have an incident response plan?
Yes, Finicast maintains an incident response plan that details the roles and responsibilities, workflows, investigation and escalation procedures, communication plan, and post-mortem requirements.
3. Does Finicast undergo any third-party security assessments?
Yes, Finicast engages a third-party vendor to conduct penetration tests on our network and application. You may find third-party reports in our Customer Assurance Package.
1. Is Finicast’s information security program aligned with industry standards?
Yes, Finicast’s information security program is aligned with industry standards and best practices. Our control set is developed and updated to meet the requirements from most security frameworks and certifications.
2. Does Finicast hold any third-party compliance attestations or certifications?
Yes, Finicast is SOC 2 Type 2 and HIPAA compliant. Finicast also maintains the ISO 27001 Certification. To obtain a copy of our compliance documentation, please request to download our Customer Assurance Package.
1. Where is my data hosted?
The Finicast Platform is web-hosted, with storage and backups located in the United States.
2. What are subprocessors?
Subprocessors are any third parties that provide services on Finicast’s behalf or that help us to operate the Service, which may involve access to customer or potential customer data. A current list of subprocessors for Finicast is found here.
4. Can I choose not to accept cookies?
Yes, users have the right and ability to accept or deny cookies. If you deny cookies, a single cookie is stored solely to record your preference. You may change your cookie preferences at any time by clicking the link at the bottom of each Finicast webpage.
5. Does Finicast collect my personal information?
6. How does Finicast protect my personal information?
Finicast employs various administrative and technical safeguards to ensure that customers’ personal information is protected. Data is encrypted at rest and in transit.
7. If I end my relationship with Finicast, what happens to my data?
Under data protection laws, you always own and control your own data. While you interact with Finicast’s website and platform, you consent to Finicast’s processing of the data that you enter into Finicast. However, should you decide to abandon or terminate your Finicast account, please notify us to obtain confirmation of secure data disposal. You may also request data deletion or anonymization at any time by filling out a data subject request (“DSR”) here. For customers under a Master Services Agreement, Finicast accommodates account access for another 30 days past termination to allow customers to extract or transition data.
8. What data protection laws does Finicast comply with?
Finicast has engaged subject matter experts at Cooley LLP to research and to inform our policies on data privacy and protection. Our Data Processing Addendum (“DPA”) has been carefully drafted to take into account Finicast’s technical and operational faculties, as well as the most current regulatory guidelines in jurisdictions where we have engaged commercially: the EU, the U.S. (including California, Colorado), and more. We keep apprised of legal developments across the globe where our customers are. If you are curious about Finicast’s compliance with a specific industry or geographic regulation, please contact us.
9. Will Finicast sign my company’s agreements (Data Processing Addendum, Business Associates Agreement), Standard Contractual Clauses (SCCs), or Model Clauses?
Finicast’s DPA incorporates the updated SCCs published by the European Commission on June 7, 2021. We ensure best practices through consultation with subject matter experts at Cooley LLP, Osano Inc., and other data privacy vendors. Applying Finicast’s DPA universally across all user accounts allows Finicast to better surveil our own compliance. Still, we are committed to our customers’ success, including supporting you on your compliance journeys and with whatever additional documents that may involve.
Having achieved HIPAA Type 1 certification, Finicast supports our customers in complying with HIPAA and is happy to provide our business associate agreement, which is based on the requirements promulgated by the Department of Health & Human Services. We are committed to supporting our customers’ success and compliance initiatives, and would gladly discuss your templates.
Please reach out to us if you have any specific questions.
10. Will Finicast fulfill or assist in data subject requests (DSR)?
Under data protection laws, you always own and control your own data. While you interact with Finicast’s website and platform, you consent to Finicast acting as a “processor” of the data that you enter into Finicast. As explained in our DPA, we will report and assist with any DSR that we receive from individuals on your behalf. Finicast will directly fulfill DSRs that we receive from verified owners of data.