Your data is safe with Finsweet
Finsweet adheres to strict security standards to ensure the data of our clients, customers, users, and team members is secure.


SOC 2 Type 2 Compliant
SOC 2 (System & Organization Controls) is a compliance framework used to evaluate and validate an organization’s information security practices, particularly in the SaaS industry.
SOC 2 was created by AICPA (American Institute of Certified Public Accountants) as a way to help organizations verify their security, processing integrity, confidentiality and privacy, thus reducing the risk of a security breach.
3rd-party auditors annually assess Finsweet’s information security against five categories, known as the five Trust Services Criteria (TSC).
If you want to view Finsweet’s SOC 2 Type II report, please submit a request.
Finsweet Information Security Program
Our policies are based on the following foundational principles
Access management
RBAC (role-based access control) is implemented to limit access to only those with a legitimate business need, and access is granted based on the principle of least privilege.

Access review
Every team member has a unique login for all business critical systems and 2FA is enforced everywhere possible. Access reviews are conducted for all systems.

Device security
Everyone’s work equipment has Vanta Agent installed, which continually monitors security compliance parameters such as encrypted hard drives, up-to-date OS, active password managers and antivirus software.

Personnel security
Everybody is required to accept the security policies and sign a confidentiality agreement; new hires undergo background checks. Team leaders conduct performance evaluations bi-annually.

Security education
All team members attend at least 1 workshop annually. Every new hire receives a security onboarding session within the first two weeks. Educating our team about Finsweet security standards is an ongoing process throughout the year.

Finsweet Product Security
We follow these policies across all Finsweet products
Security in our cloud service providers
Finsweet’s products are primarily hosted in Vercel and Cloudflare, giving us access to the benefits they provide their customers such as physical security, redundancy, scalability and key management.
User accounts are managed via Auth0, making use of its SSO capabilities to provide a safe and unified login experience across all our products with a single user account.
Security in our products
Each Finsweet product has additional built-in security features, depending on the product’s functionalities, like:
- Role based permissions
- Backups and versioning
Encryption
Encryption is used throughout Finsweet’s products to protect PII and non-public data from unauthorized access.
All communication between Finsweet product users and the product-provided web application is encrypted in transit using TLS.
All databases and database backups are encrypted at rest.
Data retention
Customers can request all of their data, or have it deleted by following the steps in our Forget me page as long as it is not subject to a legal hold or investigation.
Once an account or project is deleted, all associated data (account settings, etc.) are removed from the system. This action is irreversible.
Customer data privacy
Finsweet stores the following customer data in its cloud:
- Names
- Usernames and email addresses
- Billing Email Address
- Payment history and invoices (credit card data is stored and processed by Stripe)
- Phone Number (optional)
- Billing address
- Company (optional)
- Location (city, country) (optional)
- Personal Website (optional)
- Referred By (optional person who referred user to use a Finsweet product)
Finsweet’s products use a range of third-party service providers to assist with its data processing, customer engagement, and analytic activities.
The type of data that the Subprocessor has access to is limited to only what is reasonably necessary to perform the service provided.
If you’re using Wized, please refer to our Subprocessor page for more information on the list.
Access to data
Access to customer data is limited to only those with roles that require access to perform their job duties. An example of this is our Support team.
Security scans
Finsweet uses scanning tools to monitor and detect vulnerabilities through Vanta.
Infrastructure availability
Our backend infrastructure is hosted in Vercel and Cloudflare and is fully monitored to detect any downtime.
Check out our Finsweet status page or our Wized status page for more information.
3rd party sub-processors
At Finsweet, we use 3rd party service providers to help with analytics, payments, sending transactional emails and for hosting our service.
All 3rd party services undergo a due diligence check to ensure your data stays secure. The data provided to these services is limited to the minimum required to perform their processing duties.
Responsible disclosure
If you believe you have discovered a vulnerability within a Finsweet product, please submit a report to us by emailing [email protected].
Finsweet does not participate in a public bug bounty program at this time, nor do we provide monetary rewards for publicly reported findings.
If you believe your account has been compromised or you are seeing suspicious activity on your account, please report it through our Finsweet Products Support page.
Contact
If you need more information regarding security at Finsweet, please submit a request and our team will contact you.