SOC 2 Type II
Report will be available in August 2024

SOC 2 (System & Organization Controls) is a compliance framework used to evaluate and validate an organization’s information security practices, particularly in the SaaS industry.

SOC 2 was created by the AICPA (American Institute of Certified Public Accountants) as a way to help organizations verify their security, availability, processing integrity, confidentiality and privacy controls, thereby reducing the risk of a security breach.

Third-party auditors annually assess Finsweet’s information security against five categories, known as the five Trust Services Criteria (TSC).

To access Finsweet’s SOC 2 Type II report, please submit a request.

Finsweet Information Security Program

Our policies are based on the following foundational principles:

Access management

Role-based access control (RBAC) is implemented to limit access to those with a legitimate business need, and permissions are granted according to the principle of least privilege.

Access review

Every team member has a unique login for all business critical systems and 2FA is enforced everywhere possible. Access reviews are conducted for all systems.

Device security

Everyone’s work equipment has the Vanta Agent installed, which continually monitors security compliance parameters such as hard drive encryption, an up-to-date OS, an active password manager and antivirus software.

Personnel security

Everybody is required to accept the security policies and sign a confidentiality agreement; new hires undergo background checks. Team leaders conduct performance evaluations bi-annually.

Security education

All team members attend at least 1 workshop annually. Every new hire receives a security onboarding session within the first two weeks.

Finsweet product security

Security in our cloud service providers

Finsweet’s products are primarily hosted on Vercel and Cloudflare, giving us access to the benefits they provide their customers, such as physical security, redundancy, scalability and key management.

User accounts are managed via Auth0, making use of its SSO capabilities to provide a safe and unified login experience across all our products with a single user account.

Security in our products

Each Finsweet product has additional built in security features, depending on the product’s functionalities, like:

  • Role based permissions
  • Backups and versioning

Customer data privacy

Finsweet stores the following customer data in its cloud:

  • Names
  • Usernames and email addresses
  • Billing email address
  • Payment history and invoices (credit card data is stored and processed by Stripe)
  • Phone number (optional)
  • Billing address
  • Company (optional)
  • Location (city, country) (optional)
  • Personal website (optional)
  • Referred by (optional; the person who referred the user to a Finsweet product)

Finsweet’s products use a range of third-party service providers to assist with data processing, customer engagement and analytics. The data each sub-processor has access to is limited to what is reasonably necessary to perform the service it provides.

If you’re using Wized, please refer to our Subprocessor page for more information on the list.

Encryption

Encryption is used throughout Finsweet’s products to protect PII and non-public data from unauthorized access.

All communication between Finsweet product users and the product’s web application is encrypted in transit using TLS.

All databases and database backups are encrypted at rest.

Data retention

Customers can request a copy of all of their data, or have it deleted, by following the steps on our Forget me page, provided the data is not subject to a legal hold or investigation.

Once an account or project is deleted, all associated data (account settings, etc.) are removed from the system. This action is irreversible.

Access to data

Access to customer data is limited to those whose roles require it to perform their job duties, for example our Support team.

3rd party sub-processors

At Finsweet, we use third-party service providers to help with analytics, payments, sending transactional emails and hosting our service.

All third-party services undergo a due diligence check to ensure your data stays secure. The data provided to these services is limited to the minimum required to perform their processing duties.

Infrastructure availability

Our backend infrastructure is hosted on Vercel and Cloudflare and is fully monitored to detect any downtime.

Check out our Finsweet status page or our Wized status page for more information.

Security scans

Finsweet uses vulnerability scanning tools, integrated through Vanta, to monitor for and detect vulnerabilities.

Responsible disclosure

If you believe you have discovered a vulnerability within a Finsweet product, please submit a report to us by emailing [email protected].

Finsweet does not participate in a public bug bounty program at this time, nor do we provide monetary rewards for publicly reported findings.

If you believe your account has been compromised or you are seeing suspicious activity on your account please report through our Finsweet Products Support page.

Contact

If you need more information regarding security at Finsweet, please submit a request and our team will get in touch with you.