Data Security

🔒 1. Our Security Commitment

FinSight handles sensitive financial documents on behalf of our clients. We take security extremely seriously and apply industry-standard protections at every layer of the platform.

Security is not an afterthought — it is built into the architecture of the product. This page outlines the specific measures we take to keep your data safe.

🔒 2. Encryption

• In transit: All data transmitted between your browser and FinSight is encrypted using TLS 1.3, the latest and most secure transport layer standard.
• At rest: Database records are encrypted at rest using AES-256 encryption via Supabase.
• Passwords: User passwords are hashed using bcrypt and are never stored or transmitted in plain text.
• Payments: Payment card data is handled exclusively by Stripe, which maintains PCI DSS Level 1 certification — the highest available level.

🔒 3. Document Handling

• Documents are uploaded over HTTPS — encrypted end-to-end in transit.
• Files are passed securely to Anthropic's Claude API for analysis using encrypted API calls.
• Documents are not stored on our servers after analysis is complete. They are processed and immediately discarded.
• Your financial documents are not used to train AI models — Anthropic's enterprise API terms prohibit this.
• Each client's data is strictly isolated — no client can access another client's documents or reports.

🔒 4. Access Controls

• Client access is protected by email and password authentication with minimum password requirements enforced.
• Staff access to the admin portal uses a separate authentication system with role-based permissions (admin vs. staff roles).
• All staff access to client data is logged for audit purposes.
• Session tokens expire after inactivity and on logout.

🔒 5. Infrastructure Security

• Hosting: The application is hosted on Railway, which provides automatic security updates and isolated container environments.
• Database: Supabase is used for data storage with row-level security (RLS) enforced at the database level — ensuring queries can only access the data they are authorised to see.
• Secrets management: API keys, database credentials, and other secrets are stored as encrypted environment variables — never in code or version control.
• Source code: The FinSight codebase is maintained in a private GitHub repository with restricted access.

🔒 6. Payment Security

• All payment processing is handled by Stripe, a PCI DSS Level 1 certified provider.
• FinSight never sees or stores your card number, CVV, or expiry date. Card data goes directly from your browser to Stripe's secure servers.
• Stripe's built-in fraud detection (Stripe Radar) monitors transactions for suspicious activity.
• Subscription management, billing, and refunds are all handled through Stripe's secure infrastructure.

🔒 7. Incident Response

In the event of a security incident involving personal data:

• We will notify affected users within 72 hours of becoming aware of the breach, as required by GDPR.
• Notifications will include: details of the incident, which data was affected, what we are doing to address it, and steps you can take to protect yourself.
• We will notify the relevant Data Protection Authority where required by law.
• A post-incident review will be conducted and any necessary changes made to prevent recurrence.

🔒 8. Vulnerability Reporting

If you discover a security vulnerability in FinSight, we ask that you report it responsibly:

• Email us at [email protected] with the subject line "Security Vulnerability".
• Include a clear description of the vulnerability and steps to reproduce it.
• We will acknowledge your report within 24 hours.
• Please do not publicly disclose the vulnerability before we have had a reasonable opportunity to address it.

🔒 9. Third-Party Security

We only work with vendors that maintain strong security standards. Below is a summary of the certifications held by our key partners: