Security

Last updated: 1 March 2026

Security is foundational to FinSight. We handle sensitive financial data and take our responsibility to protect it seriously. This page describes the technical and organisational measures we have in place.

1. Data encryption

All data transmitted between your browser, our platform and your ERP is encrypted in transit using TLS 1.2 or higher. Data at rest is encrypted using AES-256. Encryption keys are managed using hardware security modules (HSMs) and rotated on a regular schedule.

2. ERP access model

FinSight accesses your ERP data in read-only mode exclusively. We request only the minimum permissions necessary to respond to your queries. We never write to, modify or delete records in your source systems. Connection credentials are stored encrypted and are never exposed in logs or API responses.

3. Authentication and access control

  • Multi-factor authentication (MFA) is available and recommended for all accounts
  • Role-based access control (RBAC) allows organisations to limit which users can access which data
  • All sessions are time-limited and invalidated on logout
  • Failed login attempts trigger account lockout after a configurable threshold
  • Access logs are retained for audit purposes

4. Infrastructure security

FinSight is hosted on enterprise-grade cloud infrastructure in the European Union. Our infrastructure is:

  • Isolated per customer using logical separation
  • Protected by network firewalls and intrusion detection systems
  • Monitored 24/7 for anomalous activity
  • Backed up continuously with point-in-time recovery
  • Deployed across multiple availability zones for resilience

5. AI and data isolation

Your ERP data and query history are strictly isolated from other customers. When queries are sent to AI inference APIs, they are anonymised — no organisation identifiers, user names or raw ERP records are included in model inputs. We do not use your data to train shared AI models.

6. Application security

  • All code changes go through peer review before deployment
  • We perform automated vulnerability scanning on every build
  • Dependencies are monitored for known vulnerabilities and updated regularly
  • Input validation and output sanitisation are enforced throughout the platform
  • We follow OWASP secure development guidelines

7. Incident response

In the event of a security incident affecting your data, we will notify you within 72 hours of becoming aware of the breach, in accordance with GDPR Article 33. Our incident response team is on call around the clock.

8. Compliance

FinSight is designed and operated to comply with:

  • General Data Protection Regulation (GDPR)
  • EU data residency requirements — all data remains within the EU

We are working towards SOC 2 Type II certification. Documentation on our controls is available to enterprise customers under NDA.

9. Responsible disclosure

If you discover a potential security vulnerability in FinSight, we ask that you report it to us responsibly before making it public. Please email security@finsight.ai with details. We will acknowledge your report within 24 hours and aim to resolve confirmed vulnerabilities within 30 days.

We do not take legal action against researchers who follow responsible disclosure practices.

10. Contact

For security-related questions or to report a vulnerability, contact security@finsight.ai.