Security Policy
Documentation on Finicom's security policy.
Last Updated: September 29th, 2024
Policies are subject to change.
Introduction
Finicom is a cloud-based online service that lets users sync financial data from their financial institutions to applications like Google Sheets™, Notion, and more.
The purpose of this document is to outline how we keep Finicom secure. Security is critical for our platform and a top priority for us. If you have any questions, please email [email protected].
Access Control Policy for Production Assets and Data
Finicom is committed to safeguarding the integrity, confidentiality, and availability of its production environment and the sensitive data processed within. Access to production assets and data is governed by a strict access control policy, designed to mitigate unauthorized access risks, protect customer data, and ensure compliance with industry standards and regulations.
1. Access Control Principles
Access to Finicom’s production assets is granted only to authorized personnel who have a legitimate business need for such access. The following key principles govern our approach to access control:
- Least Privilege: Access to production systems and sensitive data is provided based on the principle of least privilege, ensuring that users are only granted the minimum necessary access required to perform their duties.
- Role-Based Access: Permissions and access levels are assigned based on predefined roles within the organization. Role definitions include job responsibilities, specific tasks, and required system interactions.
- Strict Authentication Measures: All access to production environments is protected by strong authentication mechanisms, including the use of multi-factor authentication (MFA).
- Logging and Monitoring: All access to production systems is logged and monitored continuously to detect and respond to any unauthorized attempts or suspicious activities.
2. Access Request and Authorization Process
- Requesting Access: Access to production assets and data is initiated through a formal access request process. The request must include justification and is subject to approval by designated administrators or authorized security personnel.
- Review and Approval: Requests are reviewed on a case-by-case basis, with approvals granted based on the user’s job responsibilities and the principle of least privilege.
- Periodic Review: All access rights are reviewed on a regular basis to ensure they remain necessary and appropriate. Any unnecessary or outdated access permissions are promptly revoked.
3. Production Environment Security
- Network Segregation: Finicom’s production environment is segregated from other environments (e.g., development, testing). This ensures that only authorized systems and personnel can interact with production data and resources.
- Encryption: All data, whether at rest or in transit, is encrypted using industry-standard encryption protocols. Sensitive financial data and user authentication tokens are subject to an additional layer of encryption within the production environment to ensure they remain inaccessible to unauthorized personnel.
- Remote Access Security: Remote access to production environments is strictly limited and requires secure connections with encryption. All remote access sessions are logged and monitored.
4. Audit and Logging
- Comprehensive Logging: Finicom maintains comprehensive logging of all server-side activity, including access to production assets. These logs are retained for 30 days, so that any access-related incidents or anomalies within that period can be reviewed.
- Regular Audits: Access logs are subject to regular audits to identify any unauthorized access attempts or suspicious behavior. Any identified incidents are escalated to senior security personnel for immediate investigation.
5. Employee and Contractor Training
- Security Training: All employees and contractors with access to production systems receive security training to ensure they are aware of and comply with the company’s security policies. This includes understanding access control principles, encryption practices, and the correct procedures for handling sensitive data.
6. Incident Response and Access Revocation
- Incident Response Plan: Finicom has an incident response plan in place for handling unauthorized access attempts or security breaches. This includes predefined procedures for revoking access, assessing the scope of the breach, and notifying impacted parties.
- Immediate Revocation: In the event of termination or role changes, access to production assets is revoked immediately to prevent unauthorized use. Access revocation is documented and logged.
7. Third-Party Access
Finicom does not grant third parties access to production environments unless absolutely necessary for operational support or compliance reasons. Any such access is temporary and limited in scope, and is subject to the same stringent controls and monitoring as internal personnel.
8. Continuous Improvement
Finicom is committed to continuously improving its access control policies and procedures to align with industry best practices and regulatory requirements. Regular security assessments are conducted, and any identified vulnerabilities or gaps in our access control mechanisms are promptly addressed.
Change Controls: Building and Releasing Code Changes to Production Assets
Finicom is committed to ensuring the stability, security, and reliability of its production environment through a structured process for managing and deploying code changes. While Finicom operates in an agile and fast-paced development environment, we maintain strict controls to minimize the risk of introducing errors or vulnerabilities during code changes and releases.
1. Environments Overview
Finicom utilizes multiple environments to isolate and test code changes before they are deployed to production:
- Local Environment: Developers initially build and test code in their local environment.
- Staging Environment: Code is deployed to the staging environment, which mirrors production as closely as possible, for manual testing.
- Production Environment: Once thoroughly reviewed and tested, code is deployed to the production environment, where it is made available to end-users.
2. Code Review and Approval Process
- Review: All code changes are subject to review to ensure code quality, adherence to coding standards, and to identify potential security or stability risks.
- Approval Before Deployment: Code cannot be deployed to production without review and approval from an administrator.
3. Testing Process
- Manual Testing in Staging: After code has been deployed to the staging environment, it undergoes a series of manual tests to verify that the changes function as expected and do not introduce regressions or unintended side effects.
- Automated Testing: Finicom maintains and regularly runs automated tests to verify that the platform's functionality works as intended.
- Production Mirroring in Staging: The staging environment mirrors production as closely as possible, replicating the same configurations and data structures, which helps identify potential issues before the final deployment to production. Production data is never used in the staging environment.
4. Change Documentation
- Version Control: All code is versioned using a robust version control system to ensure that changes can be tracked, reverted, or rolled back if necessary.
5. Deployment to Production
Deployment Process: Deployments to production follow a controlled and documented process. This process includes:
- Pre-deployment review: A final review of code changes, configurations, and testing before initiating the release.
- Deployment Automation: Deployments are automated to reduce human error and improve consistency. Finicom uses scripts and deployment tools to ensure repeatable and reliable deployment processes without downtime.
6. Post-Deployment Monitoring
- Immediate Monitoring: After a deployment, the production environment is closely monitored to ensure that the changes have been successfully applied and that there are no performance degradations, errors, or security concerns.
- Rollbacks: If any issues are detected post-deployment, Finicom has a rollback process in place to revert to a previous stable version. Rollbacks can be initiated quickly to minimize downtime or user impact.
7. Continuous Improvement
As Finicom grows, the change control process will evolve to incorporate additional best practices, including continuous integration (CI) that runs the automated test suite on every change before it can be deployed. These improvements will help ensure even greater reliability, security, and scalability while supporting the fast pace of development.
Incident Management: Detecting, Triaging, and Resolving Security Incidents
Finicom is committed to rapidly identifying, triaging, and resolving any security incidents that may impact the confidentiality, integrity, or availability of our systems and user data. Given the nature of Finicom’s services, we prioritize swift incident response while maintaining the agility required for startup operations.
1. Defining a Security Incident
A security incident at Finicom is defined as any event or set of circumstances that could potentially result in unauthorized access to, exposure of, or damage to production assets, sensitive user data, or core application services. Examples of incidents include, but are not limited to:
- Unauthorized Access: Any attempt, successful or not, to gain unauthorized access to production environments or sensitive data (e.g., user tokens, financial transaction data).
- Data Breach: The actual or suspected leakage, theft, or exposure of any sensitive customer data.
- System Vulnerabilities: The discovery of software bugs or vulnerabilities that could be exploited to compromise security.
- Malware or Ransomware: Detection of malware, ransomware, or any unauthorized software in the production environment.
- Service Disruption: Any event that causes a significant disruption to the availability or performance of Finicom’s services, particularly if it affects user data security or access.
- Suspicious Activity: Any anomalous behavior detected via monitoring or logging that suggests a possible threat to system security or data integrity.
2. Incident Detection
Finicom employs a combination of proactive monitoring, automated alerts, and log reviews to detect potential security incidents:
- Real-Time Monitoring: Our systems continuously monitor critical production environments for errors and for indicators of a security problem, such as suspicious activity, unauthorized access attempts, and other potential threats.
- Automated Alerts: Alerts are configured to trigger in the event of abnormal system behavior (e.g., failed authentication attempts, unusual data access patterns, or significant performance drops).
- Log Analysis: All server-side activity, including access logs and changes to production assets, is retained for 30 days and reviewed regularly, and on demand during an investigation, to identify any unauthorized or unusual actions.
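The failed-authentication alert described above, as an added example that is not Finicom's own code: a small Go detector reads authentication log lines and raises one alert per source address once a threshold of failures is crossed inside a sliding time window. The log line format, the threshold of five failures, the ten-minute window and the sample lines are all assumptions constructed for this example, not Finicom's real log schema or tuning.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
	"time"
)

// Assumed log line format (not Finicom's real schema): "<RFC3339 timestamp> <event> user=<name> ip=<addr>".
type authEvent struct {
	at              time.Time
	event, user, ip string // event is auth.failed or auth.ok
}

// parseAuthLine returns an error for malformed lines so callers can count them:
// a sudden rise in unparseable lines is itself a sign that logging is broken.
func parseAuthLine(line string) (authEvent, error) {
	f := strings.Fields(line)
	if len(f) < 4 {
		return authEvent{}, fmt.Errorf("short line: %q", line)
	}
	at, err := time.Parse(time.RFC3339, f[0])
	if err != nil {
		return authEvent{}, fmt.Errorf("bad timestamp in %q: %w", line, err)
	}
	ev := authEvent{at: at, event: f[1]}
	for _, kv := range f[2:] {
		switch {
		case strings.HasPrefix(kv, "user="):
			ev.user = strings.TrimPrefix(kv, "user=")
		case strings.HasPrefix(kv, "ip="):
			ev.ip = strings.TrimPrefix(kv, "ip=")
		}
	}
	return ev, nil
}

// Alert is raised once a source IP reaches threshold failures inside the window.
type Alert struct {
	IP    string
	Users []string // distinct usernames tried; many users from one IP is password spraying
	At    time.Time
}

// detectBruteForce scans lines in chronological order and returns one alert per IP,
// raised when the threshold is first crossed, plus the number of unparseable lines.
func detectBruteForce(lines []string, threshold int, window time.Duration) (alerts []Alert, malformed int) {
	type state struct {
		failures []time.Time
		users    map[string]bool
		alerted  bool
	}
	perIP := map[string]*state{}
	for _, line := range lines {
		ev, err := parseAuthLine(line)
		if err != nil {
			malformed++
			continue
		}
		if ev.event != "auth.failed" {
			continue
		}
		if perIP[ev.ip] == nil {
			perIP[ev.ip] = &state{users: map[string]bool{}}
		}
		st := perIP[ev.ip]
		st.users[ev.user] = true
		cutoff := ev.at.Add(-window) // expire failures older than the window
		kept := st.failures[:0]
		for _, t := range st.failures {
			if t.After(cutoff) {
				kept = append(kept, t)
			}
		}
		st.failures = append(kept, ev.at)
		if !st.alerted && len(st.failures) >= threshold {
			st.alerted = true
			var users []string
			for u := range st.users {
				users = append(users, u)
			}
			sort.Strings(users)
			alerts = append(alerts, Alert{IP: ev.ip, Users: users, At: ev.at})
		}
	}
	return alerts, malformed
}

var sampleAuthLog = []string{ // constructed for this example; addresses are documentation ranges
	"2024-09-29T10:00:01Z auth.failed user=alice ip=203.0.113.7",
	"2024-09-29T10:00:09Z auth.failed user=bob ip=203.0.113.7",
	"2024-09-29T10:00:15Z auth.ok user=carol ip=198.51.100.4",
	"2024-09-29T10:00:20Z auth.failed user=carol ip=203.0.113.7",
	"2024-09-29T10:00:31Z auth.failed user=dave ip=203.0.113.7",
	"2024-09-29T10:00:44Z auth.failed user=erin ip=203.0.113.7", // fifth failure inside the window
	"2024-09-29T10:05:00Z auth.failed user=frank ip=198.51.100.4",
	"2024-09-29T10:20:00Z auth.failed user=frank ip=198.51.100.4", // the 10:05 failure has expired
	"not a log line",
}

func main() {
	alerts, malformed := detectBruteForce(sampleAuthLog, 5, 10*time.Minute)
	fmt.Printf("%d malformed line(s); alerts: %+v\n", malformed, alerts)
}
```

Two details matter in practice: the window is kept per source address and collects the distinct usernames tried, so a password-spraying run (many users from one address) is flagged as well as a brute force against a single account; and lines that fail to parse are counted rather than silently dropped, because a rise in malformed lines is itself a signal that logging has broken or been tampered with.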
3. Incident Triage
Once a potential incident is detected, it is triaged based on severity and impact:
- Low Severity: Incidents with minimal or no direct impact on user data or services (e.g., a small number of failed login attempts against a non-privileged account). These are logged, monitored, and may be addressed as part of routine maintenance.
- Medium Severity: Incidents that could impact system performance or expose potential vulnerabilities (e.g., the discovery of a non-exploited vulnerability or abnormal system behavior). These incidents are addressed promptly, but with less urgency than critical incidents.
- High Severity (Critical): Incidents that directly impact the confidentiality, integrity, or availability of user data or production systems (e.g., unauthorized access, data breaches, malware attacks). These incidents trigger an immediate response, including system isolation, to contain and mitigate the threat.
4. Incident Response and Resolution
For each incident, Finicom follows a structured response process to ensure quick and effective resolution:
- Containment: For critical incidents, the first priority is to contain the threat by isolating affected systems or services. This may include disabling access, revoking user sessions, or temporarily shutting down portions of the service.
- Initial Assessment: The incident is assessed to determine the root cause, potential impact, and necessary actions. This includes reviewing system logs, access controls, and any affected data.
- Notification (if applicable): If the incident involves a data breach or has the potential to significantly impact users, Finicom will notify affected users and stakeholders as quickly as possible. In the case of regulatory obligations, appropriate authorities will also be notified within the required timeframe.
- Mitigation and Recovery: Corrective actions are taken to address the root cause and prevent recurrence. This may involve patching vulnerabilities, revoking compromised credentials, restoring backups, or applying security configurations.
- Resolution and Verification: Once mitigated, the incident is closed following a thorough verification process to ensure the issue is fully resolved. The system is returned to normal operation, and any additional monitoring necessary is applied to verify there are no remaining risks.
5. Post-Incident Review
After a medium or high severity incident is resolved, a post-incident review is conducted to assess the effectiveness of the response, identify any process gaps, and implement improvements where necessary:
- Root Cause Analysis: A detailed review of the incident is conducted to determine its underlying causes, any security weaknesses exploited, and how it was resolved.
- Lessons Learned: The incident is documented, including lessons learned and any recommended changes to policies, processes, or infrastructure.
- Process Improvements: Based on the findings, Finicom implements any necessary process or security improvements to prevent future incidents of the same nature.
6. Continuous Monitoring and Improvement
Finicom continually evaluates and improves its incident management processes as part of its commitment to maintaining a secure and resilient service. This includes regular system updates, infrastructure improvements, and employee training in incident response and security best practices.
Data Minimization: Data Deletion and Retention Policy
Finicom is committed to the principle of data minimization, ensuring that only the minimal necessary data is collected, processed, and retained to provide its services. We aim to protect user privacy and comply with applicable data privacy laws, such as the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), by defining strict policies for data collection, retention, and deletion.
1. Data Collection Policy
Finicom only collects data that is essential to providing its core services. This includes:
- Personal Information: Account information (such as name and email address) is collected for account creation, authentication, and communication purposes.
- Financial Data: Limited financial data, such as transaction details, is temporarily accessed to provide sync services to third-party platforms (e.g., Google Sheets, Notion). This data is never permanently stored by Finicom.
2. Data Retention Policy
Finicom enforces a minimal data retention policy to ensure that user data is not stored longer than necessary to fulfill its intended purpose.
- Financial Transaction Data: Finicom does not permanently store financial transaction data. All transaction details (including amounts, descriptions, and categories) are deleted immediately after being processed and delivered to the user’s requested third-party platform.
- Sensitive User Tokens: Any tokens used to access users' financial institutions are encrypted and stored securely while the user account remains active. These tokens are doubly encrypted (encrypted at the application layer in addition to the at-rest encryption applied to all data, as described under Production Environment Security) and are never stored in plaintext.
- Personal Information: User account information, such as name and email, is retained for as long as the user maintains an active account. Upon account deletion, all personal information is permanently removed from our systems in compliance with applicable privacy laws.
- Audit Logs: Finicom retains server logs, including access and activity logs, for 30 days to support troubleshooting and auditing. After 30 days, these logs are permanently deleted.
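The additional layer of encryption for institution tokens, described under Production Environment Security and in the Sensitive User Tokens item above, illustrated by an added Go example that is not Finicom's code: envelope encryption, where each token is encrypted under its own random data key (DEK) with AES-256-GCM, and the DEK is in turn wrapped under a key-encryption key (KEK). The KEK, user identifier and token value here are constructed for the example; in a deployment the KEK would be held in a KMS or HSM and the wrap and unwrap calls would go to that service rather than to a local key.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// StoredToken is the record that reaches the database. The institution token is
// encrypted under a per-record data key (DEK); the DEK is itself encrypted
// ("wrapped") under a key-encryption key (KEK) held outside the database.
// Neither the token nor the DEK is ever written in plaintext.
type StoredToken struct {
	UserID     string // bound into both layers as AEAD associated data
	WrappedDEK []byte // nonce || AES-GCM(KEK, DEK)
	Ciphertext []byte // nonce || AES-GCM(DEK, token)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealGCM encrypts plaintext under key with a fresh random nonce and returns
// nonce||ciphertext; aad is authenticated but not encrypted.
func sealGCM(key, plaintext, aad []byte) ([]byte, error) {
	g, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return append(nonce, g.Seal(nil, nonce, plaintext, aad)...), nil
}

// openGCM reverses sealGCM; a wrong key, wrong aad or any modified byte fails.
func openGCM(key, sealed, aad []byte) ([]byte, error) {
	g, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < g.NonceSize() {
		return nil, errors.New("sealed blob too short")
	}
	return g.Open(nil, sealed[:g.NonceSize()], sealed[g.NonceSize():], aad)
}

// EncryptToken applies both layers: token under a fresh DEK, DEK under the KEK.
func EncryptToken(kek []byte, userID string, token []byte) (StoredToken, error) {
	dek := make([]byte, 32) // unique per token, so one exposed DEK unlocks one record
	if _, err := rand.Read(dek); err != nil {
		return StoredToken{}, err
	}
	aad := []byte(userID)
	ct, err := sealGCM(dek, token, aad)
	if err != nil {
		return StoredToken{}, err
	}
	wrapped, err := sealGCM(kek, dek, aad)
	if err != nil {
		return StoredToken{}, err
	}
	return StoredToken{UserID: userID, WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// DecryptToken unwraps the DEK with the KEK, then decrypts the token. Tampering
// with either blob, or re-labelling the record with another user, returns an
// error rather than data.
func DecryptToken(kek []byte, rec StoredToken) ([]byte, error) {
	aad := []byte(rec.UserID)
	dek, err := openGCM(kek, rec.WrappedDEK, aad)
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	return openGCM(dek, rec.Ciphertext, aad)
}

func main() {
	kek := bytes.Repeat([]byte{0x42}, 32)                  // constructed KEK; a real one lives in a KMS/HSM
	token := []byte("institution-access-token-example") // constructed, not a real token
	rec, err := EncryptToken(kek, "user-123", token)
	if err != nil {
		panic(err)
	}
	fmt.Printf("plaintext present in stored record: %v\n", bytes.Contains(rec.Ciphertext, token))
	pt, err := DecryptToken(kek, rec)
	fmt.Printf("round trip ok: %v (err=%v)\n", bytes.Equal(pt, token), err)
	rec.UserID = "user-999" // record re-labelled to another user: must fail
	_, err = DecryptToken(kek, rec)
	fmt.Printf("decrypt after re-labelling: err=%v\n", err)
}
```

Binding the user ID into the AEAD associated data means a record copied between users fails to decrypt, and destroying a record's wrapped DEK renders that token unrecoverable even from storage backups, which is one way to make an account-deletion request effective immediately rather than at the next backup rotation.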
3. Data Deletion Policy
Finicom provides users with the ability to request the deletion of their data at any time, in compliance with data privacy laws.
- User-Initiated Deletion: Users may request deletion of their account or specific data (such as tokens or synced data) by emailing [email protected]. Once a deletion request is received, Finicom will permanently remove the requested data from its systems within 30 days, unless retention is legally required (e.g., for regulatory compliance).
- Automatic Data Deletion: Finicom automatically deletes financial transaction data immediately after processing and delivery to third-party platforms. This ensures no unnecessary data is retained.
- Regulatory Compliance: Any data required to be retained by law (e.g., for tax or compliance purposes) will be securely archived for the minimum time required by applicable regulations and then permanently deleted.
4. Data Access and Correction
- User Access: Users have the right to access their personal data stored by Finicom and request its correction or deletion as per applicable data protection laws.
- Data Correction: If users identify inaccuracies in their stored personal data, they may request corrections by emailing [email protected]. Finicom will promptly update the data to ensure accuracy and compliance.
5. Compliance with Data Privacy Laws
Finicom adheres to relevant data privacy regulations, including:
- GDPR (General Data Protection Regulation): Finicom processes user data in compliance with GDPR, ensuring transparency, lawful data processing, and user rights for access, correction, and deletion of data.
- CCPA (California Consumer Privacy Act): For users residing in California, Finicom complies with the CCPA, allowing users to request the deletion of their data and providing transparency about what data is collected and how it is used.
6. Data Security Measures
To safeguard user data during its limited retention period, Finicom employs the following security measures:
- Encryption: All sensitive data, including financial data and user tokens, is encrypted both in transit and at rest using industry-leading encryption standards.
- Access Controls: Access to user data is strictly limited to authorized personnel, and sensitive data (such as financial transaction data and tokens) is doubly encrypted, ensuring it cannot be viewed by employees.
7. Continuous Improvement
Finicom continually reviews and enhances its data minimization practices to adapt to new legal requirements, security best practices, and technological advancements. Our goal is to minimize data exposure while providing secure, reliable services to our users.