Security
How FA Finance protects customer data, our security program, subprocessors, and how to report a vulnerability.
Finance data is sensitive. FA Finance is built so that the protection, auditability and confidentiality of customer data are primary design goals, not afterthoughts. This page summarises our security program and how to get in touch.
Reporting a vulnerability
If you believe you have found a security issue affecting FA Finance, please email security@fafinance.net. Include the steps to reproduce and any supporting material. We aim to acknowledge reports within 2 business days.
We ask that researchers:
- Give us a reasonable time to investigate and remediate before public disclosure.
- Do not access, modify, or destroy data that is not your own.
- Do not run denial-of-service, spam, or social-engineering attacks.
- Stay within the scope of fafinance.net and the product under your own account.
We will not pursue legal action against researchers acting in good faith and within this policy.
Encryption
- In transit: TLS 1.2+ for all public endpoints, with modern cipher suites and HSTS.
- At rest: AES-256 for application databases, object storage and backups.
- Secrets management: credentials and API keys are stored in a dedicated secret manager, never in source code.
Authentication and access control
- Customer authentication supports email + password and SSO.
- Passwords are stored salted and hashed; we never see or store plaintext passwords.
- Role-based access controls limit what each user can see and do inside a workspace.
- Internal access to production systems is restricted to a small number of engineers, requires SSO with multi-factor authentication, and is logged.
Infrastructure
- Hosted on reputable EU-region cloud providers holding ISO 27001 and SOC 2 certifications and operating GDPR-aligned controls.
- Customer data is stored primarily in the EU/EEA.
- Networks use private subnets, security groups and least-privilege IAM.
- Deployments go through automated pipelines with code review and static analysis.
AI and model use
- Customer data is not used to train third-party foundation models. Our contracts with AI providers prohibit such training on customer data.
- Agent actions are auditable; every material action is logged with the underlying reasoning and the data it used.
- Humans remain in the loop for approvals, exceptions and anything that materially affects your books.
Subprocessors
We rely on a short, deliberately chosen list of subprocessors for cloud infrastructure, authentication, payment processing, AI model hosting, and customer support. Each is covered by a written data processing agreement meeting GDPR Article 28. A current list is available on request from privacy@fafinance.net.
Monitoring, logging and backups
- Centralised application and infrastructure logs with alerting on anomalous activity.
- Automated, encrypted backups of production databases, with periodic restore tests.
- Security-relevant events (authentication, permission changes, data export) are retained for audit.
Incident response
We maintain an incident response plan covering detection, triage, containment, remediation and post-mortem. If a personal-data breach affects your organisation, we will notify you without undue delay and in any event within the timelines required by the GDPR.
Business continuity
Production workloads run across multiple availability zones. We maintain documented recovery objectives and test our backup and failover procedures.
Vendor and supply-chain security
We review subprocessors before engagement and on a recurring basis, and track software dependencies with automated vulnerability scanning. Dependencies are kept up to date and security-patched on a regular cadence.
Employee security
- All employees sign confidentiality agreements and complete security awareness training.
- Laptops are managed, encrypted and require screen lock.
- Access to customer data is granted on a need-to-know basis and revoked on offboarding.
Compliance roadmap
FA Finance is GDPR-compliant by design. We are working towards formal SOC 2 Type II and ISO 27001 attestations. Contact security@fafinance.net for current status and security questionnaires.
Contact
Security reports and questions: security@fafinance.net
Privacy and data subject requests: privacy@fafinance.net