
Compliance Overview

Security posture and compliance readiness for enterprise review

This page provides an overview of our data protection practices, access controls, audit capabilities, and AI governance posture. It is designed to support enterprise security reviews and procurement evaluation.

Important: Certification Status

FinanceModel is currently working toward formal security certifications (SOC 2 Type II). We do not yet hold these certifications. The information below describes our current security controls and practices. For specific compliance requirements, please contact our team.

Data Protection

How we protect your data at rest and in transit

Encryption

Data at rest encryption

AES-256 encryption for stored data

Active

Data in transit encryption

TLS 1.3 for all network traffic

Active

Key management

Provider-managed encryption keys with rotation

Active

Data Isolation

Tenant isolation

Logical data separation per organization

Active

Row-level security (RLS)

Database-enforced access boundaries

Active

Environment separation

Production isolated from development

Active

Data Handling

Data residency

Data stored in secure cloud infrastructure

Active

Backup & recovery

Regular encrypted backups with retention

Active

Data portability

Full export capability at any time

Active

Access Control

How we manage authentication and authorization

Authentication

Secure user authentication with email/password and social providers

  • Session management with secure tokens
  • Password complexity requirements
  • Account lockout after failed attempts

Authorization

Role-based access control (RBAC) at organization and model level

  • Organization owner, admin, member roles
  • Model-level viewer, editor, owner permissions
  • Granular sharing controls

Session Security

Secure session handling with configurable timeout

  • Automatic session expiration
  • Secure cookie handling
  • Cross-site request forgery protection

Audit & Traceability

Logging, version history, and audit capabilities

Capability | Description | Evidence
User Activity Logging | Comprehensive logs of user actions within the platform | Audit trail accessible via UI
Model Change History | Complete version history of all model changes | Version snapshots with timestamps
Access Logging | Logs of who accessed what data and when | API and application logs
AI Interaction Logging | Record of Finny assistant interactions | Conversation history per model

Audit logs are accessible to organization administrators. For detailed audit requirements, please contact our team.

AI Governance

How we handle AI assistance responsibly

Guiding Principles

  • AI assists users but does not make autonomous decisions
  • Users maintain full control over model inputs and outputs
  • AI suggestions require human review before application
  • AI interactions are logged for audit purposes

Data Handling

  • Your data is NOT used to train AI models
  • AI context is limited to current model scope
  • No cross-organization data sharing via AI
  • Users can review AI-suggested changes before applying

Transparency

  • AI-assisted changes are clearly attributed
  • Users can disable AI features if desired
  • AI limitations are documented
  • Full AI disclosure available at /ai-disclosure

Compliance Alignment

Standards we are aligned with or working toward

Note: "Aligned" means our practices are designed to support these standards. It does not mean we are certified. "In Progress" means we are actively working toward formal certification.

SOC 2 Type II

In Progress

Working toward formal certification. Controls designed with SOC 2 Trust Service Criteria in mind.

ISO 27001

Future Consideration

Information security management practices aligned with ISO 27001 principles.

GDPR

Aligned

Data handling practices designed for GDPR compliance. Data portability and deletion supported.

CCPA

Aligned

California privacy requirements supported through data access and deletion capabilities.

Current Limitations & Out of Scope

To provide accurate expectations, here is what is currently out of scope or not yet available:

  • Enterprise SSO: Not yet available. On product roadmap.
  • SOC 2 Type II Certification: In progress, not yet achieved.
  • HIPAA Compliance: Not currently supported. Not designed for PHI.
  • FedRAMP: Not currently in scope.
  • Custom Data Residency: Not yet available. Data stored in standard cloud regions.

Documentation Updates

We maintain transparency about our compliance posture. Material changes to security controls or compliance status will be communicated through:

  • Updates to this page with revision dates
  • Email notification to organization administrators for significant changes
  • In-app announcements for security-relevant updates

Last updated: January 1, 2026

Security Questions?

Our team can provide additional documentation and answer specific security questions for your evaluation process.