Your Financial Data.
Our Highest Priority.

FinTel was built by a CFA and fractional CFO who handles sensitive financial data every day. Security isn't an afterthought -- it's foundational. This page documents exactly how we protect your data, who can access it, and how our AI handles it. No vague promises.

🔒 AES-256 Encryption at Rest 🛡️ TLS 1.3 in Transit 🔑 TOTP Multi-Factor Auth 🏛️ US Data Residency ⚙️ SOC 2 in Preparation
Section 1

How We Protect Your Data

All financial data in FinTel is encrypted in transit and at rest, logically isolated per tenant, and stored exclusively in the United States.

🔒 Encryption
  • All data encrypted in transit using TLS 1.3
  • All data encrypted at rest using AES-256
  • Database connections encrypted via SSL
  • File uploads encrypted before storage
  • Backup data encrypted with separate encryption keys
🏗️ Data Isolation
  • Every client's financial data is logically isolated at the database level
  • CFO users can only access their own clients
  • Portal users can only access their own company
  • No cross-tenant data access is possible -- queries are scoped by user and client ID at every layer
  • Demo data is completely isolated from production data
🇺🇸 Data Residency
  • All data stored in the United States
  • No data is transferred outside the US
  • Infrastructure hosted via Cloudflare (global CDN, US origin)
Section 2

Authentication & Access Control

Who can access what -- and how we verify it. Every endpoint enforces role and scope checks; there is no client-side-only authorization.

🔑 Authentication
  • Email + password authentication with bcrypt hashing (cost factor 12)
  • Multi-factor authentication (MFA) via authenticator app (TOTP)
  • MFA required for all admin users
  • MFA available (and strongly recommended) for all CFO and portal users
  • Session tokens with configurable expiration (default: 24 hours; data room: 30 minutes)
  • Automatic session timeout after inactivity
  • Account lockout after 5 failed login attempts (15-minute cooldown)
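The lockout rule above (5 failed attempts, 15-minute cooldown), sketched as an added example that is not FinTel's code. The class name, the in-memory `Map` store and the injected clock are assumptions; a multi-instance deployment would keep this state in a shared store.

```javascript
// Added example, not FinTel's code. Thresholds come from the page;
// the class, the Map store and the injected clock are assumptions.
const MAX_FAILURES = 5;              // "5 failed login attempts"
const COOLDOWN_MS = 15 * 60 * 1000;  // "15-minute cooldown"

class LoginLockout {
  constructor(now = () => Date.now()) {
    this.now = now;
    this.state = new Map(); // accountId -> { failures, lockedUntil }
  }

  // Check before verifying the password so a locked account never
  // reaches the bcrypt comparison.
  isLocked(accountId) {
    const s = this.state.get(accountId);
    if (!s || s.lockedUntil === 0) return false;
    if (this.now() >= s.lockedUntil) {
      this.state.delete(accountId); // cooldown elapsed: fresh count
      return false;
    }
    return true;
  }

  // Returns true when the account is locked after this failure.
  recordFailure(accountId) {
    // Attempts made during the cooldown do not extend it.
    if (this.isLocked(accountId)) return true;
    const s = this.state.get(accountId) || { failures: 0, lockedUntil: 0 };
    s.failures += 1;
    if (s.failures >= MAX_FAILURES) {
      s.lockedUntil = this.now() + COOLDOWN_MS;
    }
    this.state.set(accountId, s);
    return s.lockedUntil !== 0;
  }

  // A successful login resets the failure counter.
  recordSuccess(accountId) {
    this.state.delete(accountId);
  }
}
```

Keying the counter on the account identifier rather than the source IP keeps the limit effective when attempts arrive from many addresses.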
👤 Role-Based Access Control (RBAC)
  • Admin: Full platform access, user management, system configuration
  • CFO: Access to their clients only, full planning / reporting / transactions
  • Portal User: Access to their company only, read-only on most features, limited AI chat
  • Data Room User: Access to permitted folders/files only, per the invitation permissions
  • Every API endpoint enforces role and scope checks -- no client-side-only authorization
⚙️ API Security
  • All API endpoints require authentication
  • Rate limiting on all endpoints (configurable per route)
  • Input validation and sanitization on all user inputs
  • SQL injection prevention via parameterized queries (pg library)
  • XSS prevention via output encoding
  • CSRF protection on all state-changing endpoints
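One way the tenant scoping from Section 1 and the parameterized-query and role-check items above can be combined, shown as an added example that is not FinTel's code. The table and column names (`transactions`, `clients.cfo_user_id`), the role strings and the session shape are hypothetical.

```javascript
// Added example, not FinTel's code. Schema, role strings and session
// shape are hypothetical.
class ScopeError extends Error {}

// Builds a pg query config ({ text, values }) for one client's
// transactions. The tenant predicate comes from the server-side session,
// and every value is bound as a $n parameter, never concatenated.
function scopedTransactionsQuery(session, requestedClientId) {
  const clientId = Number(requestedClientId);
  if (!Number.isSafeInteger(clientId) || clientId <= 0) {
    throw new ScopeError('invalid client id');
  }
  switch (session.role) {
    case 'cfo':
      // Ownership is enforced inside the SQL: a client that belongs to
      // another CFO yields zero rows even when the id is valid.
      return {
        text: `SELECT t.id, t.posted_on, t.amount
                 FROM transactions t
                 JOIN clients c ON c.id = t.client_id
                WHERE t.client_id = $1 AND c.cfo_user_id = $2`,
        values: [clientId, session.userId],
      };
    case 'portal':
      // Portal users are pinned to their own company; a mismatched id
      // is rejected before any query is issued.
      if (clientId !== session.companyId) {
        throw new ScopeError('client outside portal scope');
      }
      return {
        text: `SELECT t.id, t.posted_on, t.amount
                 FROM transactions t
                WHERE t.client_id = $1`,
        values: [session.companyId],
      };
    default:
      // Unknown or missing role: deny by default.
      throw new ScopeError('role not permitted');
  }
}
```

The returned object can be passed directly to the pg library's `query()` method, which accepts a config with `text` and `values`.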
Section 3 -- Most Asked

How AI Handles Your Data

This is the #1 question prospects ask. Here is the full, unambiguous answer.

"Your data is never used to train AI models. This is contractually guaranteed by our AI provider's terms of service. The AI only sees data when you explicitly use an AI feature -- and only the data relevant to that specific request."

AI Data Handling -- The Technical Details

  • FinTel uses AI models via API -- not self-hosted training
  • Your financial data is sent to the AI only when you use AI features (chat, report generation, forecasting, document analysis)
  • Your data is NEVER used to train AI models -- contractually guaranteed
  • AI conversations and responses are stored in your FinTel database, not on the AI provider's servers
  • No AI provider has persistent access to your data -- each request is stateless
  • AI requests are scoped to the specific client context -- the AI cannot access other clients' data in a single request (except Portfolio Chat, which is explicitly CFO-only and designed for cross-client queries)

What we send to AI

  • Financial data relevant to the specific query (P&L line items, balance sheet, cash flow)
  • Document content when you ask about a document
  • Institutional memory summaries for context
  • Conversation history for the current chat session

What we NEVER send to AI

  • Passwords or authentication credentials
  • Full database exports
  • Data from other CFOs' clients
  • Raw personally identifiable information (SSNs, bank account numbers)
🤝 AI Provider Standards
  • We use enterprise-tier AI APIs with data processing agreements (DPAs) in place
  • Zero data retention on the AI provider side -- data is not logged or stored after the response is generated
  • We do not publicly name our specific AI provider for security reasons, but we can share details under NDA
📋 Audit & Transparency
  • All AI requests are logged with user ID, timestamp, client context, and token counts
  • CFOs can review what data was sent in any AI interaction via the audit log
  • AI features can be disabled per client or per user by the CFO administrator
Section 4

Built Secure From the Ground Up

Every layer of the FinTel stack -- network, application, database, and monitoring -- is hardened by design.

🌐 Network Security
  • All traffic routed through Cloudflare (DDoS protection, WAF, bot management)
  • Origin server not directly accessible from the public internet
  • Cloudflare Tunnel eliminates exposed ports -- no open inbound connections
  • HTTPS enforced on all connections (HSTS enabled)
  • DNS managed through Cloudflare with DNSSEC
🛡️ Application Security
  • Express.js backend with helmet.js security headers
  • Content Security Policy (CSP) enforced
  • Strict CORS policy -- only allowed origins can make API requests
  • Dependency scanning for known vulnerabilities (npm audit)
  • No secrets or credentials in code -- all sensitive values in environment variables
🗄️ Database Security
  • PostgreSQL 16 with SSL-encrypted connections
  • Database not accessible from the public internet
  • Strong password policy on all database accounts
  • Regular automated backups (daily) with encryption
  • Point-in-time recovery capability
  • Database user with minimal required privileges (principle of least privilege)
📊 Monitoring & Logging
  • All authentication events logged (login, logout, failed attempts, MFA events)
  • All data access logged (who accessed which client's data, when)
  • All admin actions logged (user creation, permission changes, configuration changes)
  • Anomaly detection on login patterns (unusual IP, time, geography)
  • Log retention: 90 days minimum
  • Logs stored separately from application data
Section 5

Our Compliance Journey

We are building to enterprise compliance standards from day one. Here is where we stand today.

SOC 2 Type I
⏳ In Preparation
Target completion: Q4 2026. Trust Services Criteria: Security, Confidentiality, Availability. We can share our current security documentation and controls under NDA.
CCPA
✅ Compliant
California Consumer Privacy Act. Users can request data export or deletion at any time. We do not sell, share, or monetize user data. No ads or third-party tracking in the product.
PCI DSS
✅ Stripe Handles This
FinTel does not hold, process, or transmit payment card data. Billing is handled by Stripe, which is PCI DSS Level 1 certified.
Accounting Platform Integration
✅ OAuth 2.0
We never see or store your accounting platform password. The integration uses OAuth 2.0 with encrypted token storage. API integrations use token-based authentication throughout.
📄 Privacy Policy
  • Privacy policy available at /privacy
  • We do not sell, share, or monetize user data
  • We do not display ads or allow third-party tracking in the product
  • Users can request data export or deletion at any time
Section 6

How We Operate

The processes behind the technology: incident response, business continuity, and change management.

🚨 Incident Response
  • Documented incident response plan with severity classification (P1–P4)
  • P1 (data breach/loss): response within 1 hour, customer notification within 24 hours
  • Post-incident review and root cause analysis for all P1/P2 incidents
  • Security contact: [email protected]
♻️ Business Continuity
  • Automated daily backups with off-site storage
  • Tested disaster recovery procedures
  • Target Recovery Time Objective (RTO): 4 hours
  • Target Recovery Point Objective (RPO): 24 hours (daily backups)
  • Cloudflare CDN provides global availability and failover
📝 Change Management
  • All code changes reviewed before deployment
  • Staging environment for testing before production
  • Database migrations tested in staging before production
  • Rollback procedures documented for all deployments
Section 7

Deal-Grade Security for Your Data Room

FinTel's transaction data room is built to the security standards that M&A advisors, investment bankers, and acquirers expect.

🖊️ Document Controls
  • Dynamic watermarking on all viewed documents (viewer's name, email, timestamp)
  • No data room content indexed by search engines
  • NDA acceptance required before first access
  • Q&A workflow with approval before responses are visible to external users
🔐 Granular Permissions
  • Permission levels: Full / Download / View Only / Restricted View / No Access
  • Configurable per user, per group, per folder, per document
  • Revocable access -- remove a user's access instantly
  • IP restriction capability (whitelist specific IP ranges)
📋 Audit & Access
  • MFA required for all external data room users
  • Session timeout: 30 minutes (configurable)
  • Full audit trail: who viewed what, when, how long, from which IP
Section 8

Report a Security Concern

If you discover a vulnerability or have a security question, contact us. We respond to all reports within 24 hours.

🚨 Security Vulnerabilities

✉️ Report to: [email protected]
⏱️ Response time: within 24 hours for all security reports

We take all reports seriously and will work with you to understand and resolve the issue promptly. Responsible disclosure is appreciated.

📄 Security Documentation & NDA

✉️ Contact: [email protected]
📋 Available under NDA: security policies, infrastructure documentation, SOC 2 readiness materials

For general security questions or to request our full security documentation package, contact Mike directly.

Section 9

Security FAQ

Answers to the questions your compliance team will ask.

We are actively preparing for SOC 2 Type I certification targeting Q4 2026. We can share our current security documentation and controls under NDA. Our infrastructure and practices are being built to SOC 2 standards from day one -- we are not retrofitting compliance after the fact.
No. AI only processes data when you explicitly use an AI feature (chat, report generation, forecasting). Each request sends only the relevant context for that specific query. Your data is never used to train AI models, and the AI provider does not retain your data after generating a response. See Section 3 for full details.
All data is stored in the United States. Our database and file storage are US-based. Traffic is routed through Cloudflare's global network but the origin server and all data storage are in the US. No data is transferred outside the US.
Absolutely not. Every database query is scoped to your user account and your clients. There is no mechanism for one CFO to access another CFO's data. The database enforces tenant isolation at every layer -- it is not just an application-level check.
You can export all your data at any time. Upon cancellation, your data is retained for 30 days (in case you change your mind), then permanently deleted. You can request immediate deletion at any time by contacting us.
FinTel is not designed for HIPAA-protected health information. However, if your use case involves health-related financial data, contact us at [email protected] to discuss appropriate safeguards.
Yes. We can share our security policies, infrastructure documentation, and SOC 2 readiness materials under NDA. Email [email protected] and we will set it up.