Our Security Approach and Philosophy

At finory, we believe that protecting customer data is an integral part of who we are as an organisation. We maintain an Information Security Management System (ISMS) following internally recognised standards ISO 27001:2013 that protects the confidentiality, availability, and integrity of data.

Our ISMS leverages a host of policies, procedures and tools to prevent unauthorised access to customer data. We have developed information security policies, and updated them at a minimum on an annual basis, on categories such as access control, risk management, change management, incident response, and others.

Securing Our Personnel

Human Resource Security

Finory takes a thorough approach to ensure our organisation maintains strict standards as it pertains to hiring and staffing with the right people. As part of Finory’s approach to personnel security, employees are required to undergo background checks prior to employment. Additionally, employees are required to sign and comply with a code of conduct and the Acceptable Use Policy. Finory conducts formal evaluations for employee performance and consistent alignment with company objectives. Employees that do not comply with our policies are subject to sanction procedures and disciplinary actions.

Security Training Program

Finory maintains an auditable and comprehensive Security Training program to help ensure that employees are aware of and understand the security policies and procedures they are required to abide by. The training consists of information security rules and policies, personal accountability and responsibilities, practical steps such as password security, and how to handle security and privacy-related issues. This training reminds all attendees to abide by Finory’s code of conduct and ISMS compliance.

Keeping Data Secure

Server Hardening

Finory has a documented hardening process for all servers, and software that adheres to the Center for Internet Security (CIS) benchmark. All our systems, including cloud systems, are configured according to these standards. When deploying new servers, we harden the Operating Systems (OS) using steps such as:

Encryption

Finory uses encryption mechanisms to protect our customer’s data. Finory has implemented appropriate safeguards and protocols to protect the creation, storage, retrieval, and destruction of secrets such as encryption keys and service account credentials. Service accounts are regularly audited using Google Cloud Platform’s built-in security tools to ensure they don’t have unnecessary privileges. We use Google Secrets Manager to manage all production keys, and encryption keys. Data transmitted between customers and Finory’s service is protected using TLSv1.2 or higher while Data at rest is encrypted using AES 256-bit encryption within Finory’s systems.

  • Launching new machines in a protected network environment.

  • Restricting user accounts and privileges

  • Using a dedicated service account with the least privilege.

  • Updating packages to receive the latest patches.

  • Automatic Container Scanning for vulnerabilities.

Access Control

Finory is hosted on the Google Cloud Platform and uses the IAM (Identity and Access Management) functionality to manage the users who have access to Finory’s production environment. We ensure that access permissions and authorisations for all systems (including tools, applications, databases, operating systems, hardware, etc.) are managed to incorporate the principles of least privilege and separation of duties. These access privileges are reviewed at least quarterly. We enforce multi-factor authentication with a unique account and user ID with a company-wide password policy that enforces strong passwords. we have an effecting provisioning system applied that enables us to immediately remove user access following termination. All assets assigned to that employee are collected upon termination.

Keeping Our Network Secure

Endpoint Security

Finory does not store customer data on company workstations, laptops, or removable media. Customer data is stored only in the production environment. Company devices are proactively managed throughout the entire device lifecycle via a leading Cloud-based Device Management solution and ensure that all workstations are configured with antivirus and anti-malware, and they are updated daily. Finory employees are not allowed to use mobile devices to perform any Finory related work except customer support who does not have access to finory production systems.

Network Security

Customer data is logically segregated and encrypted at rest and in transit. We follow an industry-standard practice for cloud SaaS providers by using a multi-tenant database. Finory is hosted in Google Cloud Platform (GCP). Physical and environmental security for GCP’s data centres is described in the GCP Security Whitepaper [Google security overview | Documentation | Google Cloud ]. Finory’s production environment uses GCP best practices for network segmentation and for protecting our internet-facing services. Finory utilises security groups and firewalls for added network traffic security.

Other Securities Policies

Data retention and Disposal

Finory maintains explicit policies for data retention and deletion. Data is generally retained indefinitely until a user issues a request via our app to delete the account data. Finory maintains automatic backup for all our data at regular intervals to ensure customer data is not lost due to any technical error. Upon completion of permanent deletion, the data cannot be recovered.

All data are stored on AES 256-bit encrypted secured cloud storage with access permission only to our production server. Statements are removed automatically from our system once parsing is completed. In case, when parsing fails due to any system error, the attachment remains on the server for a maximum of 72 hours for automatic retry and deleted automatically. Finory maintains high availability through multiple availability zones, cross-region replication, and backups.

System Monitoring, Logging, and Alerting

Finory implements extensive monitoring, observability, and alerting in our production environment. We utilise several tools for logging and monitoring purposes, including a SIEM solution. Administrative and security activities in GCP are logged and these logs are stored permanently. Access to the log files is limited to the CTO only. Alerts are configured as part of monitoring any activity. Critical alerts are actioned immediately.

Access Control

Prior to engaging any third-party vendor, Finory evaluates their privacy, security, and confidentiality practices, and executes an agreement implementing its applicable obligations. Vendors are reviewed on a yearly basis. The review considers risk factors such as the sensitivity of data stored in the service, the criticality of Finory’s dependency on the service, and the reputation and history of the service. Finory has policies in place that ensure that all vendors with any access to customer data are at least ISO 27001 or SOC type 2 certified to ensure the security of our customer’s data.