Security

How we protect your data

Finsbury Suite is built for enterprise procurement teams, compliance officers, and security-conscious buyers. This page documents what we've built, what our infrastructure partners certify, and what we're pursuing next.

What we've built

Verified, specific claims — each one implemented in the codebase.

SHA-256 API Key Hashing

API keys are hashed on creation using SHA-256. Plaintext is shown once, then never stored. Even a database breach exposes no usable keys.

CSRF Protection

Single-use CSRF tokens issued per session, stored in HTTP-only cookies with SameSite=Strict. Validated server-side on every state-changing request.

MFA Enforced

TOTP-based multi-factor authentication available on all accounts. Enterprise plans can enforce org-wide MFA with no opt-out.

SAML 2.0 Enterprise SSO

SAML 2.0 single sign-on with Okta, Azure AD, Google Workspace, and OneLogin. SCIM provisioning for automated user lifecycle management.

Role-Based Access Control

Four roles — Admin, Manager, Member, Viewer — with granular permission boundaries. Shared resources are preserved on offboarding; personal data is not.

UK Data Residency

All company data, financial records, and credit scores are stored and processed within the UK and EU. No cross-Atlantic data transfers for core intelligence.

HSTS + Security Headers

HTTP Strict Transport Security enforced for 1 year across all subdomains. X-Frame-Options, X-Content-Type-Options, and Content Security Policy configured in middleware.

Per-Key Rate Limiting & Quotas

Every API key carries a per-minute token bucket and a daily quota reset at midnight UTC. Violations are logged to an immutable audit trail.
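The per-key token bucket with a midnight-UTC quota reset described above, as an added TypeScript example that is not Finsbury Suite's own code. The policy values, the in-memory state store and the injectable clock are assumptions for illustration, and the `audit` array stands in for the immutable trail.

```typescript
// Added example, not Finsbury Suite's code: a per-API-key token bucket plus a daily
// quota that resets at 00:00 UTC; violations become audit entries. Policy numbers
// and the in-memory store are assumptions for illustration.
interface KeyPolicy { perMinute: number; dailyQuota: number; }
interface KeyState {
  tokens: number;        // tokens left in the bucket
  lastRefillMs: number;  // when the bucket was last refilled
  usedToday: number;     // requests counted against today's quota
  quotaDay: string;      // UTC day ("YYYY-MM-DD") the counter belongs to
}
type Violation = "rate_limit" | "daily_quota";
interface AuditEntry { ts: string; keyId: string; endpoint: string; ip: string; reason: Violation; }
function utcDay(ms: number): string { return new Date(ms).toISOString().slice(0, 10); }

class ApiKeyLimiter {
  private policy: KeyPolicy;
  private now: () => number;
  private states = new Map<string, KeyState>();
  readonly audit: AuditEntry[] = []; // append-only; production would use write-once storage

  constructor(policy: KeyPolicy, now: () => number = Date.now) {
    this.policy = policy;
    this.now = now;
  }
  check(keyId: string, endpoint: string, ip: string): { allowed: boolean; reason?: Violation } {
    const nowMs = this.now();
    const today = utcDay(nowMs);
    let s = this.states.get(keyId);
    if (!s) {
      s = { tokens: this.policy.perMinute, lastRefillMs: nowMs, usedToday: 0, quotaDay: today };
      this.states.set(keyId, s);
    }
    if (s.quotaDay !== today) { s.usedToday = 0; s.quotaDay = today; } // midnight UTC reset
    // Token bucket: refill at perMinute tokens per 60 s, capped at the burst size.
    s.tokens = Math.min(this.policy.perMinute, s.tokens + ((nowMs - s.lastRefillMs) / 60000) * this.policy.perMinute);
    s.lastRefillMs = nowMs;
    // Quota is checked first so an exhausted key is reported as such even when its bucket has tokens.
    let reason: Violation | undefined;
    if (s.usedToday >= this.policy.dailyQuota) reason = "daily_quota";
    else if (s.tokens < 1) reason = "rate_limit";
    if (reason) {
      this.audit.push({ ts: new Date(nowMs).toISOString(), keyId, endpoint, ip, reason });
      return { allowed: false, reason };
    }
    s.tokens -= 1;
    s.usedToday += 1;
    return { allowed: true };
  }
}
```

A rejected request never consumes a token, so a client that keeps hammering an exhausted key does not push its own recovery further out.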

Violation Audit Logging

Failed auth attempts, CSRF violations, and rate limit breaches are logged with IP address, endpoint, and timestamp. Retained for security review.

GDPR Article 17 — Right to Erasure

Self-service account deletion removes all personal data. Full data portability export available on Professional+ plans before deletion.

Infrastructure we're built on

Our core infrastructure partners hold independently audited certifications. When you use Finsbury Suite, your data sits on infrastructure that has passed the same audits enterprise teams require.

Clerk: Identity, authentication & SSO

Handles all user authentication, MFA, session management, and SAML SSO. Clerk's infrastructure is independently audited to SOC 2 Type II and ISO 27001 standards.

Certifications: SOC 2 Type II, ISO 27001

Neon: PostgreSQL database infrastructure

Our primary relational database for company intelligence, financial records, and credit score history. Neon maintains SOC 2 Type II certification with encrypted storage at rest.

Certifications: SOC 2 Type II

Vercel: Application hosting & edge network

All application code is served from Vercel's edge infrastructure, which holds both SOC 2 Type II and ISO 27001 certifications. Secrets are managed in Vercel's encrypted environment vault.

Certifications: SOC 2 Type II, ISO 27001

Responsible Disclosure

If you've found a security vulnerability, please report it privately. We commit to acknowledging reports within 48 hours and resolving confirmed vulnerabilities within 30 days.

security@finsburysuite.com

Please do not disclose vulnerabilities publicly until we've had the opportunity to address them.