How we protect your data

Our security posture, compliance commitments, and how to report a vulnerability. Enterprise customers may request security documentation.

What we've built

Verified implementation.

API Key Security

Hashed. Never stored.

CSRF Protection

Server-side validation. Industry-standard security flags.

Multi-Factor Authentication

Available on all accounts. Enterprise can enforce org-wide MFA with no opt-out.

Enterprise SSO

For Enterprise: SAML 2.0 single sign-on, plus SCIM provisioning for automated user lifecycle management.

Role-Based Access Control

Granular permission boundaries. Shared resources are preserved on offboarding; personal data is erased.

UK Data Residency

All company data, financial records, and credit scores are stored and processed within the UK and EU. No global data transfers for core intelligence.

Secure Transport & Headers

Enforced across all subdomains. Configured at the application layer.

Per-Key Rate Limiting & Quotas

Per-minute quotas with resets. Violations are logged to an immutable audit log.

Audit Logging

Logged violations, retained for review.

GDPR Article 17 — Right to Erasure

Self-service account deletion removes all personal data. Full data portability export available on Professional+ plans before deletion.

Infrastructure posture

Finsbury Suite is built on infrastructure that meets enterprise-grade compliance standards. Specific provider details are available to enterprise customers under NDA.

SOC 2 Type II

Our core infrastructure providers hold SOC 2 Type II certification, independently audited.

ISO 27001

Key infrastructure components are ISO 27001 certified for information security management.

UK & EU Data Residency

Data is stored and processed within UK and EU boundaries. No global transfers for core services.

Encryption at Rest & in Transit

All data is encrypted at rest and in transit. Secrets are managed through dedicated secrets management infrastructure.

Responsible Disclosure

Found a vulnerability? We commit to acknowledging reports within 72 hours and resolving confirmed issues within 30 days.

If you've found a security vulnerability, please report it privately. Please do not disclose vulnerabilities publicly until we've had the opportunity to address them.

security@finsburysuite.com