Security Policy

Security is a top priority at Finsight. This page describes the measures we take to protect your data from unauthorized access, disclosure, and loss.

Culture of Security

All Finsight employees undergo background checks prior to employment and are trained on security best practices during company onboarding and annually thereafter. We maintain security policies for ensuring the integrity, confidentiality, and availability of customer data and for protecting it against unauthorized or unlawful acquisition, access, use, disclosure, or destruction. Our security team is involved throughout our development and operations processes so that security is built into the product, the environment, and the culture.

Security is directed by Finsight’s Chief Technology Officer and Chief Operating Officer and maintained by Finsight’s Security Operations team.

Vulnerability Disclosure

If you have a security concern or wish to report a vulnerability in our product, please email us at security@finsight.com. All information is kept confidential and we will work with you to make sure we understand the issue and address it as quickly as possible.

Compliance and Certification

SOC 2 Certified

Finsight completes a SOC 2 Type II audit annually. The resulting SOC 2 Type II report provides assurance to our clients that our security controls are suitably designed and have operated effectively over the audit period, measured against the Trust Services Criteria set forth by the American Institute of Certified Public Accountants (AICPA). A copy of the report is available under NDA. Please reach out to security@finsight.com to request a copy.

Data Privacy Framework Certified

For personal information that we receive from the European Union, the United Kingdom and Switzerland, Finsight has certified its compliance with the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF), as set forth by the U.S. Department of Commerce, regarding the collection, use, and retention of such personal information. We have certified that we adhere to the DPF Principles of Notice; Choice; Accountability for Onward Transfer; Security; Data Integrity and Purpose Limitation; Access; and Recourse, Enforcement and Liability when processing that personal information in the U.S.

To learn more about the Data Privacy Framework (DPF) program, and to view our certification, please visit https://www.dataprivacyframework.gov/

GDPR Compliance

Finsight is committed to ongoing GDPR compliance. Finsight will execute a Data Processing Agreement (DPA) with clients, which governs how Finsight uses and protects Personal Data when acting as a Processor. For more information, please contact privacy@finsight.com.

MiFID II Compliance

Under MiFID II, the European Securities & Markets Authority (ESMA) requires firms to have systems in place to accurately track all interactions such that a “national competent authority” can readily access and reconstitute each stage of the transaction process (and identify any corrections or amendments). Corporates are largely exempt from MiFID II unless they actively engage in derivatives (outside of hedging) or other broad capital market activities within the EU.

We ensure MiFID II compliance by providing:

  • Instant, seamless and immutable record retention of all information shared with investors, including logins, documents shared or downloaded, and location of access
  • Free and unlimited access to historical data for an unlimited number of authorized internal and external stakeholders
  • Ability to self-generate analytical reports
  • Minimum 7-year data retention

Rule 433 Compliance

Since January of 2013, Finsight has worked with the Staff of the Division of Trading and Markets of the Securities and Exchange Commission (“SEC”) to ensure that our products and services adhere to Rule 433 of the Securities Offering Reform of 2005 with respect to the transmission of electronic road shows in connection with public and private offerings of securities.

In May of 2013, the SEC informed Deal Roadshow that a “no-action” letter would not be necessary in light of the clarifications provided by the 2005 Securities Offering Reform as well as the similarities of our products and services with other market participants for which no-action letters have already been issued. The SEC’s conclusion that the Deal Roadshow products and services are covered by the 2005 Securities Offering Reform and other no-action letters affirmatively resolves the issue of whether or not our electronic roadshow solution and related products and services complies with the provisions of Rule 433.

Asset Management

Finsight’s data and information system assets comprise customer and end-user assets as well as corporate assets. These asset types are managed under our security policies and procedures. Finsight authorized personnel who handle these assets are required to comply with the procedures and guidelines defined by Finsight security policies.

This Security Statement is aimed at providing you with more information about our security infrastructure and practices. Our privacy policy contains more information on how we handle data that we collect.

Background Checks

Finsight conducts background checks for all new hires via Checkr, including the following checks:

  • Identity verification
  • Sex offender registry check
  • Global watchlist check
  • National criminal records check
  • County criminal records check

Business Continuity and Disaster Recovery

Business Continuity

Finsight keeps real-time mirrored and encrypted backups of data in multiple regions on Amazon AWS. While never expected, in the case of production data loss (i.e., primary data stores lost), we will restore organizational data from these backups.

Data Security and Backups

All client data is written to multiple disks instantly in multiple geographically distinct data centers. We use a minimum of three different data centers to store all client data.

Disaster Recovery

In the event of a region-wide outage, Finsight will bring up a duplicate environment in a different Amazon AWS region. The Finsight operations team performs annual Disaster Recovery testing. Details and results of this testing can be provided to clients upon request.

High Availability

Every part of the Finsight service uses properly provisioned, redundant servers (e.g., multiple load balancers, web servers, replica databases) in the case of failure. As part of regular maintenance, servers are taken out of operation without impacting availability.

Data Flow

Data through System

All data is encrypted in transit and at rest with AES-256; TLS connections are negotiated with cipher suites that use SHA-2 family hashes and 4096-bit RSA keys. Finsight aggregates events along with contextual data related to the user’s environment, preceding events, and the release and deployment changeset. Event data is also enriched with artifacts such as source maps.

Data out of System

Once the event is processed, it can then be accessed via Finsight’s user interface and secure internal RPC APIs. The Finsight Security Team can combine error data from Finsight with data from other systems, manage workflows efficiently, and be alerted of errors through notification and chat tools, in addition to email and SMS.

Data Security and Privacy

Authentication and Authorization

We require that authorized users be provisioned with unique account IDs. Our password policy covers all applicable information systems, applications, and databases, and enforces complex passwords containing both alphabetic and numeric characters to protect against unauthorized use. Passwords are stored only as individually salted hashes.
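As an added illustration of the salted-and-hashed password storage described above (example code written for this page, not Finsight’s implementation; the key-derivation function and its cost, the 12-character minimum length, the stored-string format and the in-memory user store are all assumptions), the following gives every password its own random salt, stores only the derived hash, and verifies in constant time:

```python
import hashlib
import hmac
import os
import re

# Assumed parameters (not Finsight's configuration): PBKDF2-HMAC-SHA256 with
# 600,000 iterations (OWASP's 2023 guidance for this KDF), a 16-byte random
# salt per password, and a 12-character minimum length on top of the page's
# "alphabetic and numeric characters" rule.
KDF_ITERATIONS = 600_000
SALT_BYTES = 16
MIN_LENGTH = 12
STORE = {}  # username -> stored hash string; a stand-in for the user table


def password_meets_policy(password: str) -> bool:
    """Complexity rule from the page (letters and digits) plus a minimum length."""
    return (
        len(password) >= MIN_LENGTH
        and re.search(r"[A-Za-z]", password) is not None
        and re.search(r"[0-9]", password) is not None
    )


def hash_password(password: str) -> str:
    """Derive a salted hash and return 'pbkdf2_sha256$<iterations>$<salt>$<hash>'.

    A fresh salt per password means two users with the same password get
    different stored values, so a precomputed table cannot be reused across
    accounts and equal passwords are not visible as equal hashes.
    """
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, KDF_ITERATIONS)
    return f"pbkdf2_sha256${KDF_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and iteration count and compare
    in constant time, so a mismatch does not leak how many bytes matched."""
    try:
        algo, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False  # malformed record: never accept
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def register(username: str, password: str) -> bool:
    """Refuse passwords that fail policy; otherwise store only the salted hash."""
    if not password_meets_policy(password):
        return False
    STORE[username] = hash_password(password)
    return True


def login(username: str, password: str) -> bool:
    """Check a login attempt against the stored hash for the user."""
    stored = STORE.get(username)
    if stored is None:
        # Run the KDF anyway so an unknown user takes as long as a wrong password
        # and the response time does not reveal which usernames exist.
        hash_password(password)
        return False
    return verify_password(password, stored)


if __name__ == "__main__":
    print(register("alice", "correct-horse-42"))  # True
    print(login("alice", "correct-horse-42"))     # True
    print(login("alice", "wrong-password-1"))     # False
```

The iteration count is stored alongside the hash so it can be raised later without invalidating existing records: a login that verifies against an old count can be re-hashed with the new one on the spot.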

Finsight employees are granted a limited set of default permissions to access company resources, such as their email. Employees are granted access to certain additional resources based on their specific job function. Requests for additional access follow a formal process that involves a request and an approval from a data or system owner, manager, or other executive, as defined by our security guidelines. Approvals are managed by workflow tools that maintain audit records of changes.

Data Encryption

All data on Finsight servers is automatically encrypted at rest. The encryption keys are stored and managed by the AWS Key Management Service (KMS), a redundant, multi-availability-zone service, so an intruder who obtained one of the physical storage devices would still be unable to decrypt the Finsight data on it without access to those keys.

Encryption at rest also enables continuity measures like backup and infrastructure management without compromising data security and privacy.

Finsight sends data exclusively over HTTPS connections protected by TLS 1.2 or later as it transits to and from the application.

Email Security

The Finsight service sends email notifications and reports. Sender Policy Framework (SPF) lets receiving mail servers check that a message claiming to come from a Finsight domain was sent by a host we authorize, which limits sender-address spoofing and the spam it produces. We publish SPF records and a Domain-based Message Authentication, Reporting and Conformance (DMARC) record that returns aggregate reports to us, so that phishing attempts that spoof our domains can be detected. DMARC tells receivers to quarantine or reject spoofed mail only when its policy is set to do so; a monitoring-only policy reports such mail but does not block it.
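The checks a practitioner would run against those records, as an added example written for this page (not Finsight’s tooling or DNS; the domain, the TXT records and the thresholds are constructed, and a real audit would fetch the records with a resolver instead of the inline dictionary): it parses SPF and DMARC TXT records and flags the weak settings, the monitoring-only DMARC policy and the softfail SPF terminal, beside the hardened form.

```python
from dataclasses import dataclass

# Constructed sample DNS TXT records for a hypothetical domain; these are not
# Finsight's records. A real check would fetch them with a resolver.
SAMPLE_RECORDS = {
    "example.com": ["v=spf1 include:_spf.mailer.example.net ~all"],
    "_dmarc.example.com": ["v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com"],
}

# Mechanisms that cost a DNS lookup; RFC 7208 caps a record at 10 of them.
SPF_LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


@dataclass(frozen=True)
class Finding:
    severity: str  # "error" or "warn"
    message: str


def parse_tags(record: str) -> dict:
    """Parse a 'k=v; k=v' DMARC record into a lowercase-keyed dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def check_spf(records: list) -> list:
    """Evaluate the SPF TXT record(s) published at the domain apex."""
    spf = [r for r in records if r.lower().startswith("v=spf1")]
    if not spf:
        return [Finding("error", "no SPF record: receivers cannot tell authorized senders from forgers")]
    if len(spf) > 1:
        return [Finding("error", "multiple SPF records: RFC 7208 treats this as a permanent error")]
    terms = spf[0].split()[1:]
    findings = []
    terminal = terms[-1].lower() if terms else ""
    if terminal in ("+all", "all"):
        findings.append(Finding("error", "SPF ends with +all: every host on the internet may send as this domain"))
    elif terminal == "~all":
        findings.append(Finding("warn", "SPF ends with ~all (softfail); -all is the strict setting"))
    elif terminal != "-all":
        findings.append(Finding("warn", "SPF has no terminal -all; unlisted senders are treated as neutral"))
    # Strip the qualifier (+ - ~ ?) and the argument to get the mechanism name.
    lookups = sum(
        1 for t in terms
        if t.lstrip("+-~?").split(":")[0].split("=")[0].lower() in SPF_LOOKUP_MECHANISMS
    )
    if lookups > 10:
        findings.append(Finding("error", f"SPF needs {lookups} DNS lookups; more than 10 yields permerror"))
    return findings


def check_dmarc(records: list) -> list:
    """Evaluate the DMARC TXT record published at _dmarc.<domain>."""
    dmarc = [r for r in records if r.lower().startswith("v=dmarc1")]
    if not dmarc:
        return [Finding("error", "no DMARC record: SPF/DKIM failures carry no policy for receivers")]
    tags = parse_tags(dmarc[0])
    findings = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append(Finding("warn", "DMARC p=none is monitoring only: spoofed mail is reported, not blocked"))
    elif policy == "quarantine":
        findings.append(Finding("warn", "DMARC p=quarantine sends spoofed mail to spam rather than rejecting it"))
    elif policy != "reject":
        findings.append(Finding("error", f"DMARC policy missing or invalid: p={policy!r}"))
    if "rua" not in tags:
        findings.append(Finding("warn", "DMARC has no rua= address: no aggregate reports will be received"))
    pct = int(tags.get("pct", "100"))
    if pct < 100:
        findings.append(Finding("warn", f"DMARC pct={pct}: policy applies to only part of the mail stream"))
    return findings


def audit_domain(domain: str, txt: dict) -> list:
    """Audit SPF on the domain and DMARC on its _dmarc subdomain."""
    return check_spf(txt.get(domain, [])) + check_dmarc(txt.get(f"_dmarc.{domain}", []))


if __name__ == "__main__":
    for f in audit_domain("example.com", SAMPLE_RECORDS):
        print(f"[{f.severity}] {f.message}")
```

Changing the sample records to `-all` and `p=reject` makes the audit return no findings; that is the configuration under which receivers actually discard mail that fails SPF/DKIM alignment rather than merely reporting it.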

Role Based Access

Role based access controls are implemented for access to information systems. Processes and procedures are in place to address employees who are voluntarily or involuntarily terminated. Access controls to sensitive data in our databases, systems, and environments are set on a need-to-know / least privilege necessary basis. Access control lists define the behavior of any user within our information systems, and security policies limit them to authorized behaviors. All root or “super admin” accounts have been disabled.

Insurance

Finsight has established a comprehensive insurance program that works in conjunction with our security program. This program has been designed to provide coverage for a wide variety of business, technology and security issues and Finsight only works with highly reputable and highly rated insurance carriers.

Infrastructure and Network Security

Application Level Security

  • Upon request, we integrate with industry-standard SAML 2.0 identity providers so that users can sign in to their accounts through single sign-on.
  • Finsight routinely scans its applications for vulnerabilities and security issues and promptly remediates any issues found.
  • All data transmitted is encrypted with AES-256 over TLS 1.2 or later, using cipher suites with SHA-2 family hashes and 4096-bit RSA keys where applicable.
  • We manage to OWASP and CERT vulnerability standards.
  • We use a third party to conduct internal and external penetration testing annually to validate our application, perimeter, and internal defensive posture.
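The TLS 1.2+ requirement stated in this list and under Data Encryption above is a configuration that can be enforced and audited in code. The following is an added example written for this page, not Finsight’s code: it builds a client context with the stated posture, builds a deliberately weak one for contrast, and runs an audit over both. The cipher string, the choice of Python’s `ssl` module and the audit thresholds are assumptions; the RSA key size from the text is a server-certificate property and is not visible in a client context.

```python
import ssl


def hardened_client_context() -> ssl.SSLContext:
    """Client context matching the page's stated posture: TLS 1.2 or later,
    certificate and hostname verification on, AEAD-only cipher suites with
    forward secrecy. The cipher string is an assumption for this example."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED + check_hostname by default
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # TLS 1.2 suites: ephemeral ECDH key exchange with AES-GCM or ChaCha20-Poly1305.
    # TLS 1.3 suites are configured separately by OpenSSL and remain enabled.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20")
    ctx.options |= ssl.OP_NO_COMPRESSION  # CRIME-style attacks need TLS compression
    return ctx


def legacy_client_context() -> ssl.SSLContext:
    """The kind of context the audit below should reject: any protocol version
    the library still supports and no peer verification at all."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    ctx.check_hostname = False  # must be cleared before verify_mode is relaxed
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list:
    """Return human-readable problems; an empty list means the context meets
    the TLS 1.2+ / verified-peer / AEAD-only / forward-secrecy bar."""
    problems = []
    if ctx.minimum_version in (
        ssl.TLSVersion.MINIMUM_SUPPORTED,
        ssl.TLSVersion.SSLv3,
        ssl.TLSVersion.TLSv1,
        ssl.TLSVersion.TLSv1_1,
    ):
        problems.append(f"minimum protocol version is {ctx.minimum_version.name}, below TLS 1.2")
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        problems.append("peer certificate verification is not required")
    if not ctx.check_hostname:
        problems.append("hostname is not checked against the certificate")
    # get_ciphers() reports each enabled suite with its key exchange and AEAD flag.
    for cipher in ctx.get_ciphers():
        if not cipher["aead"]:
            problems.append(f"non-AEAD cipher suite enabled: {cipher['name']}")
        if cipher["kea"] == "kx-rsa":
            problems.append(f"no forward secrecy (RSA key exchange): {cipher['name']}")
    return problems


if __name__ == "__main__":
    print("hardened:", audit_context(hardened_client_context()) or "ok")
    print("legacy:", audit_context(legacy_client_context()))
```

The same audit applies to a server context: a server that still negotiates TLS 1.0/1.1 or CBC suites would show up in the first and last checks, which is what an external scan of the perimeter would report.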

Data Center Security

  • We leverage Amazon Web Services (AWS) to provide infrastructure and hosting services.
  • AWS data centers meet or exceed industry standards for physical security, including guards, 24/7 surveillance, and biometrics. All data is hosted within these data centers. More details can be found here: https://aws.amazon.com/compliance/data-center/controls/
  • Amazon AWS undergoes various third-party independent audits on a regular basis and can provide verification of its compliance controls for its data centers, infrastructure, and operations. These include, but are not limited to, SOC 1 and SOC 2 reports issued under SSAE 18 (the successor to SSAE 16) and ISO 27001 certification.
  • By using AWS, Finsight is able to take advantage of their sophisticated security environment, logging, identity and intrusion protection systems and focus on our software and your data.
  • Finsight utilizes an exercised Business Continuity and Disaster Recovery Plan to ensure your data and business continue in the event of a natural disaster.

Intrusion Detection and Prevention

Unusual network patterns or suspicious behavior are among Finsight’s biggest concerns for infrastructure hosting and management. Amazon AWS’ intrusion detection and prevention systems (IDS/IPS) rely on both signature-based security and algorithm-based security to identify traffic patterns that are similar to known attack methods.

IDS/IPS involves tightly controlling the size and make-up of the attack surface, employing intelligent detection controls at data entry points, and developing and deploying technologies that automatically remedy dangerous situations, as well as preventing known threats from accessing the system in the first place.

Finsight does not provide direct access to security event forensics but does provide access to the engineering and customer support teams during and after any unscheduled downtime.

Logical Access Control

Finsight is the assigned administrator of its infrastructure on Amazon AWS, and only designated authorized Finsight operations team members have access to configure the infrastructure on an as-needed basis behind a two-factor authenticated virtual private network. Specific private keys are required for individual servers, and keys are stored in a secure and encrypted location.

Penetration Testing

Finsight undergoes black box penetration testing, conducted by an independent, third-party agency, on an annual basis. For black box testing, Finsight provides the agency with an isolated clone of Finsight applications and a high-level diagram of application architecture.

Information about any security vulnerabilities successfully exploited through penetration testing is used to set mitigation and remediation priorities. Finsight will provide a summary of penetration test findings to clients upon request.

Physical Security

Finsight employees do not have physical access to Amazon AWS data centers, servers, network equipment, or storage. Physical access is strictly controlled both at the perimeter and at building ingress points by professional security staff utilizing video surveillance, state-of-the-art intrusion detection systems, biometric locks, and other electronic means. Only authorized personnel have access to the data centers.

Network Security

Our infrastructure servers reside behind high-availability firewalls and are monitored for the detection and prevention of network security threats. Firewalls restrict access to systems from external networks and between systems internally. By default, all access is denied; only explicitly allowed ports and protocols are permitted, based on business need.

Finsight maintains separate development and production environments. Our next generation firewalls (NGFWs) provide network segmentation by establishing security zones that control the flow of network traffic. These flows are defined by strict firewall security policies.

Automated tools are deployed within the network to support near-real-time analysis of events to support detection of system-level attacks.

Operational Security

Auditing and Logging

We maintain audit logs on our systems that record which personnel accessed which systems. Access to the auditing and logging tools is limited to authorized individuals. Security events are logged, monitored, and addressed by trained security team members. Network components, workstations, applications, and monitoring tools are configured to record user activity. Organizational responsibilities for responding to events are defined. Critical system configuration changes generate security events, and administrators are alerted at the time of the change. Retention schedules for the various logs are defined in our security control guidelines.

Change Management

Finsight maintains a change management process to ensure that all changes made to the production environment are applied in a deliberate manner. Changes to information systems, network devices, and other system components, and physical and environment changes are monitored and controlled through a formal change control process. Changes are reviewed, approved, tested and monitored post-implementation to ensure that the expected changes are operating as intended.

Contingency Planning

The Finsight operations team includes service continuity and threat remediation among its top priorities. We keep a contingency plan in case of unforeseen events, including risk management, disaster recovery, and customer communication sub-plans that are tested and updated on an ongoing basis and thoroughly reviewed for gaps and changes at least annually.

Continuous Monitoring

We utilize both internal and external services to perform continuous scanning and monitoring of our network and application. We also conduct regular vulnerability scans, risk assessments and penetration tests.

Malware Protection

At Finsight, we believe that good security practices start with our own team, so we go out of our way to protect against internal threats and local vulnerabilities. All company-provided workstations with access to client data enforce full-disk encryption, active anti-virus protection, and automatic updates for both the operating system and malware signature definitions.

Perimeter Security

As well as using the firewall controls available from our cloud providers, we also run custom host-based firewalls on every server to block unauthorized access. Additionally, we continuously port-scan our infrastructure so that any misconfiguration is detected immediately.
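Two of the checks implied by this section and by the default-deny rule under Network Security, written as an added example for this page (not Finsight’s tooling): an audit of ingress rules that reports anything exposing more than the allowlisted public ports to the whole internet, and a comparison of a port-scan result against the intended exposure per host. The rule format, the sample rules, the hostnames and the scan results are constructed; the rule shape mirrors a cloud security-group entry, where protocol "-1" means all protocols and ports.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    """One ingress rule: protocol, inclusive port range, source CIDR."""
    proto: str
    from_port: int
    to_port: int
    source: str


# Constructed ingress rule set for a hypothetical web tier; not Finsight's configuration.
SAMPLE_RULES = [
    Rule("tcp", 443, 443, "0.0.0.0/0"),     # public HTTPS: expected
    Rule("tcp", 22, 22, "0.0.0.0/0"),       # SSH to the world: misconfiguration
    Rule("tcp", 5432, 5432, "10.0.0.0/8"),  # database from the private network: fine
    Rule("-1", 0, 0, "::/0"),               # everything from any IPv6 source: misconfiguration
]

ADMIN_PORTS = {22: "ssh", 3389: "rdp", 3306: "mysql", 5432: "postgres", 6379: "redis", 27017: "mongodb"}


def is_any_source(cidr: str) -> bool:
    """True for 0.0.0.0/0 and ::/0, i.e. the whole internet."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def audit_ingress(rules, public_allowlist=frozenset({443})) -> list:
    """Default-deny check: report any rule that opens all ports, or that exposes
    anything beyond the allowlisted public ports to any source."""
    problems = []
    for r in rules:
        world = is_any_source(r.source)
        if r.proto == "-1" or (r.from_port, r.to_port) == (0, 65535):
            scope = "the internet" if world else r.source
            problems.append(f"all ports/protocols allowed from {scope}")
            continue
        if not world:
            continue  # a scoped internal source is the explicit allow the text describes
        exposed = set(range(r.from_port, r.to_port + 1)) - public_allowlist
        if exposed:
            named = sorted(p for p in exposed if p in ADMIN_PORTS)
            span = str(r.from_port) if r.from_port == r.to_port else f"{r.from_port}-{r.to_port}"
            detail = ", ".join(f"{p}/{ADMIN_PORTS[p]}" for p in named) or span
            problems.append(f"{r.proto} {detail} open to {r.source}")
    return problems


def unexpected_open_ports(observed: dict, expected: dict) -> dict:
    """Compare a port-scan result (host -> open ports) with the intended exposure;
    anything listening that was not expected is a misconfiguration to chase."""
    return {
        host: sorted(ports - expected.get(host, set()))
        for host, ports in observed.items()
        if ports - expected.get(host, set())
    }


if __name__ == "__main__":
    for p in audit_ingress(SAMPLE_RULES):
        print("RULE:", p)
    # Constructed scan result: web-1 also answers on 22, which was not intended.
    print(unexpected_open_ports({"web-1": {443, 22}, "web-2": {443}}, {"web-1": {443}, "web-2": {443}}))
```

Feeding the audit a rule set with only 443 open to the world and 22 restricted to the private range returns no problems, which is the default-deny posture the text describes; the scan comparison is what turns "continuous port scanning" into an actionable diff rather than a list of open ports.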

Risk Management

Finsight maintains a robust risk management program that is reviewed for gaps and changes at least annually.

Software Development Lifecycle

We follow a defined methodology for developing secure software that is designed to increase the resiliency and trustworthiness of our products. Our products are deployed on an iterative, rapid release development lifecycle. Security and security testing are implemented throughout the entire software development methodology. Quality Assurance is involved at each phase of the lifecycle and security best practices are a mandated aspect of all development activities.

Our secure development lifecycle follows standard security practices including vulnerability testing, regression testing, penetration testing, and product security assessments. The Finsight architecture teams review our development methodology regularly to incorporate evolving security awareness, industry practices and to measure its effectiveness.

System and Software Security

The Finsight system infrastructure is updated regularly with the latest security patches. All of our servers run hardened, patched operating systems.

We employ an internal team of engineers to keep our software and its dependencies up to date, reducing our exposure to known vulnerabilities. This team carefully audits and tests all software components that affect the overall security of the system.

Security Policies

Finsight maintains an internal set of security policies, which are reviewed at least annually as part of our SOC 2 Type II audit. Our security policies cover a wide array of security-related topics, ranging from general standards with which every employee must comply, such as account, data, and physical security, to more specialized security standards covering application and network security and information systems.

  • Acceptable Use
  • Access Control
  • Encryption
  • Retention and Disposition
  • Incident Handling
  • Incident Response
  • Information Sensitivity
  • Security Awareness and Training
  • Patch Management and Systems Update
  • Risk Assessment
  • Server Security
  • Information Asset Management
  • Vendor Management
  • Data Breach Response
  • Business Continuity

Finsight maintains a written Information Security policy that defines employees’ responsibilities and the acceptable use of information system resources. The organization receives signed acknowledgement from users indicating that they have read, understand, and agree to abide by the rules of behavior before it grants them access to Finsight information systems. This policy is periodically reviewed and updated as necessary.

Additional Information

If you have any questions or would like additional information, please reach out to security@finsight.com.

Last Updated: January 20, 2024