Trust & Security
Designed for the trust standards your finance team requires.
Every architectural decision — from how documents arrive, to how extracted data is stored, to how exports are signed — is structured to support the trust standards finance teams and regulators expect across European and GCC jurisdictions. This page is honest about where we are today and where we are going.
Our security stance
We are direct about our stage: FinCoreFlow is an operational prototype, and we are not yet independently certified. What follows is verifiable — the compliance posture we inherit from our infrastructure today, the controls that ship in the product now, and the certification path we are committing to as commercial deployments scale.
SOC 2 Type II, ISO 27001 readiness, GDPR Article 32 alignment, and KSA PDPL scoping are all on the roadmap below — framed as commitments and targets, never as guarantees we have already met.
Inherited posture, concrete and verifiable
We rely on a small set of certified infrastructure providers. The current list — with regions, certifications, and our tier-2 transparency flags — lives at /trust/subprocessors and changes only with notice. It’s the page DPOs bookmark for procurement reviews.
SubprocessorsOpen the canonical list →6 providersThe certification roadmap
These are commitments and targets, not guarantees — funded into the plan and sequenced.
Data residency & sovereignty
Customer data sits in the EU today — Vercel with EU residency and Neon’s EU region. Data minimisation is built into the intake pipeline: only the fields finance teams use are extracted and persisted, and document originals are stored separately from extracted records.
For Saudi Arabia: KSA PDPL (Personal Data Protection Law) compliance scoping is in progress and a DPIA is underway. Cross-border transfer governance is under design — Standard Contractual Clauses until scale justifies a regional, KSA-hosted deployment.
Responsible disclosure
If you believe you have found a security vulnerability, we want to hear from you. We operate a 90-day coordinated-disclosure window; a PGP key for encrypted reports is in preparation and will be published here.
To: security@fincoreflow.com
Subject: [disclosure] <one-line summary>
Affected: <url / endpoint / component>
Severity: <your assessment>
Steps: <minimal reproduction>
Impact: <what an attacker could do>Contact the Data Protection Officer
We are a small company and honest about it: the founder wears the DPO hat today. Acting DPO: Hafiz Ahmad, founder. A dedicated DPO role is to be appointed alongside our Series A.
dpo@fincoreflow.comOperated as a development environment today. Building toward commercial-grade.
Where claims are forward-looking, the path is on the roadmap above. Where they describe shipping behavior — encryption, audit trail, tenant isolation — they describe the prototype today.