FinCoreFlow

Trust & Security

Designed for the trust standards your finance team requires.

Every architectural decision — from how documents arrive, to how extracted data is stored, to how exports are signed — is structured to support the trust standards finance teams and regulators expect across European and GCC jurisdictions. This page is honest about where we are today and where we are going.

§ 01

Our security stance

We are direct about our stage: FinCoreFlow is an operational prototype, and we are not yet independently certified. What follows is verifiable — the compliance posture we inherit from our infrastructure today, the controls that ship in the product now, and the certification path we are committing to as commercial deployments scale.

SOC 2 Type II, ISO 27001 readiness, GDPR Article 32 alignment, and KSA PDPL scoping are all on the roadmap below — framed as commitments and targets, never as guarantees we have already met.

§ 02

Inherited posture, concrete and verifiable

We rely on a small set of certified infrastructure providers. The current list — with regions, certifications, and our tier-2 transparency flags — lives at /trust/subprocessors and changes only with notice. It’s the page DPOs bookmark for procurement reviews.

SubprocessorsOpen the canonical list →6 providers
§ 03

The certification roadmap

These are commitments and targets, not guarantees — funded into the plan and sequenced.

Q3 2026SOC 2 Type I readiness audit · first-party DPIA for KSA PDPL · appoint Acting DPOTarget
Q1 2027SOC 2 Type II observation period begins · ISO 27001 gap analysisTarget
Q3 2027SOC 2 Type II report issued (contingent on audit-firm engagement) · ISO 27001 Stage 1 — parallel track, late 2027Target
§ 04

Data residency & sovereignty

Customer data sits in the EU today — Vercel with EU residency and Neon’s EU region. Data minimisation is built into the intake pipeline: only the fields finance teams use are extracted and persisted, and document originals are stored separately from extracted records.

For Saudi Arabia: KSA PDPL (Personal Data Protection Law) compliance scoping is in progress and a DPIA is underway. Cross-border transfer governance is under design — Standard Contractual Clauses until scale justifies a regional, KSA-hosted deployment.

EULive
KSA / PDPLRoadmap
GCCFuture
§ 05

Responsible disclosure

If you believe you have found a security vulnerability, we want to hear from you. We operate a 90-day coordinated-disclosure window; a PGP key for encrypted reports is in preparation and will be published here.

responsible disclosure
To:      security@fincoreflow.com
Subject: [disclosure] <one-line summary>

Affected: <url / endpoint / component>
Severity: <your assessment>
Steps:    <minimal reproduction>
Impact:   <what an attacker could do>
§ 06

Contact the Data Protection Officer

We are a small company and honest about it: the founder wears the DPO hat today. Acting DPO: Hafiz Ahmad, founder. A dedicated DPO role is to be appointed alongside our Series A.

dpo@fincoreflow.com

Operated as a development environment today. Building toward commercial-grade.

Where claims are forward-looking, the path is on the roadmap above. Where they describe shipping behavior — encryption, audit trail, tenant isolation — they describe the prototype today.