Trust & Security
Designed for the trust standards your finance team requires.
FinCoreFlow is built with a security-by-design approach. Every architectural decision — from how documents arrive, to how extracted data is stored, to how exports are signed — is structured to support the trust standards finance teams and regulators expect across European and GCC jurisdictions. This page is honest about where we are today and where we are going.
Our security stance
We are direct about our stage: FinCoreFlow is an operational prototype, and we are not yet independently certified. What follows is structured to be verifiable — the compliance posture we inherit from our infrastructure today, the controls that ship in the product now, and the certification path we are committing to as commercial deployments scale.
The trajectory is real and dated: SOC 2 Type II and ISO 27001 readiness, GDPR Article 32 alignment, and KSA PDPL scoping are all on the roadmap below — framed as commitments and targets, never as guarantees we have already met.
Inherited posture, concrete and verifiable
FinCoreFlow runs on a small set of infrastructure providers, each chosen for compliance maturity. Their certifications are inherited at the infrastructure layer; ours are in progress. The stack below is current and verifiable.
A note on tier-2 extraction. Low-confidence documents fall back to OpenAI GPT-4o, which is hosted in the US today. We are evaluating Azure OpenAI Service to bring this path to the same EU-regional residency as the rest of the stack, with the transition targeted before our SOC 2 Type I audit. We would rather state the cross-border gap plainly than imply a residency we have not yet implemented.
Web & API security
- TLS 1.3 everywhere, with HSTS
- HttpOnly, Secure, SameSite session cookies
- Signed inbound webhooks (HMAC); CSRF protection
- Rate limiting on authentication paths
- Multi-tenant isolation — every query scoped by tenant ID
- Append-only audit logging on mutation events
Payments. No card data is stored or transmitted by FinCoreFlow systems today. Future payment processing will route through PCI-DSS-certified processors (Stripe or equivalent), with our own PCI scope minimized to SAQ-A territory.
The certification roadmap
These are commitments and targets, not guarantees. They show that the trajectory toward independent validation is funded and sequenced in the plan.
Target — Q3 2026
- SOC 2 Type I readiness audit
- First-party Data Protection Impact Assessment (DPIA) for KSA PDPL alignment
- Appoint Acting Data Protection Officer (founder)
Target — Q1 2027
- SOC 2 Type II observation period begins
- ISO 27001 gap analysis
Target — Q3 2027
- SOC 2 Type II report issued — contingent on audit-firm engagement
- ISO 27001 Stage 1 audit — parallel track, target late 2027
Data residency & sovereignty
Customer data sits in the EU today — Vercel with EU residency and Neon’s EU region. For European tenants, this supports GDPR data-residency expectations directly, with data minimisation built into the intake pipeline: only the fields finance teams use are extracted and persisted, and document originals are stored separately from extracted records.
For Saudi Arabia specifically: KSA PDPL (Personal Data Protection Law) compliance scoping is in progress, and a DPIA is underway. Cross-border transfer governance is under design — Standard Contractual Clauses (SCCs) until scale justifies a regional, KSA-hosted deployment. Where regional standards diverge, the platform is being designed to support either posture on a tenant-by-tenant basis.
Responsible disclosure
If you believe you have found a security vulnerability, we want to hear from you. Email security@fincoreflow.com. We operate a 90-day coordinated-disclosure window. A PGP key for encrypted reports is in preparation and will be published here.
Contact the Data Protection Officer
We are a small company and honest about it: the founder wears the DPO hat today. Acting DPO: Hafiz Ahmad, founder. A dedicated DPO role is to be appointed alongside our Series A. For any data-protection request, contact dpo@fincoreflow.com.
FinCoreFlow is operated as a development environment today. Where claims are forward-looking, the path to commercial readiness is part of the planned roadmap above. Where claims describe shipping behavior — encryption, audit trail, tenant isolation — they describe what is in the prototype today.