FinCoreFlow

Trust & Security · Subprocessors

Subprocessors

FinCoreFlow runs on a small set of infrastructure providers, each chosen for compliance maturity. Their certifications are inherited at the infrastructure layer; ours are in progress. This page is the canonical list — bookmark it for procurement reviews.

Last updated: 2026-05-28

Database

Neon (PostgreSQL)

SOC 2 II (inherited)AES-256 at restTLS 1.3

EU region

Application hosting

Vercel

SOC 2 IIISO 27001GDPR DPA

Global edge · EU residency

Identity & email

Microsoft 365 (AWFi Group Oy)

ISO 27001SOC 2GDPR DPA

EU / EEA residency

Document storage

Azure Blob Storage

SOC 2ISO 27001GDPR DPA

EU region

OCR · tier-1

Azure Document Intelligence

SOC 2ISO 27001GDPR DPA

EU region

LLM · tier-2

OpenAI GPT-4o

SOC 2 IIAzure OpenAI EU parity — evaluating

US-based · EU parity targeted

Tier-2 note. Low-confidence documents fall back to OpenAI GPT-4o, which is US-based today. We are evaluating Azure OpenAI Service for full EU-regional residency parity, targeted before our SOC 2 Type I audit — stated plainly rather than implied.

Web & API security

  • TLS 1.3 everywhere, with HSTS
  • HttpOnly, Secure, SameSite session cookies
  • Signed inbound webhooks (HMAC); CSRF protection
  • Rate limiting on authentication paths
  • Multi-tenant isolation — every query scoped by tenant ID
  • Append-only audit logging on mutation events

Payments. No card data is stored or transmitted by FinCoreFlow systems today. Future payment processing will route through PCI-DSS-certified processors (Stripe or equivalent), with our own PCI scope minimized to SAQ-A territory.