Trust & Security · Subprocessors
Subprocessors
FinCoreFlow runs on a small set of infrastructure providers, each chosen for compliance maturity. Their certifications are inherited at the infrastructure layer; ours are in progress. This page is the canonical list — bookmark it for procurement reviews.
Last updated: 2026-05-28
Database
Neon (PostgreSQL)
EU region
Application hosting
Vercel
Global edge · EU residency
Identity & email
Microsoft 365 (AWFi Group Oy)
EU / EEA residency
Document storage
Azure Blob Storage
EU region
OCR · tier-1
Azure Document Intelligence
EU region
LLM · tier-2
OpenAI GPT-4o
US-based · EU parity targeted
Tier-2 note. Low-confidence documents fall back to OpenAI GPT-4o, which is US-based today. We are evaluating Azure OpenAI Service for full EU-regional residency parity, targeted before our SOC 2 Type I audit — stated plainly rather than implied.
Web & API security
- TLS 1.3 everywhere, with HSTS
- HttpOnly, Secure, SameSite session cookies
- Signed inbound webhooks (HMAC); CSRF protection
- Rate limiting on authentication paths
- Multi-tenant isolation — every query scoped by tenant ID
- Append-only audit logging on mutation events
Payments. No card data is stored or transmitted by FinCoreFlow systems today. Future payment processing will route through PCI-DSS-certified processors (Stripe or equivalent), with our own PCI scope minimized to SAQ-A territory.