Security

How we protect your financial data across the FinArctic platform.

Our approach

FinArctic handles sensitive financial data — tax documents, transaction records, and accounting information. Security is not an afterthought; it is a foundational requirement built into every layer of our platform. We apply the same rigor to protecting your data that we apply to processing it.

Infrastructure security

  • Encryption in transit: All data transmitted between your browser and our servers is encrypted using TLS 1.2 or higher.
  • Encryption at rest: Financial data and documents are encrypted at rest using AES-256 encryption.
  • Edge deployment: Our application is deployed on Cloudflare's global edge network, providing DDoS protection, WAF rules, and SSL termination.
  • Isolated environments: Production, staging, and development environments are strictly isolated. No production data is used in non-production environments.

Authentication and access

  • Identity provider: Authentication is handled through Microsoft Entra ID (Azure AD), providing enterprise-grade identity management with OIDC/JWT tokens.
  • Role-based access: Users, accountants, and administrators have distinct permission levels. Access is granted on a least-privilege basis.
  • Session management: Sessions are time-limited and securely managed. Inactive sessions are automatically terminated.

Application security

  • Input validation: All user input is validated and sanitized at the API boundary using schema validation (Zod).
  • API security: API endpoints enforce authentication and authorization. Rate limiting prevents abuse.
  • Dependency management: Dependencies are regularly audited for known vulnerabilities and kept up to date.
  • Code review: All code changes go through review before deployment.

AI security

  • Data isolation: Your financial data is processed in isolation. It is never used to train general-purpose models or shared across accounts.
  • Audit trails: Every AI classification, extraction, and decision is logged with full context for auditability.
  • Human oversight: AI outputs are designed to be reviewed. Confidence scores and explanations are provided so professionals can verify results.

Data protection

  • Backup and recovery: Data is backed up regularly with tested recovery procedures.
  • Data portability: You can export your data at any time in standard formats. Your data is never locked in.
  • Deletion: When you delete your account, your data is permanently removed from our systems within 30 days, subject to legal retention requirements.

Incident response

We maintain an incident response process for security events. In the event of a data breach that affects your information, we will notify affected users and relevant authorities within the timeframes required by applicable law.

Responsible disclosure

If you discover a security vulnerability in any FinArctic product, we encourage you to report it responsibly. Contact us at [email protected]. We take all reports seriously and will respond promptly.

Compliance

FinArctic is designed to support compliance with applicable financial data regulations. Our audit trail capabilities, data export features, and access controls are built to meet the requirements of tax professionals and accounting firms operating under regulatory obligations.

Contact

For security-related questions or to report a concern, contact us at [email protected].