Data Security
Last Updated: December 1, 2024
At Fincend, we take the security of your data extremely seriously. This page explains
the technical and organizational measures we implement to protect your information.
Bank-Level Encryption | GDPR Compliant | ISO 27001 | SOC 2 Type II
1. Data Encryption
1.1. Data at Rest
All your data stored on our servers is protected with industry-leading encryption standards:
- AES-256 Encryption: Military-grade encryption for all stored data
- Encrypted Databases: All database entries are encrypted at the field level
- Secure Key Management: Encryption keys are stored separately and rotated regularly
- Encrypted Backups: All backup data is also encrypted
1.2. Data in Transit
All data transmitted between your device and our servers is secured:
- TLS 1.3: Latest transport layer security protocol
- Perfect Forward Secrecy: Each session uses unique encryption keys
- Certificate Pinning: Protection against man-in-the-middle attacks
- Secure API Communication: All API calls are authenticated and encrypted
2. Authentication and Access Control
2.1. User Authentication
- Multi-Factor Authentication (MFA): Optional 2FA for enhanced security
- OAuth 2.0: Industry-standard authorization protocol
- Secure Password Storage: Passwords are hashed using bcrypt with salt
- Biometric Authentication: Support for Face ID and Touch ID
- Session Management: Automatic timeout and secure session tokens
2.2. Access Control
- Role-based access control (RBAC) for internal systems
- Principle of least privilege for all access
- Regular access reviews and audits
- Immediate revocation of access when employees leave
3. Infrastructure Security
3.1. Cloud Security
Our infrastructure is hosted on secure, certified cloud platforms:
- AWS/Supabase: Enterprise-grade cloud infrastructure
- ISO 27001 Certified: International security standard compliance
- SOC 2 Type II: Annual audits for security controls
- Data Centers: Geographically distributed with physical security
- DDoS Protection: Advanced protection against distributed attacks
3.2. Network Security
- Firewall protection on all network boundaries
- Intrusion detection and prevention systems (IDS/IPS)
- Network segmentation and isolation
- VPN access for administrative operations
4. Application Security
4.1. Secure Development
- Security by Design: Security considerations in every development phase
- Code Reviews: All code changes are reviewed for security issues
- Automated Security Scanning: Continuous vulnerability scanning
- Dependency Management: Regular updates for third-party libraries
- OWASP Top 10: Protection against common web vulnerabilities
4.2. Mobile App Security
- Code obfuscation to prevent reverse engineering
- Jailbreak/root detection
- Secure data storage using device keychain
- Regular security updates through app stores
5. Data Backup and Recovery
5.1. Backup Strategy
- Automated Backups: Daily encrypted backups of all data
- Geographic Redundancy: Backups stored in multiple locations
- Backup Testing: Regular restoration tests to ensure data integrity
- Retention Policy: 30-day backup retention period
5.2. Disaster Recovery
- Comprehensive disaster recovery plan
- Regular disaster recovery drills
- Recovery Time Objective (RTO): 4 hours
- Recovery Point Objective (RPO): 1 hour
6. Monitoring and Incident Response
6.1. Security Monitoring
- 24/7 Monitoring: Continuous security monitoring and alerting
- Log Management: Centralized logging and analysis
- Anomaly Detection: AI-powered threat detection
- Security Information and Event Management (SIEM)
6.2. Incident Response
We have a comprehensive incident response plan:
- Dedicated security incident response team
- Clear escalation procedures
- Incident classification and prioritization
- Post-incident analysis and improvement
- User notification within 72 hours if required by law
7. Compliance and Certifications
7.1. Regulatory Compliance
- GDPR: General Data Protection Regulation compliance
- KVKK: Turkish Personal Data Protection Law compliance
- PCI DSS: Payment Card Industry Data Security Standard (via payment processors)
- ISO 27001: Information Security Management System
7.2. Regular Audits
- Annual third-party security audits
- Quarterly internal security assessments
- Penetration testing twice per year
- Vulnerability assessments
8. Third-Party Security
8.1. Vendor Management
We carefully vet all third-party service providers:
- Supabase: SOC 2 Type II certified, ISO 27001 compliant
- RevenueCat: Secure subscription management with PCI compliance
- Google AdMob: Google's enterprise-grade security standards
- Anthropic Claude AI: Enterprise security and privacy controls
8.2. Data Processor Agreements
- GDPR-compliant data processing agreements with all vendors
- Regular security assessments of vendors
- Contractual security requirements
9. Employee Security
9.1. Security Training
- Mandatory security awareness training for all employees
- Regular phishing simulation exercises
- Specialized training for development and operations teams
- Annual security policy reviews
9.2. Background Checks
- Background verification for all employees with data access
- Non-disclosure agreements (NDAs)
- Clear desk and clear screen policies
10. User Security Best Practices
10.1. Recommendations for Users
To maximize the security of your account, we recommend:
- Use a strong, unique password for your Fincend account
- Enable two-factor authentication (2FA)
- Keep your mobile device updated with the latest security patches
- Use biometric authentication (Face ID/Touch ID) when available
- Never share your account credentials
- Log out from shared devices
- Report suspicious activity immediately
11. Data Breach Notification
In the unlikely event of a data breach:
- We will investigate immediately and contain the incident
- Affected users will be notified within 72 hours
- Regulatory authorities will be notified as required by law
- We will provide clear information about the incident and remediation steps
- Post-incident review will be conducted to prevent future occurrences
12. Data Retention and Deletion
12.1. Retention Policy
- Active account data is retained as long as your account is active
- Deleted data is retained for 30 days for recovery purposes
- After 30 days, deleted data is permanently and securely erased
- Some data may be retained longer for legal compliance
12.2. Secure Deletion
- Multi-pass overwrite methods for data deletion
- Cryptographic erasure of encryption keys
- Verification of data deletion
13. Responsible Disclosure
We welcome security researchers to report vulnerabilities responsibly:
- Email: mail@fincend.com
- We will acknowledge reports within 48 hours
- We provide regular updates on remediation progress
- Recognition for responsible disclosure
14. Contact
For security-related questions or concerns:
- Email: mail@fincend.com
- Website: www.fincend.com