Compliance

Compliance & Certifications

Fintra treats compliance as a continuously verified state, not an annual scramble. SentriAI - the compliance engine inside the Fintra platform - is the same system we run on ourselves: it collects evidence from our infrastructure automatically, tests controls against SOC 2 Trust Services Criteria, ISO 27001 practices, and GDPR requirements, and keeps us audit-ready every day of the year.

Frameworks we align to

We describe our posture precisely: Fintra’s controls are aligned to recognized frameworks, with supporting documentation available on request. We do not publish certificate numbers or audit dates that do not exist.

  • SOC 2 Trust Services Criteria - security, availability, and confidentiality controls; report available on request.
  • ISO 27001 - our information security management practices follow Annex A control structure.
  • GDPR - lawful-basis mapping, data-subject rights handling, 72-hour breach notification readiness, and DPA availability.
  • CCPA/CPRA - consumer rights processes for applicable US customers.

Continuous compliance with SentriAI

Traditional compliance is a point-in-time snapshot; ours is a stream. SentriAI connects to our cloud, identity, and code-hosting systems, collects evidence on a schedule, and tests controls automatically - MFA enforcement, access reviews, encryption configuration, backup success, audit-log integrity. Failing controls page an owner the day they drift, not at the next audit. Customers get the same engine for their own SOC 2, ISO 27001, and GDPR programs.

Audit readiness and customer reviews

Security reviews shouldn’t stall your procurement. We maintain a standing evidence package for customer due diligence.

  • Security questionnaire responses (SIG/CAIQ-style) available on request.
  • Control documentation and policies shareable under NDA.
  • Data Processing Agreement (DPA) with SCCs available for customers subject to GDPR.
  • Current subprocessor list available on request, with change notification.

AI-specific compliance

Because Fintra ships AI agents that act on financial data, our compliance surface includes the AI runtime itself. AgentFence - Fintra’s Adaptive Trust Intelligence Platform - records every agent action in a hash-chained trust ledger, enforces human approval gates for consequential actions, and produces evidence that maps to emerging AI governance expectations (NIST AI RMF, EU AI Act readiness). Compliance is one dimension of the composite Enterprise Trust Score, sitting alongside identity, data, third-party, and financial trust, so readiness is always in the context of overall organizational trust. AI controls are tested by SentriAI like any other control - continuously.

Frequently asked questions

Can I get a copy of your SOC 2 report?

Documentation describing our alignment to SOC 2 Trust Services Criteria, plus control evidence generated by SentriAI, is available on request under NDA. Email security@fintrahub.com and we’ll share the current package.

Do you sign DPAs?

Yes. A Data Processing Agreement incorporating Standard Contractual Clauses is available for customers subject to GDPR or similar regimes. Request one at security@fintrahub.com.

How current is your compliance evidence?

SentriAI collects and tests evidence continuously - most controls are verified daily or on every infrastructure change, rather than sampled once a year. That means the evidence we share reflects our posture now, not twelve months ago.

Do you publish a subprocessor list?

We maintain a current subprocessor list (cloud hosting, database, email, and AI model providers) available on request, and we notify customers of material changes before new subprocessors process their data.

Questions about compliance?

Our security team answers due-diligence questions directly - documentation, DPAs, and evidence available on request.

Talk to our security team