Encryption

Encryption & Key Management

Every byte of customer data is encrypted in transit with TLS 1.2+ and at rest with AES-256. Keys are managed by the cloud provider’s key-management service with automatic rotation, application secrets never live in code, and audit records add a second integrity layer: hash chaining that makes tampering detectable.

Encryption in transit

All connections to Fintra - browser to app, app to database, service to service, and calls to third-party APIs - require TLS 1.2 or higher with modern cipher suites. HSTS is enforced so browsers refuse downgraded connections, and internal service traffic is encrypted even inside the cloud network rather than trusting the perimeter.

Encryption at rest

Data at rest is encrypted with AES-256 across every storage tier.

  • Postgres (Supabase): database volumes encrypted with AES-256.
  • Backups: encrypted with independent keys before storage.
  • File attachments and exports: encrypted object storage.
  • Logs and audit trails: encrypted at rest and hash-chained for integrity (encryption keeps data confidential; chaining proves it hasn’t been altered).

Key management and rotation

Encryption keys are generated and stored in the cloud provider’s key-management service (KMS) - never in application code, environment files checked into repositories, or developer laptops. Keys rotate automatically on a scheduled cadence, with immediate rotation on any suspicion of exposure. Application secrets (API keys, database credentials) live in a managed secrets store with per-service scoping and access logging; SentriAI tests rotation and storage controls continuously.

Integrity, not just confidentiality

Encryption answers "who can read this?" - for financial records the equally important question is "has this been changed?". Fintra’s audit logs and AgentFence’s trust ledger are append-only and hash-chained: each entry embeds a hash of its predecessor, so removing or editing any historical record breaks the chain visibly. For an accounting platform, that means your audit trail is evidence, not just a log file.

Frequently asked questions

What TLS versions do you support?

TLS 1.2 is the minimum; TLS 1.3 is preferred and negotiated where clients support it. Legacy protocols (TLS 1.0/1.1, SSL) are disabled entirely.

Who holds the encryption keys?

Keys are held in the cloud provider’s KMS with strict IAM scoping - no Fintra engineer handles raw key material. Rotation is automatic on a scheduled cadence and immediate if exposure is ever suspected.

Are backups encrypted too?

Yes. Backups are encrypted with AES-256 using keys independent of the primary database keys, and remain within the primary storage region.

What does "hash-chained" mean for my audit logs?

Each audit entry includes a cryptographic hash of the previous entry, forming a chain. If anyone edits or deletes a historical record, every subsequent hash stops matching - so tampering is mathematically detectable, which is what makes the trail usable as audit evidence.

Questions about encryption?

Our security team answers due-diligence questions directly - documentation, DPAs, and evidence available on request.

Talk to our security team