Security

Security at Fintra

Fintra is the AI Finance Operating System for SMBs, which means we hold some of the most sensitive data a business has: its books, payroll, and forecasts. Security is not a feature we bolt on - it is the operating constraint every system is designed around, from tenant-isolated Postgres schemas to append-only audit logs and AI actions that pass through explicit approval gates.

Defense in depth

No single control protects customer data on its own. Fintra layers independent safeguards so that a failure in any one layer is contained by the next, and every layer produces evidence that SentriAI, our continuous-compliance engine, tests against SOC 2 Trust Services Criteria.

  • Network edge: TLS 1.2+ enforced for all connections; plaintext HTTP is rejected, not redirected silently at the application tier.
  • Application: role-based access control with least-privilege defaults, server-side authorization on every request, and input validation at API boundaries.
  • Data: AES-256 encryption at rest, per-tenant row-level isolation in Postgres (Supabase), and append-only audit logs.
  • AI runtime: AgentFence gates every agent tool call through policy checks and a hash-chained trust ledger.

Infrastructure and tenant isolation

Fintra runs on managed cloud infrastructure with Postgres via Supabase as the system of record. Every customer is a first-class tenant: row-level security policies enforce isolation at the database layer, so a query can never cross tenant boundaries even if application code has a bug. Backups are encrypted, access to production is restricted to a small set of named engineers behind SSO and MFA, and all production access is itself logged to the same append-only audit trail customers see.

People and process

Most breaches start with people, not software. Fintra keeps the human attack surface small and monitored.

  • SSO and MFA required for all employee access to internal systems; no shared accounts.
  • Least-privilege access reviews on a recurring cadence, with automatic revocation when roles change.
  • Background-appropriate vetting and security training for employees with production access.
  • Vendor and subprocessor reviews before any third party touches customer data.

Incident response

We maintain a documented incident-response process with severity tiers, an on-call rotation, and defined communication SLAs. Confirmed incidents affecting customer data trigger customer notification without undue delay - and within 72 hours where GDPR applies. Post-incident reviews feed corrective actions back into SentriAI-tracked controls so the same failure mode is tested continuously afterward.

Frequently asked questions

Is Fintra SOC 2 certified?

Fintra’s security program is aligned to the SOC 2 Trust Services Criteria, and our controls are continuously monitored and tested by SentriAI, our own compliance engine. Reports and control documentation are available on request via security@fintrahub.com - we never publish fabricated audit dates or certificate numbers.

Where is my data stored?

Customer data is stored in managed Postgres (Supabase) hosted in the United States, encrypted at rest with AES-256 and isolated per tenant with row-level security. See the Data residency page for details on regions, backups, and transfers.

How do I report a security issue?

Email security@fintrahub.com. We acknowledge reports within 2 business days and follow a coordinated disclosure process with safe-harbor language for good-faith research - see our Vulnerability disclosure policy.

Can Fintra employees see my financial data?

Only a small set of named engineers can access production, behind SSO and MFA, and only for operational need. Every production access is recorded in the same append-only audit log that records customer activity, so access is provable, not just promised.

Questions about security overview?

Our security team answers due-diligence questions directly - documentation, DPAs, and evidence available on request.

Talk to our security team