Security Policy
Effective Date: April 23, 2026 | Last Updated: April 23, 2026
askFinz, an entity under Paul V | Holdings, is committed to protecting the security of our platform, infrastructure, and user data. This Security Policy outlines the measures we take to safeguard the Services and describes the security practices that underpin all aspects of the askFinz platform.
1. Infrastructure Security
1.1 Cloud & Hosting
- All askFinz services are hosted on enterprise-grade cloud infrastructure with SOC 2 Type II and ISO 27001 certifications.
- Production workloads are containerised and orchestrated with strict resource isolation between services.
- Infrastructure is deployed across multiple availability zones to ensure resilience and continuity.
- All public-facing endpoints are protected by a reverse-proxy layer with DDoS mitigation, rate limiting, and Web Application Firewall (WAF) rules.
1.2 Network Security
- Internal services communicate over an isolated private network and are not exposed directly to the public internet.
- All inter-service communication is authenticated and encrypted.
- Firewall rules follow the principle of least privilege — only necessary ports and protocols are permitted.
2. Data Encryption
- In transit: All data transmitted between clients and askFinz services is encrypted using TLS 1.2 or higher. TLS 1.0 and 1.1 are disabled.
- At rest: All stored data — including databases, object storage, and backups — is encrypted at rest using AES-256.
- Secrets management: Credentials, API keys, and certificates are managed via secrets management systems and are never hardcoded or logged.
3. Access Controls
- Access to production systems is restricted to authorised personnel only, based on the principle of least privilege.
- Multi-factor authentication (MFA) is required for all internal system access.
- Privileged access is logged, audited, and reviewed regularly.
- Employee access to user data is restricted to the minimum necessary for operational support and is subject to approval and audit logging.
- Access rights are reviewed and revoked promptly upon role change or departure.
4. Application Security
- Code changes go through mandatory peer code review before deployment to production.
- Automated static analysis (SAST) and dependency vulnerability scanning (SCA) are run on every build.
- Production deployments follow a staged rollout process (canary/blue-green) to minimise impact of defects.
- Input validation and output encoding are applied throughout the application stack to defend against injection attacks (SQL injection, XSS, CSRF, etc.).
- Security-critical dependencies are updated promptly when vulnerabilities are disclosed.
5. Vulnerability Management
- Automated vulnerability scans are conducted on infrastructure and application dependencies on a regular cadence.
- Penetration testing is conducted at least annually by independent third-party security firms.
- Identified vulnerabilities are triaged, prioritised, and remediated according to severity within the timelines defined in our Responsible Disclosure Policy.
- We operate a Responsible Disclosure Programme — see askfinz.ai/legal/responsible-disclosure.
6. Incident Response
askFinz maintains a documented Incident Response Plan that covers:
- Detection: Continuous monitoring, alerting, and anomaly detection across all systems.
- Containment: Procedures to isolate affected systems and prevent further damage.
- Eradication & Recovery: Steps to remove the root cause and restore normal operations.
- Communication: Protocols for notifying affected users and regulatory authorities within required timeframes (72 hours for Personal Data breaches under GDPR).
- Post-incident review: Root cause analysis and lessons-learned documentation for every significant incident.
7. Employee Security
- All employees with access to production systems or user data undergo security awareness training at onboarding and annually thereafter.
- Background checks are conducted for roles with access to sensitive systems or data, where permitted by law.
- Employees are required to comply with askFinz's security policies and acceptable use standards.
8. Third-Party & Supply Chain Security
- Third-party vendors with access to askFinz systems or data are assessed for security posture prior to onboarding.
- Vendor contracts include appropriate security, confidentiality, and data processing obligations.
- We monitor the security advisories of all major software dependencies and act promptly on disclosures.
9. Backups & Business Continuity
- Automated daily backups of all production data are retained for a minimum of 30 days.
- Backups are encrypted and stored in geographically separate locations.
- Recovery procedures are tested on a regular basis to ensure recoverability.
10. Browser Extension & Desktop Browser Security
- The askFinz Browser Extension undergoes security review before each release to the Chrome Web Store.
- Extension permissions are scoped to the minimum required for functionality.
- The askFinz Desktop Browser is built on Chromium and receives security patches aligned with upstream Chromium releases. Critical patches are issued within 72 hours.
- Communication between the extension/browser and askFinz backends is authenticated and encrypted.
11. Reporting a Security Concern
To report a security vulnerability, please follow our Responsible Disclosure Policy at askfinz.ai/legal/responsible-disclosure or email security@askfinz.ai directly.
12. Contact
- Security: security@askfinz.ai
- Legal: legal@askfinz.ai