Security · v1 · 2026
Security as a default, not a brochure.
Below is the truthful list of what we have and what we're working on. We update this page when the answer changes — not when the cycle does.
In place
What we protect today
- Your account is separate from everyone else's. Sensitive workspaces sit behind their own access controls. Access to one part of the platform cannot be used to reach another.
- Credentials are kept secure and out of reach. Sensitive credentials are stored in a dedicated secure vault, never in plain files. Access is tightly restricted and reviewed regularly.
- Your password is never stored in a recoverable form. We use a slow, modern method to protect your password. We cannot read it back, recover it, or hand it to anyone — not even ourselves.
- Private workspaces are isolated by design. Workspaces that handle sensitive data (starting with Med) run on completely separate storage, away from the rest of the platform.
- External messages are verified before we act on them. When a third-party service notifies askFinz about an event, we confirm the message is genuinely from them before doing anything.
- Every page ships with built-in browser protections. All pages include privacy and anti-clickjacking protections by default. We tighten them gradually so nothing breaks quietly in production.
Underway
What's next
- Independent security audit (SOC 2). Targeting completion in 2026.
- Formal information security certification covering how we build and ship the platform.
- Verified desktop installer — your device will confirm it comes from askFinz before it runs.
- Stronger containment for any tasks askFinz runs on your behalf.
Status moves to “In place” only when the audit evidence exists.
What changed recently
Themes from the last two quarters.
Plain-English summaries of work that closed. The detailed register isn't public; if you're evaluating us under contract, we'll share the latest cut on request.
- Q1 2026 · Private workspace separation. The health workspace now runs on completely separate storage. Access rights were tightened across the platform.
- Q1 2026 · Shorter, stricter sign-in sessions. Sessions now expire sooner and are revoked immediately on logout. Logging in on a new device doesn't keep old sessions alive.
- Q2 2026 · Tighter service boundaries. Every part of the platform now strictly controls what it communicates with — quietly, across all surfaces.
- Q2 2026 · Verified billing notifications. Payment and billing events are now confirmed as genuine before askFinz acts on them. Fake or replayed events are rejected automatically.
Report a vulnerability
Email security@askfinz.com. We acknowledge within one working day. Coordinated disclosure preferred.