askFinz
Security · v1 · 2026

Security as a default, not a brochure.

Below is the truthful list of what we have and what we're working on. We update this page when the answer changes — not when the cycle does.

In place

What we protect today

  • Your account is separate from everyone else's.
    Sensitive workspaces sit behind their own access controls. Access to one part of the platform cannot be used to reach another.
  • Credentials are kept secure and out of reach.
    Sensitive credentials are stored in a dedicated secure vault, never in plain files. Access is tightly restricted and reviewed regularly.
  • Your password is never stored in a recoverable form.
    We use a slow, modern method to protect your password. We cannot read it back, recover it, or hand it to anyone — not even ourselves.
  • Private workspaces are isolated by design.
    Workspaces that handle sensitive data (starting with Med) run on completely separate storage, away from the rest of the platform.
  • External messages are verified before we act on them.
    When a third-party service notifies askFinz about an event, we confirm the message is genuinely from them before doing anything.
  • Every page ships with built-in browser protections.
    All pages include privacy and anti-clickjacking protections by default. We tighten them gradually so nothing breaks quietly in production.

Underway

What's next

  • Independent security audit (SOC 2). Targeting completion in 2026.
  • Formal information security certification covering how we build and ship the platform.
  • Verified desktop installer — your device will confirm it comes from askFinz before it runs.
  • Stronger containment for any tasks askFinz runs on your behalf.

Status moves to “In place” only when the audit evidence exists.

What changed recently

Themes from the last two quarters.

Plain-English summaries of work that closed. The detailed register isn't public; if you're evaluating us under contract, we'll share the latest cut on request.

  • Q1 2026
    Private workspace separation.
    The health workspace now runs on completely separate storage. Access rights were tightened across the platform.
  • Q1 2026
    Shorter, stricter sign-in sessions.
    Sessions now expire sooner and are revoked immediately on logout. Logging in on a new device doesn't keep old sessions alive.
  • Q2 2026
    Tighter service boundaries.
    Every part of the platform now strictly controls what it communicates with — quietly, across all surfaces.
  • Q2 2026
    Verified billing notifications.
    Payment and billing events are now confirmed as genuine before askFinz acts on them. Fake or replayed events are rejected automatically.

Report a vulnerability

Email security@askfinz.com. We acknowledge within one working day. Coordinated disclosure preferred.
