Security Policy

    Hosting location of customer data

    By default, Customer Data and Content will be hosted in data centers located in the United States. You may request to have your Customer Data and Content stored outside the United States, and Fintool will use commercially reasonable efforts to do so where supported by our underlying cloud service provider(s) and where otherwise in compliance with applicable laws and regulations. Fintool’s vendors will be restricted to processing Customer Data and Content in the United States.

    Encryption

    Fintool encrypts Customer Data and Content at rest using AES 256-bit (or stronger) encryption, and protects Customer Data in transit over untrusted networks with Transport Layer Security (TLS) 1.2 or later. Fintool allows customers to bring their own encryption keys and will work with you to set that up for your Customer Data. Encryption keys are rotated regularly, critical keys are safeguarded in hardware security modules, and encryption keys are kept logically separate from the Customer Data they protect.

    System and network security

    Fintool personnel access our Cloud Environment with a unique user ID, consistent with the principle of least privilege. Access requires a secure connection, multi-factor authentication, and passwords meeting or exceeding reasonable length and complexity requirements. Fintool personnel will not access Customer Data except (i) to provide or support the Service or (ii) to comply with the law or a binding order of a governmental body. Personnel access the Cloud Environment from company-issued laptops that are protected by disk encryption, by endpoint detection and response (EDR) tooling that monitors and alerts on suspicious activity and malicious code, and by vulnerability management.

    Fintool protects its Cloud Environment using at least industry-standard security practices. The Cloud Environment uses industry-standard threat detection tools with daily signature updates to monitor and alert on suspicious activity and potential malware, viruses and other malicious computer code (collectively, 'Malicious Code'). Fintool has no obligation to monitor Customer Data or Input for Malicious Code.

    Fintool uses automated tools to scan publicly available vulnerability databases (e.g. the National Vulnerability Database (NVD) or similar) for vulnerabilities in software that Fintool uses. Vulnerabilities are scored according to an internal rating system, similar to CVSS, that takes into account the likelihood and the potential impact of exploitation. Vulnerabilities are addressed in a timely manner: those rated 'high' within a maximum of 30 days and those rated 'medium' within 90 days. Fintool periodically engages a third party to conduct web application security assessments of the Platform. Such assessments include tests for the relevant classes of vulnerability identified by the Open Web Application Security Project (OWASP), including cross-site request forgery (CSRF), cross-site scripting (XSS), SQL injection (SQLi), authentication and authorization flaws, and others.

    Administrative controls

    Fintool maintains security awareness and training programs for its personnel, delivered at the time of onboarding and at least annually thereafter. Fintool personnel are required to sign confidentiality agreements and to acknowledge their responsibility for reporting security incidents involving Customer Data. Fintool removes access on a timely basis for all separated personnel and additionally reviews the access privileges of its personnel to its Cloud Environment at least annually. Fintool reviews external threat intelligence, including US-CERT vulnerability announcements and other trusted sources of vulnerability reports. Vulnerabilities announced by US-CERT and rated critical or high are prioritized for remediation. Fintool ensures that any of its vendors that process Input or Customer Data maintain security measures consistent with Fintool's obligations under this Security Addendum.

    Physical data center controls

    Our Cloud Environment is maintained by one or more cloud service providers. We ensure that our cloud service providers' data centers have appropriate controls, as audited under their third-party audits and certifications. Each cloud service provider shall maintain an annual SOC 2 Type II audit and ISO 27001 certification, or industry-recognized equivalent frameworks. Such controls include: physical access to facilities is controlled at building ingress points; visitors are required to present ID and must be signed in; and physical access to servers is managed by access control devices. Additionally, physical access privileges are reviewed regularly, and facilities use monitoring and alarm response procedures and CCTV and have adequate fire detection and protection systems. Furthermore, facilities have adequate backup and redundancy systems and maintain appropriate climate control. Fintool does not maintain physical offices other than for limited corporate and executive purposes. Under no circumstances is Customer Data stored or hosted at such offices.

    Incident detection and response

    If Fintool becomes aware of a breach of security leading to the destruction, loss, alteration, or unauthorized disclosure of, or access to, Customer Data (a 'Security Incident'), Fintool shall notify You without undue delay, and in any case within 72 hours after becoming aware of it. You will be notified at the security notice email address indicated on your currently operative order form, or as otherwise determined appropriate by Fintool. In the event of a Security Incident, Fintool shall promptly take reasonable steps to contain, investigate, and mitigate it. Any logs determined to be relevant to a Security Incident shall be preserved for at least one year. Fintool shall provide You with timely information about the Security Incident, including its nature and consequences, the status of our investigation, and a contact point from which additional information may be obtained. Fintool shall also share information about the measures taken and/or proposed by Fintool to mitigate or contain the Security Incident once the investigation has concluded. Notwithstanding the foregoing, Customer acknowledges that because Fintool personnel may not have visibility into the content of Customer Data, Fintool may be unable to provide a detailed analysis of the type of Customer Data affected by a Security Incident. Communications in connection with a Security Incident shall not be construed as an acknowledgment by Fintool of any fault or liability with respect to the Security Incident.

    Customer rights and shared responsibility

    You warrant that You have the necessary rights in Your Customer Data and Input to use them with the Service and that Your use of the Service will comply with all applicable laws and regulations. The Service is provided on an as-is and as-available basis. Fintool makes no representations or warranties of any kind, express or implied, with respect to the Service, including warranties of merchantability, title, non-infringement, or fitness for a particular purpose, all of which are disclaimed. Fintool does not represent or warrant that use of the Service will be uninterrupted or error-free.

    LLM and OpenAI

    OpenAI encrypts all data at rest (AES-256) and in transit (TLS 1.2+), and uses strict access controls to limit who can access data. OpenAI does not sell user data or share it with third parties for marketing purposes. OpenAI holds a SOC 2 Type 2 attestation and supports customer compliance with regulations such as CCPA, GDPR and HIPAA. For eligible endpoints such as /v1/chat/completions, /v1/embeddings, and /v1/completions, data is deleted immediately after processing and is not stored. No Fintool user questions are used for training, fine-tuning or any other model improvement.