Information Security Policy

How Finsi protects customer data, manages access, encrypts information in transit and at rest, and responds to security incidents: the security posture details procurement teams need in order to evaluate Finsi.

Last Updated: May 15, 2026
Company: Finsi (finsi.ai)
Service: AI Chief Marketing Officer for Shopify and DTC brands


1. Purpose and Scope

This Information Security Policy describes the controls Finsi maintains to protect customer data, the systems we operate, and the personnel and processes that support them. It applies to all Finsi employees, contractors, and infrastructure handling customer data.

We publish this policy so that customers, procurement teams, and security reviewers can evaluate our posture without a custom questionnaire. If something below is not detailed enough for your review, contact us at security@finsi.ai.


2. Data Classification

Finsi handles three categories of data on behalf of customers.

Customer business data. Order records, customer email addresses, ad spend, retention metrics, and similar operational data pulled from your connected platforms (Shopify, Klaviyo, ad platforms, support tools, subscription billing). Stored encrypted at rest.

Authentication tokens. OAuth refresh tokens and API keys we hold to access your connected platforms on your behalf. Stored encrypted at rest using AWS KMS-managed keys. Never transmitted to third parties outside the originating platform.

Account and billing data. Your Finsi account email, name, organization, billing address, and payment metadata. Card numbers are never stored by Finsi; payment processing is handled by Stripe under PCI DSS Level 1 compliance.

We do not store, request, or process personal data of your customers beyond what your connected platforms expose. Email addresses of your end-customers are processed for segmentation and campaign generation but are not used by Finsi for any other purpose.


3. Infrastructure and Hosting

Cloud provider. Finsi runs on Amazon Web Services (AWS) in the us-east-1 region. AWS maintains SOC 2 Type II, ISO 27001, and other independent attestations covering the underlying infrastructure.

Application hosting. Application code is deployed via AWS Amplify (frontend) and AWS App Runner / ECS (backend services). All servers run in isolated VPC subnets with security groups restricting inbound traffic to required ports only.

Databases. Customer data is stored in managed PostgreSQL databases (Neon and AWS RDS depending on the service). Databases are encrypted at rest using AES-256. Automated backups are retained for 7 days with point-in-time recovery enabled.

Secrets management. Application secrets (API keys, OAuth credentials, database passwords) are stored in AWS Systems Manager Parameter Store or AWS Secrets Manager, encrypted with AWS KMS. Secrets are injected into application runtime via IAM roles. They are never committed to source control.


4. Encryption

In transit. All connections to Finsi services use TLS 1.2 or higher. HTTPS is enforced via HSTS on www.finsi.ai. Internal service-to-service communication runs over private VPC networks with TLS.

At rest. All customer data, OAuth tokens, and backups are encrypted at rest using AES-256. Database storage uses AWS-managed encryption keys; sensitive fields (OAuth refresh tokens, third-party API keys) are encrypted at the application layer using a separate KMS key before being written to the database.

Key management. Encryption keys are managed by AWS KMS. Keys are rotated annually. Access to KMS keys requires IAM roles tied to specific application services. Engineering staff do not have direct access to encryption keys.


5. Access Controls

Authentication. All Finsi accounts authenticate via OAuth (Google, Microsoft) or email with strong-password requirements. Multi-factor authentication (MFA) is available for all customer accounts and required for staff.

Authorization. Role-based access controls (RBAC) restrict customer data access to the workspace the user belongs to. Staff access to production systems uses the principle of least privilege. Production database access is limited to a small set of senior engineers and is logged.

Audit logging. Access to customer data, authentication events, and configuration changes are logged. Logs are retained for 90 days minimum.

Session management. Sessions expire after 30 days of inactivity. Tokens issued by Finsi can be revoked at any time by the customer or by Finsi staff in response to a credential compromise.


6. Application Security

Secure development lifecycle. Code changes pass through pull request review before merging. Automated linting and type-checking run on every commit. Production deploys require a clean build and passing automated tests.

Dependency management. Application dependencies are scanned regularly for known vulnerabilities using GitHub Dependabot and npm audit. Critical-severity vulnerabilities are patched within 14 days of disclosure.

Static analysis. TypeScript enforces type safety across the application. ESLint enforces security-aware patterns, including escaping of user-controlled content in JSX.

Penetration testing. Finsi engages third-party security testers annually for application and infrastructure penetration testing. Findings are tracked to remediation. Customers under NDA may request a summary of the most recent test results.


7. Network Security

Web Application Firewall (WAF). Public-facing services sit behind AWS WAF rules blocking the OWASP Top 10 attack patterns (SQL injection, XSS, request flooding, common bot traffic).

DDoS protection. AWS Shield Standard is enabled on all public endpoints.

Network segmentation. Production, staging, and development environments run in separate AWS accounts with no cross-account access by default. Production databases are not accessible from the public internet; access requires connecting through a hardened bastion host or AWS SSM Session Manager.


8. Third-Party Integrations

Finsi connects to customer-owned third-party platforms via OAuth or API keys provided by the customer. The integrations we currently support include Shopify, Klaviyo, ActiveCampaign, Postscript, Meta Ads, Google Ads, TikTok Ads, Recharge, Appstle, Stay AI, Gorgias, Zendesk, and others through our Nango-managed integration layer.

OAuth-first. Where the source platform supports OAuth, we use OAuth and store only the refresh token. We never request or store the customer's username and password for third-party systems.

Least-privilege scopes. We request the narrowest OAuth scopes required for our features. If a customer disables a Finsi feature, the corresponding scope can be revoked from their platform admin console.

Sub-processor list. A current list of sub-processors (data infrastructure, observability, analytics) is available at finsi.ai/sub-processors or by request to security@finsi.ai.


9. Incident Response

Finsi maintains an incident response procedure covering detection, triage, containment, eradication, recovery, and post-incident review.

Notification. If a security incident affects customer data, we notify affected customers within 72 hours of confirmed impact. Notification includes a description of the incident, the data involved, our response steps, and recommended customer actions.

On-call coverage. Engineering on-call coverage is staffed 24/7 for production incidents. Security incidents follow a separate escalation path with senior engineering leadership.

Customer reporting. Suspected vulnerabilities can be reported to security@finsi.ai. We commit to acknowledging reports within 48 hours and providing remediation status within 14 days.


10. Business Continuity and Disaster Recovery

Backups. Databases are backed up automatically with 7-day point-in-time recovery. Backups are encrypted and stored in geographically separated AWS availability zones.

Recovery objectives. Target recovery time objective (RTO) for the production application is 4 hours. Target recovery point objective (RPO) is 1 hour. These targets are tested at least annually.

Resilience. Application services run across multiple AWS availability zones with automatic failover for stateless components. Stateful components (databases) use AWS-managed multi-AZ replication where available.


11. Personnel Security

Background checks. All Finsi employees pass a background check before being granted access to production systems.

Security training. New hires complete security awareness training during onboarding. All staff handling customer data complete refresher training annually covering phishing, social engineering, data handling, and incident reporting.

Device security. Staff laptops are managed with full-disk encryption, automatic screen locking, and required password complexity. Production access is contingent on the device being in compliance.

Offboarding. Access to all Finsi systems is revoked within 24 hours of an employee or contractor leaving. Production credentials they had access to are rotated.


12. Data Retention and Deletion

Active data. Customer business data is retained while the account is active and for 30 days after account closure to support reactivation.

Deletion on request. Customers may request full deletion of their data at any time by emailing privacy@finsi.ai or via the in-app account deletion flow. We confirm and complete the deletion within 30 days.

Backups. Backup data containing deleted customer records is purged on the standard 7-day backup retention cycle.

Anonymized data. Aggregated and anonymized usage analytics that cannot be linked to a specific customer may be retained indefinitely for product improvement.


13. Compliance Posture

GDPR. Finsi processes personal data in accordance with the EU General Data Protection Regulation where applicable. We offer Data Processing Agreements (DPAs) to customers on request.

CCPA. California residents have rights under the California Consumer Privacy Act including the right to know, delete, and opt out of the sale of personal information. Finsi does not sell personal information.

SOC 2. Finsi is preparing for a SOC 2 Type II audit. We currently follow controls aligned with the AICPA Trust Services Criteria and can share our current readiness status with customers under NDA.

PCI DSS. Finsi does not store, process, or transmit cardholder data directly. Payment processing is handled by Stripe, a PCI DSS Level 1 certified service provider.

We do not currently claim ISO 27001, HIPAA, or FedRAMP compliance.


14. Customer Responsibilities

The shared responsibility model means Finsi protects the platform; customers protect their account access and the data they choose to share with Finsi.

Specifically, customers are responsible for:

  • Keeping account credentials confidential and enabling MFA on Finsi and on connected platforms
  • Reviewing the OAuth scopes granted to Finsi and revoking access if a user is no longer authorized
  • Notifying Finsi promptly of any suspected account compromise
  • Configuring data sharing and retention preferences in their account settings

15. Updates to This Policy

We review this policy at least annually and update it when our security posture changes. Material updates will be announced via the customer dashboard or email. The current version is always available at finsi.ai/security.


Contact

For security questions, vulnerability reports, or to request additional documentation:

  • Email: security@finsi.ai
  • Privacy inquiries: privacy@finsi.ai
  • Mailing address: Available on request to security@finsi.ai
