
Security

Your security is our top priority. Learn about our comprehensive security measures.

Our Commitment to Security

FinVI takes security seriously. As a financial technology platform handling sensitive user data, market information, and payment details, we implement industry-leading security practices to protect your information.

This page outlines our security infrastructure, data protection measures, and compliance standards.

Infrastructure Security

Enterprise-Grade Hosting

Platform: Vercel (AWS infrastructure)

  • SOC 2 Type II certified
  • ISO 27001 compliant
  • Automatic DDoS protection
  • Global CDN with edge caching
  • 99.99% uptime SLA

Secure Database Infrastructure

Platform: Supabase (Managed PostgreSQL)

  • Database-level encryption at rest (AES-256)
  • Encrypted connections (TLS 1.3)
  • Row-Level Security (RLS) policies
  • Automatic daily backups (30-day retention)
  • Point-in-time recovery
  • Private VPC isolation

Network & Transport Security

  • HTTPS enforced (TLS 1.3) across all pages
  • HTTP Strict Transport Security (HSTS) enabled
  • Secure cookie flags (HttpOnly, Secure, SameSite)
  • Content Security Policy (CSP) headers
  • Firewall rules and IP filtering
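
The transport controls above are easy to claim and easy to get subtly wrong (an HSTS max-age of a few hours, a CSP with a wildcard, a session cookie without SameSite). The following is an added example, not FinVI's code: a small audit routine that takes a response's headers and reports which of the listed controls are missing or weakened. The header values, cookie name and thresholds are constructed for the demo; the checks themselves are generic.

```javascript
// Added example (not FinVI's code): audit an HTTP response against the
// transport controls listed above. Header values and the cookie are
// constructed for the demo; the findings logic is generic.
const ONE_YEAR_S = 31536000;

// What a hardened response should look like.
const HARDENED = {
  'strict-transport-security': `max-age=${ONE_YEAR_S}; includeSubDomains; preload`,
  'content-security-policy':
    "default-src 'self'; script-src 'self'; object-src 'none'; frame-ancestors 'none'",
  'set-cookie': ['session=abc123; Path=/; HttpOnly; Secure; SameSite=Lax'],
};

// The same response with the controls missing or weakened, for comparison.
const WEAK = {
  'content-security-policy': "default-src *; script-src 'unsafe-inline'",
  'set-cookie': ['session=abc123; Path=/'],
};

// Returns a list of findings; an empty list means every check passed.
// `headers` uses lower-case names with set-cookie as an array, which is how
// Node's http.IncomingMessage.headers presents them.
function auditHeaders(headers) {
  const findings = [];

  const hsts = headers['strict-transport-security'];
  if (!hsts) {
    findings.push('HSTS missing');
  } else {
    const m = /max-age=(\d+)/i.exec(hsts);
    if (!m || Number(m[1]) < ONE_YEAR_S) findings.push('HSTS max-age below one year');
    if (!/includeSubDomains/i.test(hsts)) findings.push('HSTS lacks includeSubDomains');
  }

  const csp = headers['content-security-policy'];
  if (!csp) {
    findings.push('CSP missing');
  } else {
    if (/'unsafe-inline'/.test(csp)) findings.push("CSP allows 'unsafe-inline'");
    if (/(default|script)-src[^;]*\*/.test(csp)) findings.push('CSP uses a wildcard source');
  }

  for (const cookie of headers['set-cookie'] || []) {
    const name = cookie.split('=')[0];
    const attrs = cookie.split(';').slice(1).map((a) => a.trim().toLowerCase());
    for (const flag of ['httponly', 'secure']) {
      if (!attrs.includes(flag)) findings.push(`cookie ${name} lacks ${flag}`);
    }
    if (!attrs.some((a) => a.startsWith('samesite='))) findings.push(`cookie ${name} lacks samesite`);
  }
  return findings;
}
```

Run `auditHeaders` against the headers returned by a real fetch of the login page: the hardened set yields no findings, while the weak set yields six (no HSTS, two CSP weaknesses, and a cookie missing all three flags). A check like this belongs in CI so that a config change cannot silently drop a header.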

Authentication & Access Control

Password Security

  • Bcrypt hashing with automatic salt generation
  • Minimum password requirements: 8 characters, mix of letters and numbers
  • Password breach detection: Checks against common password lists
  • Secure password reset: Time-limited tokens sent via email
  • No plaintext storage: Passwords are never stored in readable format

Session Management

  • JWT access tokens with 7-day expiration
  • Refresh token rotation for extended sessions: each refresh issues a new token and the previous one is no longer accepted
  • Automatic logout after 30 days of inactivity
  • Concurrent session limits: Maximum 3 active devices
  • Logout from all devices feature available

OAuth & Social Login

We support secure OAuth authentication through trusted providers (Google, GitHub) without ever accessing your passwords. OAuth tokens are encrypted and stored securely.

Data Protection

Encryption at Rest

  • AES-256 encryption for all database records
  • Encrypted backups with separate keys
  • No payment card data stored (PCI-DSS via Stripe)

Encryption in Transit

  • TLS 1.3 for all client-server communication
  • Certificate pinning for API calls
  • Encrypted API keys and secrets

Access Controls

  • Role-Based Access Control (RBAC)
  • Row-Level Security (RLS) policies
  • Principle of least privilege

Data Minimization

  • Only collect necessary information
  • Automatic data expiration policies
  • User data export and deletion tools

Payment Security

Stripe Integration (PCI-DSS Compliant)

All payment processing is handled by Stripe, a PCI Service Provider Level 1 certified processor. This is the highest level of certification available in the payments industry.

What this means:

  • We never see or store your card details
  • Tokenized payment processing
  • 3D Secure authentication (SCA)
  • Real-time fraud detection

Your protection:

  • Bank-level encryption
  • Automated fraud prevention
  • Dispute resolution support
  • Easy subscription management

Application Security

Input Validation & Sanitization

All user inputs are validated, sanitized, and escaped to prevent injection attacks such as SQL injection and cross-site scripting (XSS). Cross-site request forgery (CSRF) is not an injection attack and is not stopped by input validation; it is mitigated separately through the SameSite cookie attribute described under Network & Transport Security.

Rate Limiting

API endpoints are rate-limited (100 requests/minute per user) to limit abuse such as credential stuffing, enumeration, and scraping. Per-user limits do not on their own stop a volumetric DDoS; that protection comes from the hosting platform's DDoS mitigation described above.
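
The following is an added example, not FinVI's code, of a per-user sliding-window limiter with the 100 requests/minute budget stated above. The clock is passed in so the window can be exercised deterministically, and the store is an in-process Map; a deployment across several serverless instances would keep the counters in a shared store instead, which is an assumption not stated on the page.

```javascript
// Added example (not FinVI's code): sliding-window limiter, 100 req/min per user.
const LIMIT = 100;
const WINDOW_MS = 60 * 1000;

const buckets = new Map(); // userId -> timestamps (ms) of requests inside the window

// Decide one request. Returns whether it is allowed, how much budget is left,
// and, when refused, how long until the oldest request ages out of the window.
function checkRateLimit(userId, nowMs) {
  const times = (buckets.get(userId) || []).filter((t) => nowMs - t < WINDOW_MS);
  if (times.length >= LIMIT) {
    buckets.set(userId, times);
    return { allowed: false, remaining: 0, retryAfterMs: times[0] + WINDOW_MS - nowMs };
  }
  times.push(nowMs);
  buckets.set(userId, times);
  return { allowed: true, remaining: LIMIT - times.length, retryAfterMs: 0 };
}

// Headers a handler would attach so clients can back off instead of retrying blindly.
function rateLimitHeaders(result) {
  const h = { 'X-RateLimit-Limit': String(LIMIT), 'X-RateLimit-Remaining': String(result.remaining) };
  if (!result.allowed) h['Retry-After'] = String(Math.ceil(result.retryAfterMs / 1000));
  return h;
}
```

A sliding window avoids the burst that fixed windows permit at the boundary (up to 2x the budget in two adjacent seconds); the trade-off is keeping up to 100 timestamps per active user, which is why the counters need a shared store once there is more than one instance.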

Dependency Security

Automated dependency scanning (Dependabot) and regular security updates for all third-party packages.

Error Monitoring

Real-time error tracking (Sentry) with automatic alerting for security-related issues.

Audit Logging

Comprehensive logging of security-relevant events (authentication, data access, admin actions).

Monitoring & Incident Response

24/7 Monitoring

  • Automated security scanning
  • Uptime monitoring (99.99% SLA)
  • Performance metrics tracking
  • Anomaly detection algorithms

Incident Response

  • Documented incident response plan
  • Security team on-call 24/7
  • Breach notification to the supervisory authority within 72 hours of becoming aware of a breach (GDPR Article 33), and to affected users without undue delay where the breach is likely to result in a high risk to them (Article 34)
  • Root cause analysis and remediation

Compliance & Standards

GDPR

EU data protection compliance

CCPA

California privacy rights

PCI-DSS

Payment card security (via Stripe)

Responsible Disclosure

We take security vulnerabilities seriously. If you discover a security issue, please report it responsibly:

Email: security@finvi.com
Response Time: Within 48 hours for acknowledgment
Reward: We offer bug bounties for valid, high-severity vulnerabilities

Please DO NOT: Test against production systems, access other users' data, or perform destructive tests. Use our staging environment if available.

Your Security: Best Practices

While we implement robust security measures, your account security also depends on your actions:

DO

  • Use a strong, unique password
  • Enable two-factor authentication (2FA)
  • Log out on shared devices
  • Review active sessions regularly
  • Keep your email account secure

DON'T

  • Share your password with anyone
  • Use the same password elsewhere
  • Click suspicious email links
  • Use public WiFi without a VPN
  • Ignore security notifications

Security Questions?

If you have questions about our security practices or want to report a concern:

Security Team: security@finvi.com

General Inquiries: Contact Us

Privacy Questions: Privacy Policy