Architecture
FinanceIQ is a cloud-native SaaS application hosted in the United States on industry-standard cloud infrastructure.
- Application and edge hosting: managed cloud platform with automatic TLS termination, global edge caching, and DDoS protection.
- Database and authentication: managed Postgres database with row-level security policies enforced at the database layer to prevent cross-tenant access. Customer data (NetSuite query results, user accounts, configuration, conversation history) is stored here.
- AI: a contracted third-party large language model provider delivers Finley. See the AI Disclosure page for full data-flow details.
- Payments: a PCI-DSS-compliant payment processor. FinanceIQ does not store payment card details directly.
Encryption
- In transit. All connections, including those between browsers, FinanceIQ services, our infrastructure providers, NetSuite, and our LLM provider, use TLS 1.2 or higher.
- At rest. Customer data stored in our managed Postgres database is encrypted at rest using AES-256. NetSuite OAuth refresh and access tokens, API secrets, and similar credentials are stored encrypted.
Access Controls
- Tenant isolation. Each customer's data is logically separated with row-level security enforced at the database layer. Cross-tenant access is prevented at the lowest level of the stack.
- Role-based access (in-product). Within a customer organization, user permissions are scoped to that organization.
- Administrative access. FinanceIQ team members access production systems only through controlled mechanisms with multi-factor authentication. Access follows the principle of least privilege and is reviewed regularly.
- Audit logging. Administrative actions and key customer-facing actions are logged for traceability.
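The row-level security mechanism described under tenant isolation, shown as an added illustration that is not FinanceIQ's own schema or code: the table, column, role and setting names (`netsuite_results`, `tenant_id`, `app_user`, `app.tenant_id`) are assumptions, as is the constructed tenant UUID.

```sql
-- Added illustration (not FinanceIQ's schema): tenant isolation enforced by
-- Postgres row-level security rather than by application code alone.
-- Assumed: a table holding per-tenant NetSuite query results, an application
-- role that is NOT the table owner, and a per-transaction setting carrying
-- the tenant id of the authenticated user.

CREATE TABLE netsuite_results (
    id        bigserial PRIMARY KEY,
    tenant_id uuid  NOT NULL,
    payload   jsonb NOT NULL
);

-- RLS is opt-in per table: without ENABLE no policy is consulted at all.
ALTER TABLE netsuite_results ENABLE ROW LEVEL SECURITY;
-- FORCE applies the policies to the table owner as well, so an owner-level
-- connection cannot silently bypass them.
ALTER TABLE netsuite_results FORCE ROW LEVEL SECURITY;

-- A row is readable (USING) and writable (WITH CHECK) only when its tenant_id
-- matches the tenant recorded on the current transaction.
-- current_setting(name, true) returns NULL if the setting was never set, and
-- '' if it was set then reset; nullif() folds both into NULL, so a missing
-- tenant context matches zero rows instead of raising a cast error.
CREATE POLICY tenant_isolation ON netsuite_results
    USING     (tenant_id = nullif(current_setting('app.tenant_id', true), '')::uuid)
    WITH CHECK (tenant_id = nullif(current_setting('app.tenant_id', true), '')::uuid);

-- The application role must not own the table and must not hold BYPASSRLS;
-- a superuser or BYPASSRLS role ignores every policy above.
CREATE ROLE app_user NOBYPASSRLS;
GRANT SELECT, INSERT, UPDATE, DELETE ON netsuite_results TO app_user;

-- Per request: set the tenant context with SET LOCAL inside the transaction,
-- so it is discarded at COMMIT/ROLLBACK and cannot leak through a pooled
-- connection to the next tenant's request.
BEGIN;
SET ROLE app_user;
SET LOCAL app.tenant_id = '11111111-1111-1111-1111-111111111111';  -- constructed id
INSERT INTO netsuite_results (tenant_id, payload)
    VALUES ('11111111-1111-1111-1111-111111111111', '{"account": "4000"}');
-- Only rows whose tenant_id equals the session's tenant are visible here;
-- an INSERT for any other tenant_id is rejected by the WITH CHECK clause.
SELECT id, payload FROM netsuite_results;
COMMIT;
```

A useful review check against such a setup is to confirm that no application-facing role has BYPASSRLS or ownership of tenant tables, and that every tenant table reports `rowsecurity = true` in `pg_tables`.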
NetSuite OAuth Security
When you connect a NetSuite instance to FinanceIQ:
- You grant FinanceIQ specific OAuth scopes through your NetSuite account.
- FinanceIQ stores only the refresh and access tokens required to read your data, encrypted at rest.
- You can revoke FinanceIQ's access at any time from your NetSuite account, or by disconnecting the integration in FinanceIQ.
- Disconnection terminates FinanceIQ's ability to read or refresh data from that NetSuite instance.
AI Data Handling (Finley)
Finley is delivered through a contracted third-party large language model provider. Under our contract with that provider, Customer Data sent to Finley is not used to train the provider's models or improve its products. FinanceIQ does not use Customer Data to train any models of its own.
Full data-flow details are published on our AI Disclosure page.
Backups and Disaster Recovery
Customer data stored in our managed Postgres database is backed up automatically by our infrastructure provider, with point-in-time recovery available.
Application Security Practices
- Secure development. Code changes are reviewed before deployment. Production deploys are tracked.
- Dependency management. Dependencies are monitored for known vulnerabilities and updated on a regular cadence.
- Secrets management. API keys, OAuth secrets, and similar credentials are stored in environment-scoped secret stores, not in source code.
Compliance Posture
FinanceIQ is committed to industry-standard security compliance. Our current posture:
- SOC 2 Type I: Audit planned. Target completion: Q4 2026.
- SOC 2 Type II: Targeted following Type I attestation.
- GDPR, UK GDPR, PIPEDA, CCPA, CPRA: Controls and processes in place to support customer compliance with these frameworks. See our Privacy Policy.
If you need a security questionnaire completed or have specific compliance requirements, contact us at contact@tryfinanceiq.com.
Sub-processors
FinanceIQ uses a small set of vendors to deliver the Service. The categories of sub-processors in use are described in our Privacy Policy (Section 5.1). A current list naming each sub-processor is available to customers and prospective customers on request.
Responsible Disclosure
If you discover a security vulnerability in the FinanceIQ service, we ask that you report it privately rather than disclosing it publicly. Email contact@tryfinanceiq.com with:
- A description of the vulnerability and steps to reproduce
- The potential impact you've identified
- Any suggested remediation
We will acknowledge receipt within three business days and work with you toward a fix. We do not currently operate a paid bug bounty program, but we appreciate good-faith security research conducted under responsible disclosure principles, and we are happy to credit researchers (with permission) once fixes ship.
Contact
For security questions, vulnerability reports, or security questionnaire requests:
Honey Brown, LLC (dba FinanceIQ)
Attn: Security
450 Alaskan Way S., Suite 200
Seattle, WA 98104
Email: contact@tryfinanceiq.com