Skip to main content

Security at Fincore

How we protect customer data across infrastructure, application, and operations.

Last Updated: June, 2026

At Fincore, protecting our customers' financial data is foundational to everything we build. As a platform handling sensitive finance and accounting information, we apply security controls across our infrastructure, application, and operations — and design those controls to meet the expectations of enterprise customers in regulated industries.

Data Protection

All customer data is encrypted in transit using TLS 1.3 and at rest using AES-256. Financial information and integration credentials are stored in managed, encrypted database services with strict access controls, and secrets are held in a dedicated key-management vault.

AI & Data Use

Fincore does not use your data to train, fine-tune, or build evaluation datasets for any model — ours or our LLM providers'. LLM providers are engaged under enterprise terms contractually configured for zero data retention, meaning your data is not stored on the provider side after a request is processed and is never available for training.

Your data is processed solely to deliver the finance workflows you have engaged us for. There is no secondary use — no cross-tenant sharing, no analytics product, and no “agent improvement” use of any kind.

Tenant Isolation

Customer data is held under strict per-tenant logical isolation and is never co-mingled with another customer's records. Isolation is enforced through per-tenant identifiers on every record, application-layer authorization on every query, and tenant-scoped access at the service boundary — every operation against your information is bounded to your tenant and inaccessible to any other Fincore customer.

Access Control

We follow the principle of least privilege. Access to systems and customer data is limited to a small set of authorized personnel on a need-to-know basis, granted based on role, and reviewed periodically.

Workforce access is gated through MFA-enforced single sign-on with role-based access controls, and every access event is captured in per-identity audit logs. Administrative access to production requires connection through our corporate VPN and additional controls.

Application Security

We maintain secure software development practices, including code review, dependency vulnerability monitoring and remediation, and a CI/CD pipeline with controls on changes reaching production.

Infrastructure Security

Our infrastructure runs on Microsoft Azure with network-layer protections including segmented network environments, per-tier network security groups with default-deny baselines, and isolation between our production and non-production environments. Administrative access to production systems is restricted and gated through a bastion host.

ERP Integrations & Agent Audit Trail

We built our own ERP integration layer rather than routing through a third-party ETL or data vendor, so your data and credentials never traverse an additional sub-processor. OAuth tokens are vault-stored, rotated, and scoped to your ERP's native permissions.

Every agentic write-back is logged with the originating user, the tools and inputs the agent invoked, the resulting change in your system, and a timestamp — giving you a complete, attributable record of what was done and why.

Compliance

Fincore's security controls are designed and documented against the AICPA Trust Services Criteria covering security, availability, and confidentiality. We are currently undergoing a SOC 2 Type I examination to independently validate the design of those controls, with SOC 2 Type II to follow. We are committed to maintaining and continually improving our security posture as we grow.

Data Retention

Customer data is retained only for as long as needed to deliver the Service. On offboarding, all customer data is deleted from production systems within 30 days, subject to any legal retention obligations.

Confidentiality

These commitments are reinforced contractually through the confidentiality obligations in our customer agreements and enforced technically through need-to-know access controls with per-identity audit logging.

Contact

For security questions or to report a concern, contact us at security@fincore.co.