Finalytics.AI is committed to providing our customers with secure and reliable AI solution services. Our security model, based on information security standards and accepted industry best practices, is consistently implemented, monitored, and tested for compliance. Finalytics.AI aims to protect the confidentiality, integrity, and availability of our customers’ data.
Commonly Asked Questions
- Does Finalytics.AI have an Information Security Policy to share?
Yes. Finalytics.AI implements a top-down approach to verifying security controls, including maintaining policies and procedures. Policies are reviewed and approved on an annual basis.
- What is the process for authenticating users?
  - Users are authenticated against their password and allowed access in the form of a browser session.
  - Default lockout for user accounts comes after 3 unsuccessful password attempts and 15 minutes of inactivity.
  - Users’ passwords must be at least 8 characters long and contain an uppercase letter, a lowercase letter, a number, or a special character; they must be changed every 60 days.
  - Dual authentication is enabled.
- Who is responsible for provisioning/deprovisioning user accounts?
- Where are the AI services hosted?
All data is processed and stored only in the United States of America. Data is processed at an Amazon Web Services (AWS) data center. AWS has received SOC 2 and ISO 27001 security compliance certifications.
- How is data stored?
Finalytics.AI digests data from customers across the United States, and all connections are separate and terminate in AWS.
Data Storage – Application and database containers run in a private subnet, inaccessible from the outside internet. Access is restricted to the app and bastion layers. Internal database traffic is encrypted.
- What is the logical separation of data?
Logical separation occurs at the application level through administrative user controls. Access controls are logically scoped to user roles and set at the database level between organizations and among the various user role types. Resource authorization is granted according to the role of the authenticated user.
- Are there audit logging and retention capabilities?
  - Audit logs (e.g., user IDs, date/times of log on, log off, log in failures, etc.) can be retrieved to conduct user access reviews.
  - Audit logs are retained indefinitely.
- How is data at rest managed?
All data is stored in a managed database, with disk-level encryption.
- How is data encrypted?
Each cryptographic key is segregated from the data it encrypts. The cryptographic key will be kept on a separate disk, which itself will be encrypted. Encryption protocol/key length: AES 256-bit.
- How is data in transit encrypted?
All PII for Finalytics.AI is forced over SSL/TLS endpoints (TLS 1.2).
- Describe the backup process and storage locations.
Finalytics.AI is automatically backed up nightly; daily backups are retained for 90 days and monthly backups for 6 years. No customer action is required. Two backup copies are kept, stored in the us-east-1 and us-west-1 AWS data centers.
- Are backups encrypted?
Disk volumes backing databases and snapshots are encrypted at the filesystem level with AES 256-bit encryption.
- How does Finalytics.AI monitor and remediate vulnerabilities?
Finalytics.AI continuously monitors through multi-tiered security audits that include security checks, security reviews, application and infrastructure security vulnerability assessment scans, third-party patching, and scans of network vulnerabilities.
Finalytics.AI relies on external cybersecurity consultants to stay informed of emerging infrastructure vulnerabilities worldwide. Finalytics also engages an independent security company that periodically performs a security penetration test based on the OWASP Top 10 and SANS 25 best practices.
- Describe your incident response approach.
Finalytics.AI will report and contact the Customer immediately upon discovery of the unauthorized disclosure, within forty-eight (48) hours after Finalytics.AI reasonably believes there has been such unauthorized use or disclosure. Written reports by Finalytics.AI regarding data compromises will be supplied to the Customer within forty-eight (48) hours after being reported.