Security

Your data security is our top priority

Learn how Finflo protects your documents and extracted data with enterprise-grade security practices, Australian data residency, and transparent data handling.

Last updated: February 2026

Encrypted at Rest & Transit

Data encrypted at rest and TLS 1.2/1.3 in transit

Australian Data Residency

All infrastructure hosted in Australia for data sovereignty compliance

Continuous Security Scanning

Automated SAST, DAST, SCA, and cloud infrastructure checks

No Training on Your Data

Your documents are never used to train AI models

Security Overview

Finflo is a document processing platform that uses AI to extract structured data from PDF documents. We understand that the documents you upload may contain sensitive financial or business information, and we've built our security practices around protecting that data.

This page provides a transparent overview of how we secure your data, what technologies we use, and what commitments we make regarding your information.

Our security strategy is built on five pillars: Australian data residency for sovereignty compliance, defence-in-depth network protection, automated PII data lifecycle management, continuous security testing across the full stack, and transparent data handling practices.

Infrastructure Security

Hosting & Deployment

Finflo's core infrastructure — including the application backend, background task workers, PostgreSQL database, and Redis cache — is hosted on Northflank in the Australian region, ensuring all application data remains within Australian borders for data residency compliance.

Northflank provides enterprise-grade infrastructure security including:

  • Kata Containers and gVisor for workload isolation via hardware-level virtualisation
  • Isolated container environments for each service
  • Encrypted volumes and volume backups at rest
  • Private networking between services
  • Automatic SSL/TLS certificate management
  • Secret injection to avoid storing sensitive configurations in plain text

View Northflank's Security page

File Storage

All uploaded documents are stored in Google Cloud Storage with servers located in Australia, which provides:

  • AES-256 encryption at rest by default
  • Encryption in transit using TLS
  • Access controls via signed URLs with time-limited access
  • Geographic redundancy for data durability
  • Comprehensive audit logging

View Google Cloud Security overview

Database

Application data is stored in a managed PostgreSQL database hosted in Australia with:

  • Encryption at rest
  • Encrypted connections (SSL required)
  • Automated daily backups
  • Private network access only (no public exposure)

Australian Data Residency

Your Data Stays in Australia

All core infrastructure components — application servers, databases, caches, background workers, and file storage — are hosted in Australian data centres. This ensures your document data and extracted information remain within Australian jurisdiction, supporting compliance with the Australian Privacy Act and data sovereignty requirements.

File storage benefits from Google Cloud's built-in redundancy and durability guarantees (99.99% annual durability).

Network & Edge Security

All traffic to Finflo is routed through Cloudflare, providing multiple layers of network-level protection before requests reach our application servers.

Cloudflare Protection

  • DDoS Mitigation: Automatic detection and mitigation of distributed denial-of-service attacks at the network edge
  • Web Application Firewall (WAF): Managed rulesets to block common attack patterns including SQL injection, cross-site scripting (XSS), and other OWASP Top 10 threats
  • DNS Security: Secure DNS resolution with DNSSEC support and protection against DNS-based attacks
  • Bot Management: Detection and mitigation of malicious bot traffic and automated threats
  • TLS Termination: TLS 1.3 encryption enforced on all connections with automatic certificate management

View Cloudflare's Trust & Compliance resources

Application-Level Network Controls

  • HTTPS enforced on all endpoints
  • Secure, HTTP-only cookies for session management
  • CSRF protection on all state-changing operations
  • Strict CORS policies limiting cross-origin requests
  • Security headers including Content-Security-Policy, X-Content-Type-Options, and Strict-Transport-Security

Data Protection

Encryption Standards

Data State | Encryption
Data in Transit | TLS 1.2/1.3
Files at Rest | AES-256
Database at Rest | AES-256
Passwords | Industry-standard hashing (Argon2)

Data Isolation

Each user's data is logically isolated at the application level. All database queries are filtered by user identity, ensuring you can only access your own templates, documents, and extraction results.

Backup & Recovery

Database backups are performed daily and retained for 7 days. File storage benefits from Google Cloud's built-in redundancy and durability guarantees (99.99% annual durability).

PII Data Lifecycle

Finflo implements automated data lifecycle management to minimise the retention of personally identifiable information (PII) and sensitive document data.

Automated PII Deletion

A scheduled background process runs every 7 days to automatically clean up document data that is no longer needed for active use. This process:

  • Permanently deletes uploaded PDF files from Google Cloud Storage
  • Permanently deletes extraction output files from Google Cloud Storage
  • Removes extraction JSON data from the application database
  • Maintains an audit log of all deletion events for compliance and accountability

Data Retention Summary

Data Type | Retention
Uploaded PDF documents | Automatically deleted every 7 days
Extraction output files | Automatically deleted every 7 days
Extraction JSON data | Automatically deleted every 7 days
Templates | Retained until you delete them or your account
Account data | Retained for the lifetime of your account
Deletion audit logs | Retained for compliance purposes
Server logs | 30 days

Minimising Data Exposure

By automatically deleting document files and extraction data on a 7-day cycle, we significantly reduce the window of exposure for sensitive information. This approach follows the data minimisation principle recommended by the Australian Privacy Act and GDPR.

Security Testing & Scanning

Finflo employs a multi-layered security testing strategy that combines static analysis, dynamic testing, and continuous monitoring to identify and remediate vulnerabilities across the full application stack.

Static Application Security Testing (SAST)

We use Aikido Security for continuous static analysis of our codebase, covering:

  • SAST: Automated source code analysis to detect security vulnerabilities, insecure coding patterns, and potential injection flaws
  • Software Composition Analysis (SCA): Continuous monitoring of third-party dependencies for known vulnerabilities (CVEs) and licence risks
  • Secrets Detection: Automated scanning to prevent accidental exposure of API keys, credentials, and other sensitive tokens in source code
  • Outdated Software & IaC: Detection of outdated packages, frameworks, and infrastructure-as-code misconfigurations
  • Cloud Misconfiguration Checks: Scanning for insecure cloud resource configurations and policy violations

Dynamic Application Security Testing (DAST)

We use OWASP ZAP (Zed Attack Proxy) for dynamic security testing against our running application, including:

  • OWASP Top 10 Checks: Systematic testing for the most critical web application security risks including injection, broken authentication, sensitive data exposure, and security misconfigurations
  • Runtime Vulnerability Scanning: Active probing of the live application to discover issues that static analysis cannot detect
  • Regular Scanning Cadence: Scheduled scans to catch new vulnerabilities introduced by code changes or dependency updates

Our Testing Approach

Layer | Tool | Coverage
Source Code | Aikido Security | SAST, SCA, Secrets, IaC
Running Application | OWASP ZAP | DAST, OWASP Top 10
Network Edge | Cloudflare WAF | WAF rules, DDoS, bot management
Runtime Monitoring | Sentry | Error tracking, performance monitoring

Authentication & Access Control

Finflo uses industry-standard authentication practices to protect your account and ensure only you can access your data.

Authentication Features

  • Email and password authentication
  • Email verification required for new accounts
  • Secure password reset via email
  • Session-based authentication with secure, HTTP-only cookies
  • CSRF token validation on all authenticated requests

Password Requirements

We enforce strong password policies to protect your account:

  • Minimum length requirements
  • Protection against common passwords
  • Protection against passwords similar to your personal information

Session Security

  • Sessions stored securely server-side
  • Session cookies marked as HTTP-only and Secure
  • SameSite cookie policy enforced
  • Automatic session expiration after a period of inactivity
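
The header controls listed under Application-Level Network Controls and the cookie flags listed under Session Security can be checked from the outside by inspecting a response. The following is an added example, not Finflo's own code: it audits a list of response headers for those controls, and the cookie name `sessionid` and all header values are constructed samples.

```python
# Added example: audit response headers against the controls listed on this page.
# All header values below are constructed samples, not captured from a real service.
import re

REQUIRED = ("content-security-policy", "x-content-type-options",
            "strict-transport-security")

def cookie_attrs(set_cookie):
    """Split one Set-Cookie value into (cookie name, {lowercased attribute: value})."""
    first, *rest = [part.strip() for part in set_cookie.split(";")]
    attrs = {}
    for part in rest:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    return first.partition("=")[0], attrs

def audit_response(headers):
    """headers: list of (name, value) pairs. Returns a sorted list of findings."""
    seen, cookies, findings = {}, [], []
    for name, value in headers:
        if name.lower() == "set-cookie":
            cookies.append(value)  # Set-Cookie may repeat, so keep every value
        else:
            seen[name.lower()] = value
    findings += [f"missing header: {h}" for h in REQUIRED if h not in seen]
    if seen.get("x-content-type-options", "nosniff").strip().lower() != "nosniff":
        findings.append("x-content-type-options is not 'nosniff'")
    hsts = seen.get("strict-transport-security")
    if hsts is not None:
        m = re.search(r"max-age\s*=\s*\"?(\d+)", hsts, re.I)
        if not m or int(m.group(1)) == 0:  # max-age=0 tells browsers to drop HSTS
            findings.append("strict-transport-security has no positive max-age")
    for raw in cookies:
        name, attrs = cookie_attrs(raw)
        for flag in ("secure", "httponly", "samesite"):
            if flag not in attrs:
                findings.append(f"cookie {name}: missing {flag}")
        if attrs.get("samesite", "").lower() == "none":
            findings.append(f"cookie {name}: SameSite=None permits cross-site sends")
    return sorted(findings)

GOOD = [("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
        ("Content-Security-Policy", "default-src 'self'"),
        ("X-Content-Type-Options", "nosniff"),
        ("Set-Cookie", "sessionid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax")]
WEAK = [("Strict-Transport-Security", "max-age=0"),
        ("X-Content-Type-Options", "nosniff"),
        ("Set-Cookie", "sessionid=abc123; Path=/; HttpOnly")]
```

`audit_response(GOOD)` returns an empty list, while `audit_response(WEAK)` reports the missing Content-Security-Policy, the zero HSTS max-age, and the cookie's missing Secure and SameSite attributes.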

Planned Enhancements

We're actively working on additional security features including two-factor authentication (2FA) and social login options to give you more control over your account security.

AI Data Processing

Finflo uses Google Cloud AI services to extract structured data from your documents. Here's how your data is handled during AI processing:

How AI Processing Works

  1. You upload a PDF document to Finflo
  2. The document is stored securely in Google Cloud Storage (Australia)
  3. When extraction is triggered, the document content is sent to Google Cloud AI
  4. The AI extracts structured data based on your template schema
  5. Extracted data is returned to Finflo and stored in our database (Australia)
  6. After 7 days, the uploaded PDF, extraction files, and extraction data are automatically deleted

AI Data Commitments

No Model Training

Your documents are not used to train AI models. We use Google Cloud's enterprise AI services which have explicit data usage policies prohibiting training on customer data.

Temporary Processing

Document content is only sent to AI services during active extraction. It is not persisted by the AI provider beyond the processing request.

Secure Transmission

All communication with AI services occurs over encrypted TLS connections.

Automatic Cleanup

Uploaded documents and extraction data are automatically deleted on a 7-day cycle, with audit logs maintained for compliance.

View Google Cloud's compliance and data processing terms

Infrastructure Provider Compliance

Our infrastructure providers maintain their own compliance certifications:

  • Google Cloud: SOC 1/2/3, ISO 27001, and many others
  • Cloudflare: SOC 2 Type II, ISO 27001, PCI DSS
  • Northflank: Built with security-first architecture including Kata Container isolation and encrypted storage

Incident Response

Security Monitoring

We employ comprehensive monitoring and logging across our infrastructure to detect and respond to potential security issues. Our systems include real-time error tracking via Sentry, structured audit logging for security-relevant events, Cloudflare WAF analytics for threat detection, and automated alerting for anomalous activity.

Incident Response Process

In the event of a security incident, we commit to:

  • Investigating and containing the incident as quickly as possible
  • Notifying affected users within 72 hours of a confirmed data breach
  • Providing clear communication about what happened and what data was affected
  • Taking corrective actions to prevent similar incidents
  • Cooperating with relevant authorities as required by law

Reporting Security Issues

If you discover a security vulnerability in Finflo, please report it to us immediately at security@finflo.au. We ask that you:

  • Provide detailed information about the vulnerability
  • Give us reasonable time to address the issue before public disclosure
  • Avoid accessing or modifying other users' data

Your Data Rights

We believe you should have control over your data. Here are your rights and how to exercise them:

Data Export

You can export your extraction results to Excel format directly from the application. For a complete export of all your data, contact us at finflo-support@finflo.au.

Data Deletion

Document files and extraction data are automatically deleted every 7 days. You can also manually delete individual templates, documents, and extractions at any time. To delete your entire account and all associated data, contact us at finflo-support@finflo.au.

Data Access

You can view all your stored templates and extraction history within the application. For questions about what data we hold, contact us.

Response Times

We aim to respond to data requests within 30 days, in compliance with GDPR and Australian Privacy Act requirements.

Security Contact

For security-related inquiries, vulnerability reports, or questions about our security practices:

Security Issues

security@finflo.au

Privacy Inquiries

privacy@finflo.au

Our Commitment to You

Security is an ongoing commitment, not a one-time milestone. We continuously strengthen our security practices and will keep this page up to date as we introduce new safeguards to protect you and your data. Thank you for trusting Finflo with your document processing needs.