Security

Your data security is our
top priority

Learn how Finflo protects your documents and extracted data with industry-standard security practices and transparent data handling.

Last updated: December 2025

Encrypted at Rest & Transit

All data encrypted using AES-256 at rest and TLS 1.3 in transit

Secure Cloud Infrastructure

Enterprise-grade hosting with automatic security updates and monitoring

No Training on Your Data

Your documents are never used to train AI models

Security Overview

Finflo is a document processing platform that uses AI to extract structured data from PDF documents. We understand that the documents you upload may contain sensitive financial or business information, and we've built our security practices around protecting that data.

This page provides a transparent overview of how we secure your data, what technologies we use, and what commitments we make regarding your information.

Infrastructure Security

Hosting & Deployment

Finflo is hosted on Render, a modern cloud platform that provides enterprise-grade infrastructure security including:

  • Automatic SSL/TLS certificate management
  • DDoS protection at the network edge
  • Isolated container environments for each service
  • Automated security patches and updates
  • Private networking between services

View Render's Security & Trust page

File Storage

All uploaded documents are stored in Google Cloud Storage, which provides:

  • AES-256 encryption at rest by default
  • Encryption in transit using TLS
  • Access controls via signed URLs with time-limited access
  • Geographic redundancy for data durability
  • Comprehensive audit logging

View Google Cloud Security overview

Database

Application data is stored in a managed PostgreSQL database with:

  • Encryption at rest
  • Encrypted connections (SSL required)
  • Automated daily backups
  • Private network access only (no public exposure)

Network Security

  • All traffic encrypted via TLS 1.2+ (TLS 1.3 preferred)
  • HTTPS enforced on all endpoints
  • Secure, HTTP-only cookies for session management
  • CSRF protection on all state-changing operations
  • Strict CORS policies limiting cross-origin requests

Data Protection

Encryption Standards

Data StateEncryption
Data in TransitTLS 1.2/1.3
Files at RestAES-256
Database at RestAES-256
PasswordsIndustry-standard hashing (Argon2)

Data Isolation

Each user's data is logically isolated at the application level. All database queries are filtered by user identity, ensuring you can only access your own templates, documents, and extraction results.

Data Retention

  • Uploaded Documents: Retained until you delete them or delete the associated template
  • Extraction Results: Stored until you choose to delete them
  • Account Data: Retained for the lifetime of your account
  • Server Logs: Retained for 30 days for debugging and security monitoring

Backup & Recovery

Database backups are performed daily and retained for 7 days. File storage benefits from Google Cloud's built-in redundancy and durability guarantees (99.99% annual durability).

Authentication & Access Control

Finflo uses industry-standard authentication practices to protect your account and ensure only you can access your data.

Authentication Features

  • Email and password authentication
  • Email verification required for new accounts
  • Secure password reset via email
  • Session-based authentication with secure, HTTP-only cookies
  • CSRF token validation on all authenticated requests

Password Requirements

We enforce strong password policies to protect your account:

  • Minimum length requirements
  • Protection against common passwords
  • Protection against passwords similar to your personal information

Session Security

  • Sessions stored securely server-side
  • Session cookies marked as HTTP-only and Secure
  • SameSite cookie policy enforced
  • Automatic session expiration after period of inactivity

Planned Enhancements

We're actively working on additional security features including two-factor authentication (2FA) and social login options to give you more control over your account security.

AI Data Processing

Finflo uses Google Cloud AI services to extract structured data from your documents. Here's how your data is handled during AI processing:

How AI Processing Works

  1. You upload a PDF document to Finflo
  2. The document is stored securely in Google Cloud Storage
  3. When extraction is triggered, the document content is sent to Google Cloud AI
  4. The AI extracts structured data based on your template schema
  5. Extracted data is returned to Finflo and stored in our database

AI Data Commitments

No Model Training

Your documents are not used to train AI models. We use Google Cloud's enterprise AI services which have explicit data usage policies prohibiting training on customer data.

Temporary Processing

Document content is only sent to AI services during active extraction. It is not persisted by the AI provider beyond the processing request.

Secure Transmission

All communication with AI services occurs over encrypted TLS connections.

View Google Cloud's compliance and data processing terms

Infrastructure Provider Compliance

Our infrastructure providers maintain their own compliance certifications:

  • Render: SOC 2 Type II certifiedLearn more
  • Google Cloud: SOC 1/2/3, ISO 27001, and many othersLearn more

Incident Response

Security Monitoring

We employ comprehensive monitoring and logging across our infrastructure to detect and respond to potential security issues. Our systems include real-time error tracking, structured audit logging for security-relevant events, and automated alerting for anomalous activity.

Incident Response Process

In the event of a security incident, we commit to:

  • Investigating and containing the incident as quickly as possible
  • Notifying affected users within 72 hours of a confirmed data breach
  • Providing clear communication about what happened and what data was affected
  • Taking corrective actions to prevent similar incidents
  • Cooperating with relevant authorities as required by law

Reporting Security Issues

If you discover a security vulnerability in Finflo, please report it to us immediately at support@finflo.au. We ask that you:

  • Provide detailed information about the vulnerability
  • Give us reasonable time to address the issue before public disclosure
  • Avoid accessing or modifying other users' data

Your Data Rights

We believe you should have control over your data. Here are your rights and how to exercise them:

Data Export

You can export your extraction results to Excel format directly from the application. For a complete export of all your data, contact us at support@finflo.au.

Data Deletion

You can delete individual documents, templates, and extraction results from within the application. To delete your entire account and all associated data, contact us at support@finflo.au.

Data Access

You can view all your stored templates, documents, and extraction history through the application interface. For questions about what data we hold, contact us.

Response Times

We aim to respond to data requests within 30 days, in compliance with GDPR and Australian Privacy Act requirements.

Security Contact

For security-related inquiries, vulnerability reports, or questions about our security practices:

Security Issues

security@finflo.au

General Support

support@finflo.au

Privacy Inquiries

privacy@finflo.au

Our Commitment to You

Security is an ongoing commitment, not a one-time milestone. We continuously strengthen our security practices and will keep this page up to date as we introduce new safeguards to protect you and your data. Thank you for trusting Finflo with your document processing needs.