Fin4Sight

Security & Trust

Security and trust — what we did, what we don't claim.

Mandatory MFA on every login. Per-tenant credential isolation. Strong encryption at rest. Row-level security in the database.

Authentication & access

  • Mandatory MFA via TOTP on every login. No SMS, no email backup.
  • 10 single-use, cryptographically generated recovery codes per user.
  • MFA reset requires platform-level admin approval — by design.
  • Tiered role hierarchy separating platform, tenant, and end-user permissions.

Credential isolation

Every external credential — your SAP system, OCR provider, document storage, AI providers, and email gateway — is stored encrypted at rest and scoped per tenant. No credential lives in code. No credential is shared across tenants.

Database isolation

PostgreSQL with row-level security policies across every tenant-scoped table. Tenant context is set per request and the database enforces visibility.
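The pattern described above, as an added illustration rather than Fin4Sight's own schema: a tenant-scoped table, a row-level security policy keyed on a per-transaction setting, and the per-request sequence that sets tenant context. The table name invoices, the role app_user and the setting name app.tenant_id are assumptions for the example.

```sql
-- Example schema (assumed names, not from the page): one tenant-scoped table.
CREATE TABLE invoices (
    id         bigserial PRIMARY KEY,
    tenant_id  uuid NOT NULL,
    amount     numeric(12,2) NOT NULL,
    created_at timestamptz NOT NULL DEFAULT now()
);

-- Enable RLS and force it for the table owner too. Without FORCE, the
-- owning role silently bypasses every policy on the table.
ALTER TABLE invoices ENABLE ROW LEVEL SECURITY;
ALTER TABLE invoices FORCE ROW LEVEL SECURITY;

-- The policy reads the tenant from a transaction-scoped setting.
-- current_setting(..., true) returns NULL when the setting was never
-- defined, and NULLIF turns the empty string (what a reset placeholder
-- setting yields later in the same session) into NULL as well. NULL never
-- compares equal, so a request that forgot to set tenant context sees no
-- rows instead of every tenant's rows.
CREATE POLICY tenant_isolation ON invoices
    USING (tenant_id = NULLIF(current_setting('app.tenant_id', true), '')::uuid)
    WITH CHECK (tenant_id = NULLIF(current_setting('app.tenant_id', true), '')::uuid);

-- The application connects as an ordinary role: not a superuser, without
-- BYPASSRLS, and not the table owner. Any of those would skip the policy.
CREATE ROLE app_user LOGIN NOBYPASSRLS;  -- set a password via your secret manager
GRANT SELECT, INSERT, UPDATE, DELETE ON invoices TO app_user;
GRANT USAGE, SELECT ON SEQUENCE invoices_id_seq TO app_user;

-- Per request (run as app_user): open a transaction and set the tenant with
-- SET LOCAL, so the value ends with the transaction and cannot leak into a
-- pooled connection picked up by the next request.
BEGIN;
SET LOCAL app.tenant_id = '11111111-1111-1111-1111-111111111111';  -- constructed tenant id
INSERT INTO invoices (tenant_id, amount)
    VALUES ('11111111-1111-1111-1111-111111111111', 100.00);
-- An insert tagged with another tenant's id is rejected by the WITH CHECK
-- clause, so the application cannot write across tenants by mistake:
-- INSERT INTO invoices (tenant_id, amount)
--     VALUES ('22222222-2222-2222-2222-222222222222', 5.00);
-- No WHERE tenant_id = ... is needed; the database filters the rows.
SELECT id, amount FROM invoices;
COMMIT;

-- Same query from a second tenant's context returns none of the rows above.
BEGIN;
SET LOCAL app.tenant_id = '22222222-2222-2222-2222-222222222222';  -- constructed tenant id
SELECT count(*) FROM invoices;
COMMIT;
```

Two checks worth running against a setup like this: confirm the application role has neither SUPERUSER nor BYPASSRLS (`SELECT rolname, rolsuper, rolbypassrls FROM pg_roles;`), and confirm every tenant-scoped table has both `relrowsecurity` and `relforcerowsecurity` set in `pg_class`, since a single table without a policy is a full cross-tenant read.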

Hosting

Cloud-native compute, managed PostgreSQL, and object storage for documents. Region selection per tenant where supported. We share provider and region details under NDA.

FAQ

Where is data stored?

Managed PostgreSQL with document blobs in object storage. Region selection per tenant where the provider supports it. Specific providers and regions are shared under NDA.

What MFA factors are supported?

TOTP only — no SMS, no email backup. 10 single-use, cryptographically generated recovery codes per user.

Can we run a penetration test?

Yes. Coordinate with us first; we'll schedule, scope, and share results.