Security

Zero-Trust Architecture

FinkyAgents operates on a zero-trust model. We assume no implicit trust at any layer.
- **Read-Only by Default** — We only request Reader-level permissions when connecting to your Azure environment. We cannot modify your infrastructure unless you explicitly escalate permissions.
- **Human-in-the-Loop** — Agents draft fixes via Pull Requests or Work Items. No code or infrastructure changes happen without a human clicking "Approve."
- **Least Privilege** — Every integration, service account, and internal system follows the principle of least privilege. Access is scoped to the minimum required for each function.

Data Handling

What We Access

When you connect your Azure subscription, FinkyAgents reads configuration, resource metadata, and diagnostic data to run assessments and security scans. When you connect code repositories, we perform read-only analysis to generate recommendations.

AI & Customer Data

**We do not use Customer Content to train or improve generalized AI models.**
Your data is processed solely to deliver the service — assessments, explanations, and remediation suggestions. AI processing is transient; prompts and completions are not retained beyond what is necessary to serve your request.
Aggregated, anonymized telemetry may be used to improve platform reliability. This never includes customer source code, infrastructure configurations, or personally identifiable information.

Data Residency

Customer data is hosted in the **European Union (EU)**. All primary infrastructure, databases, and storage reside within EU Azure regions.

Data Retention

* Infrastructure logs - 90 days
* Application audit logs - 90 days
* Chat conversations - 90 days
* Assessment results - 90 days
* Security scan findings - 90 days
‍
After the retention period, data is automatically purged. Upon account termination, customer data is deleted within 30 days, subject to any legal retention obligations.

Data Deletion

You may request deletion of your data at any time by contacting security@finkyagents.ai. We will process deletion requests within 30 days and confirm completion.

Infrastructure Security

Cloud Provider

FinkyAgents runs entirely on **Microsoft Azure**, leveraging Azure's enterprise-grade security certifications, including SOC 1/2/3, ISO 27001, ISO 27017, ISO 27018, and CSA STAR.

Encryption

- **In Transit** — All data in transit is encrypted using TLS 1.2 or higher. We enforce HTTPS across all endpoints and reject unencrypted connections.
- **At Rest** — All data at rest is encrypted using AES-256 encryption via Azure-managed and customer held encryption keys.

Network Security

- Strict Content Security Policy (CSP) headers
- HTTP Strict Transport Security (HSTS) with a minimum one-year max-age
- X-Content-Type-Options, X-Frame-Options, and Referrer-Policy headers enforced
- Cross-Origin policies (COOP, CORP) configured to prevent data leakage
- Permissions-Policy restricting access to camera, microphone, and geolocation

Environment Isolation

Each organization's data is separated at the application and storage level. No customer can access another customer's data, configurations, or scan results.

Application Security

Authentication

We support multiple secure authentication methods:
- **Passkeys** — Phishing-resistant, passwordless authentication using WebAuthn
- **Two-Factor Authentication (2FA)** — Available for all accounts
- **Magic Links** — Passwordless email-based login
- **Social Login** — OAuth-based sign-in via trusted identity providers
- **Password Authentication** — With enforced complexity requirements

Session Management

Sessions are managed with secure, HTTP-only cookies. Session tokens have a maximum lifetime and are invalidated on logout. Idle sessions expire automatically.

Secure Development

- All code changes go through peer review before merging
- Automated dependency scanning for known vulnerabilities
- Environment separation between development and production
- Secrets managed through secure vaults — never stored in source code
- Continuous integration and deployment pipelines with automated checks

Access Control

Internal Access

Access to production systems is restricted to authorized personnel only.
We enforce:
- Multi-factor authentication for all administrative access
- Role-based access control with least-privilege assignments
- Regular access reviews to remove unnecessary permissions
- Just-in-time access for elevated privileges when needed

Audit Logging

Every significant action is logged:
- Agent scans — what was analyzed, when, and by whom
- Findings and recommendations generated
- User actions — logins, permission changes, integration modifications
- Administrative operations — configuration changes, access grants
Audit logs are immutable and retained for 90 days. They are available for your review within the platform.

Subprocessors

We use the following third-party subprocessors to deliver the service:
- Microsoft Azure -  Infrastructure, database, email, analytics, monitoring
‍- Anthropic - AI model provider | Prompts and completions (transient)
‍- OpenAI - AI model provider | Prompts and completions (transient)
‍- Google - AI model provider | Prompts and completions (transient)
‍- Stripe - Payment processing | Billing and payment data

For AI model providers, we configure zero data retention where available. Prompts containing customer data are processed transiently and are not used to train third-party models. We evaluate the security posture of all subprocessors before onboarding and conduct periodic reviews. We will notify customers of material changes to subprocessors.

Incident Response

We maintain a documented incident response plan that covers identification, containment, eradication, recovery, and post-incident review.
- Detection — Automated monitoring and alerting across all infrastructure and application layers
‍- Response — Security incidents are triaged and responded to promptly by the engineering team -
- Notification — Customers affected by a confirmed security incident will be notified within 72 hours, in accordance with GDPR requirements
‍- Post-Incident — Root cause analysis is conducted for all incidents, with findings used to improve our security controls

Reporting Security Issues

If you discover a security vulnerability, please report it responsibly to security@finkyagents.ai

When reporting, please include:
- A description of the vulnerability
- Steps to reproduce the issue
- The potential impact
- Any suggested remediation
‍
We will acknowledge receipt within 48 hours and provide an initial assessment within 5 business days. We ask that you do not publicly disclose the vulnerability until we have had a reasonable opportunity to address it.

Business Continuity

- Backups — Customer data is backed up regularly with automated processes. Backups are encrypted and stored in a separate Azure region within the EU.
- Disaster Recovery — We maintain documented disaster recovery procedures with defined recovery time and recovery point objectives.
- Availability — Our infrastructure is designed for high availability with redundant components and automated failover.

Customer Responsibilities

Security is a shared responsibility. We recommend that customers:
- Enable Two-Factor Authentication on all user accounts
- Rotate credentials regularly for any integrations connected to FinkyAgents
- Review audit logs periodically to monitor agent activity and user actions
- Apply least-privilege when granting FinkyAgents access to your Azure environment
- Report suspicious activity immediately to security@finkyagents.ai