Security & Data Protection

    Finsyght is built with security and transparency as core principles. Here is exactly how we protect your data and your connected ad accounts.

    Encryption in Transit & at Rest

    All data is encrypted in transit using TLS 1.2+. OAuth access and refresh tokens are encrypted at rest using AES-256. Passwords are hashed with bcrypt (cost factor 12+) — plaintext passwords are never stored.

    OAuth-Only Platform Access

    Finsyght connects to Google and Meta using official OAuth 2.0. We never ask for or store your Google or Meta password. You can revoke access at any time from your Google Account or Meta settings.

    Read-Only API Access

    Finsyght requests read-only permissions. We access your ad performance metrics to display in your dashboard. We never create, edit, pause, or delete campaigns, budgets, or any other settings in your connected accounts.

    Data Isolation & Ownership

    Each account's data is strictly isolated. Your data is never shared with other users or used for cross-account analysis. You own your data and can request deletion at any time. We fulfill deletion requests within 30 days.

    Security Reviews

    We conduct periodic security reviews of our infrastructure, dependencies, and access controls. Critical dependencies are kept updated. We monitor for known CVEs in our stack.

    Secure Infrastructure

    Finsyght is hosted on cloud infrastructure with network-level isolation, automated backups, and access restricted by role-based permissions. Database credentials are not stored in application code.

    Technical Security Controls

    • TLS 1.2+ for all data in transit
    • AES-256 encryption for stored OAuth tokens
    • bcrypt (cost 12+) for password hashing
    • HTTPS-only — HTTP requests are redirected
    • HTTP security headers (HSTS, CSP, X-Frame-Options)
    • OAuth CSRF protection via state nonce (cached server-side)
    • Input validation on all API endpoints
    • Rate limiting on authentication endpoints
    • Role-based database access controls
    • No credentials or secrets in application code
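    The "state nonce (cached server-side)" control above is the one item in this list whose correctness depends on several small checks happening together, so here is an added illustration of it. This is example code written for this page, not Finsyght's implementation: the helper names (StateCache, build_authorize_url, handle_callback), the placeholder authorization endpoint, the 10-minute TTL and the in-memory dict standing in for a real server-side cache are all assumptions. It shows the three properties a state nonce needs to actually stop login CSRF: it is bound to the browser session that started the flow, it expires, and it can be redeemed exactly once.

```python
"""Added illustration (not Finsyght's code): OAuth 2.0 CSRF protection with a
server-side state nonce. Helper names are hypothetical and the authorization
endpoint is a placeholder."""
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlencode

STATE_TTL_SECONDS = 600  # assumption: an abandoned login flow is dropped after 10 minutes
AUTHORIZE_ENDPOINT = "https://provider.example/oauth/authorize"  # placeholder, not a real endpoint


class StateCache:
    """Server-side store of issued state nonces.

    Each nonce is bound to the session that started the flow, expires after a
    TTL, and can be redeemed once. A real deployment would back this with Redis
    or a database; a dict is enough to show the checks.
    """

    def __init__(self, ttl=STATE_TTL_SECONDS, clock=time.time):
        self._entries = {}   # nonce -> (session_id, expires_at)
        self._ttl = ttl
        self._clock = clock  # injectable so tests can fast-forward time

    def issue(self, session_id):
        nonce = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._entries[nonce] = (session_id, self._clock() + self._ttl)
        return nonce

    def consume(self, session_id, nonce):
        # pop() makes the nonce single-use: a replayed callback finds nothing.
        # A mismatched session also burns the nonce (fail closed).
        entry = self._entries.pop(nonce, None)
        if entry is None:
            return False
        bound_session, expires_at = entry
        if self._clock() > expires_at:
            return False
        # constant-time compare so the session binding leaks no timing signal
        return hmac.compare_digest(bound_session, session_id)


def build_authorize_url(cache, session_id, client_id, redirect_uri, scope):
    """Start the flow: mint a state nonce for this session and put it in the URL."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": cache.issue(session_id),
    }
    return f"{AUTHORIZE_ENDPOINT}?{urlencode(params)}"


def state_from_url(url):
    """Extract the state parameter from an authorize URL (used in the demo below)."""
    return parse_qs(url.split("?", 1)[1])["state"][0]


def handle_callback(cache, session_id, query_string):
    """Validate the redirect back from the provider.

    Returns the authorization code only if the state round-tripped, belongs to
    this session, is unexpired and has not been used before. Otherwise returns
    None and the caller must not exchange the code for tokens.
    """
    query = parse_qs(query_string)
    state = query.get("state", [None])[0]
    code = query.get("code", [None])[0]
    if not state or not code:
        return None
    if not cache.consume(session_id, state):
        return None
    return code


if __name__ == "__main__":
    cache = StateCache()
    url = build_authorize_url(cache, "sess-A", "client-123", "https://app.example/cb", "ads.readonly")
    state = state_from_url(url)
    # legitimate callback: same session, fresh nonce -> code accepted
    assert handle_callback(cache, "sess-A", f"code=abc&state={state}") == "abc"
    # replay of the same callback -> rejected, nonce already consumed
    assert handle_callback(cache, "sess-A", f"code=abc&state={state}") is None
    print("state checks behave as expected")
```

    The session binding is the part most often left out: storing the nonce server-side without tying it to the session still lets a state value minted in one browser be redeemed in another. Looking the nonce up by key and then comparing the stored session with a constant-time compare closes that gap, and popping the entry before any other check means a failed validation can never be retried with the same value.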

    Responsible Disclosure Policy

    We take security vulnerabilities seriously. If you discover a security issue in Finsyght, we ask that you report it to us privately before disclosing it publicly.

    How to report:

    Email security@finsyght.app with a description of the vulnerability, steps to reproduce, and your contact information.

    Our commitments:

    • We will acknowledge your report within 3 business days.
    • We will investigate and aim to resolve critical vulnerabilities within 30 days.
    • We will not pursue legal action against researchers who follow this policy.
    • We will credit you in our security acknowledgements (if you wish) once the issue is resolved.

    Scope:

    finsyght.app and admin.finsyght.app (production). Please do not test against other users' accounts or attempt to access data that is not yours.

    Out of scope:

    Social engineering, physical attacks, denial of service, and vulnerabilities in third-party services (Google, Meta) that we do not control.

    Compliance & Data Rights

    Finsyght is designed with GDPR and CCPA principles in mind. Specific commitments include:

    • Data minimization: we request only the permissions needed to operate the dashboard.
    • Purpose limitation: Google and Meta data is used only to display your Finsyght dashboard.
    • Retention limits: ad performance data is deleted after 24 months; tokens are deleted within 48 hours of disconnection.
    • Right to erasure: we honor all deletion requests within 30 days. See our Data Deletion page.
    • No data sales: we never sell user data or ad performance data to third parties.

    For Google API data specifically, see our Google Data Use Disclosure.

    Security Contact

    Security vulnerabilities: security@finsyght.app

    Privacy requests: privacy@finsyght.app

    Data deletion: finsyght.app/data-deletion
