1. Our Commitment
At Finquill, Inc., the security of your data is our top priority. We employ industry-leading security practices to ensure that your personal information, research data, and financial information remain protected at all times. Security is embedded into every layer of our platform — from infrastructure to application to operations.
2. Infrastructure Security
Our infrastructure is designed with defense-in-depth principles:
- All data is encrypted in transit using TLS 1.2+ and at rest using AES-256 encryption
- Infrastructure is hosted on SOC 2 Type II certified cloud providers
- Network access is restricted through firewalls, private networking, and IP allowlisting
- Regular penetration testing and vulnerability assessments conducted by independent third parties
- Automated monitoring, intrusion detection, and real-time alerting for suspicious activity
- DDoS protection and rate limiting on all public-facing endpoints
- Database backups are encrypted and stored in geographically separated regions
- Infrastructure-as-code practices ensure consistent, auditable deployments
3. Authentication & Access Control
- Secure authentication powered by Supabase with support for multi-factor authentication (MFA)
- Row-level security (RLS) policies ensure users can only access their own data
- API keys and sensitive credentials are encrypted using industry-standard algorithms before storage
- Session management with automatic expiration, refresh token rotation, and anomaly detection
- Role-based access control (RBAC) for administrative functions with audit logging
- OAuth 2.0 and secure token-based authentication for third-party integrations
- Brute-force protection with automatic account lockout after repeated failed login attempts
4. Data Protection
Your portfolio data, watchlists, journal entries, and research notes are stored securely with strict access controls:
- All user data is logically isolated using row-level security policies
- Sensitive fields (API keys, wallet addresses) are encrypted at the application level before database storage
- We do not sell or share your personal data with third parties for marketing purposes
- AI model inputs are processed in real time and are not persisted beyond what is necessary to deliver the service
- Personally identifiable information (PII) is minimized in AI provider requests
- Data deletion requests are honored within 30 days, with cryptographic erasure of encryption keys
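The row-level security policies referred to in sections 3 and 4 are a Postgres feature that Supabase exposes through its `auth.uid()` helper and its `authenticated` role. The following is an added, illustrative example of what such per-user isolation looks like; it is not Finquill's schema or code, and the table name `watchlists` and column `owner_id` are assumptions:

```sql
-- Illustrative Supabase/Postgres row-level security setup (added example, not Finquill's schema).
-- Table and column names (watchlists, owner_id) are assumed for illustration.
create table if not exists watchlists (
  id         bigint generated always as identity primary key,
  owner_id   uuid not null default auth.uid(),
  name       text not null,
  created_at timestamptz not null default now()
);

-- Until RLS is enabled, policies are never consulted and every row is visible to the table's grantees.
alter table watchlists enable row level security;
-- Also apply RLS to the table owner, so a connection running as the owning role cannot bypass it.
alter table watchlists force row level security;

-- auth.uid() returns the subject of the caller's JWT; it is NULL for anonymous callers,
-- so the comparison below is never true for them and they see no rows at all.
create policy "owner can read own watchlists"
  on watchlists for select
  to authenticated
  using (owner_id = auth.uid());

create policy "owner can insert own watchlists"
  on watchlists for insert
  to authenticated
  with check (owner_id = auth.uid());

-- USING limits which rows may be updated; WITH CHECK prevents re-assigning a row to another user.
create policy "owner can update own watchlists"
  on watchlists for update
  to authenticated
  using (owner_id = auth.uid())
  with check (owner_id = auth.uid());

create policy "owner can delete own watchlists"
  on watchlists for delete
  to authenticated
  using (owner_id = auth.uid());

-- Verification: confirm RLS is both enabled and forced, and list the policies that apply.
select relname, relrowsecurity, relforcerowsecurity
  from pg_class
 where relname = 'watchlists';

select policyname, cmd, roles, qual, with_check
  from pg_policies
 where tablename = 'watchlists';
```

Two points a reviewer of such policies checks: first, that every table holding user data has RLS enabled (the `pg_class` query above should report both flags true), since a table with policies but RLS disabled is still fully readable; second, that the Supabase `service_role` key, which bypasses RLS entirely, is used only by trusted server-side code and never shipped to a browser or mobile client, because any client holding it sees every user's rows regardless of the policies above.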
5. Application Security
- Security-first development practices with code review requirements for all changes
- Automated static analysis and dependency vulnerability scanning in CI/CD pipelines
- Input validation and output sanitization to prevent injection attacks such as SQL injection and XSS, together with protections against CSRF
- Content Security Policy (CSP) headers and other HTTP security headers enforced
- Regular dependency updates and automated alerts for known vulnerabilities
- Secure handling of file uploads with type validation and malware scanning
6. Employee & Internal Access
Access to production systems and customer data is limited to authorized personnel on a need-to-know basis. All internal access requires multi-factor authentication and is logged in our audit system. Employee access is reviewed regularly and revoked promptly upon role changes or offboarding. All team members receive security awareness training.
7. Third-Party Vendor Security
We carefully evaluate the security posture of all third-party services integrated into our platform. Key vendors (AI model providers, payment processors, cloud infrastructure, market data providers) are selected based on their security certifications, compliance frameworks, and data handling practices. We maintain a vendor risk assessment process and require that critical vendors adhere to appropriate security standards.
8. Business Continuity & Disaster Recovery
We maintain business continuity and disaster recovery plans to ensure service availability. Our infrastructure is designed for high availability with automated failover capabilities. Database backups are performed continuously with point-in-time recovery support. Recovery procedures are tested regularly to ensure they meet our recovery time objectives.
9. Incident Response
We maintain a comprehensive incident response plan that includes:
- 24/7 automated monitoring with escalation procedures for detected anomalies
- Defined incident severity levels with corresponding response timelines
- Notification of affected users within 72 hours of a confirmed data breach, in accordance with applicable regulations
- Post-incident review and remediation to prevent recurrence
- Coordination with law enforcement when required
10. Compliance
We are committed to complying with applicable data protection and privacy regulations, including the California Consumer Privacy Act (CCPA), the General Data Protection Regulation (GDPR), and other relevant frameworks. Our security practices are aligned with industry standards including SOC 2 and OWASP guidelines. We regularly review and update our practices to stay current with evolving regulatory requirements and threat landscapes.
11. Responsible Disclosure
We value the security research community and welcome responsible disclosure of vulnerabilities. If you discover a security issue, please report it to us:
- Email: sechrllonquill.ai
- Please include a detailed description of the vulnerability and steps to reproduce
- Allow us reasonable time to investigate and remediate before public disclosure
- Do not access, modify, or delete other users' data during your research
We will acknowledge receipt within 48 hours and provide an initial assessment within 5 business days. We do not pursue legal action against researchers who act in good faith and comply with this policy.
12. Contact
For security-related inquiries, please contact us at:
Finquill, Inc.
Email: hello@finquill.ai