Security
Month-end actuals are board-material data. We treat them that way.
P&L actuals, budget-vs-actual variances, and working capital figures are material non-public financial information for many organizations. This page explains how Finwren handles that data — for FP&A analysts, CFOs, and the IT and compliance teams who evaluate vendor access before onboarding.
Architecture
Three principles, enforced at the infrastructure level
Data Isolation
Each analysis session runs in an isolated compute context. Your actuals are not co-mingled with another organization's data. Tenant isolation is enforced at the infrastructure level — not just in application logic.
Encryption in Transit
All data transmitted between your browser and Finwren is encrypted using TLS 1.3. Older protocol versions (TLS 1.0, 1.1, SSLv3) are rejected at the connection layer. Certificate infrastructure follows current CA/Browser Forum Baseline Requirements.
No Persistent Storage
Uploaded financial data is not retained after your session ends. There is no long-term data lake of your actuals, no background retention for model improvement. The analysis output exists in your active session and in any exports you generate — nowhere else.
Compliance posture
Designed for financial-data environments
These are design-level commitments, not formal audit attestations. Finwren has not completed a SOC 2 Type II examination. What follows describes how the architecture is designed — the controls in place and the intent behind them. IT reviewers evaluating vendor onboarding: contact us directly at [email protected] with any specific questions.
Designed with SOC 2 controls
Finwren's technical architecture is designed with reference to SOC 2 Trust Services Criteria — specifically the Security and Availability categories. This is a design-level commitment, not a formal attestation.
GDPR-ready data handling
For organizations with EU data subjects, Finwren's session-only data model is designed to minimize personal data exposure. No behavioral tracking or third-party advertising scripts are embedded in the product interface.
Access controls
Finwren uses least-privilege access controls for internal systems. No individual team member has unscoped access to customer session data. Access logging is active.
No AI training on your data
Your uploaded financial actuals are not used to train or fine-tune any machine learning model. The variance attribution engine runs inference — it does not learn from your specific data.
Responsible disclosure
Security questions and disclosures
If you have identified a potential security issue, or if you are conducting a vendor evaluation and need specific information about our data handling posture, reach out directly. We respond to every security inquiry personally.
Finwren
55 Water Street, Floor 28, New York, NY 10041