It takes more than just saying “Bank-level security.”

Security

With team members from NCC Group and Palantir, and a former security consultant as CEO, it’s not hyperbole to say that security is in our DNA.

Security is a core requirement of trust, not just a box to tick.

Security in our Organization

We recognize that social engineering can be the easiest backdoor to many systems, so we place as much emphasis on securing our people and processes as we do our technology. To accomplish that, we have comprehensive security policies, extensive training across our company, and external auditing of our practices.

  • We are PCI-DSS v3.1 compliant and apply PCI standards when dealing with any cardholder information, including card numbers and associated billing data
  • All employees use two-factor authentication for both internal communication and access to Final systems
  • All employees undergo security training and use secure and encrypted communication channels for any sensitive information
  • Final maintains and regularly reviews logs of all system interaction and application behavior

Network and Servers

As a startup building from scratch, we can use technology that outperforms anything used in the past 30 years, and we adopt best practices as they evolve.

  • We encrypt all network traffic and require TLS 1.2 with HSTS and forward secrecy for all internal and external network communications
  • We take a 'deny by default' approach to network security for both incoming and outgoing traffic
  • We segment the network so that each type of server is isolated from the others, and no sensitive system is exposed directly to another or to the outside world
  • Only the few servers that need Internet access have it; most servers have neither Internet access nor Internet-routable IPs
  • Development and Production environments are isolated from each other with completely independent networks and no shared infrastructure
  • We believe in defense in depth and restrict access between services with both network-level and local firewall rules and software-level ACLs
  • Access to our secure network requires both a cryptographic signature and multi-factor authentication, with all production shell access limited to administrators through a bastion host
  • Our infrastructure undergoes periodic internal security scans and penetration testing by third party security experts
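The transport requirements listed above (TLS 1.2 or newer, HSTS, forward secrecy) are the kind of thing a defender wants to verify continuously rather than assert once. The following is an added example, not Final's own tooling: a small policy checker that evaluates an observed TLS handshake and HTTP response against those three requirements. The `TlsObservation` type, the `check_policy` function and the sample observations are all constructed for this illustration; `observe()` shows how a live probe would fill the same structure using only the Python standard library.

```python
import re
import socket
import ssl
from dataclasses import dataclass

# Minimum HSTS max-age we consider acceptable: one year (assumption for this example).
MIN_HSTS_MAX_AGE = 31536000


@dataclass
class TlsObservation:
    """What a probe sees: negotiated protocol, cipher suite and response headers."""
    protocol: str   # e.g. "TLSv1.2" as reported by ssl.SSLSocket.version()
    cipher: str     # e.g. "ECDHE-RSA-AES256-GCM-SHA384"
    headers: dict   # HTTP response headers with lower-cased names


def parse_hsts(value):
    """Split a Strict-Transport-Security header into a {directive: value} dict."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"')
    return directives


def has_forward_secrecy(cipher):
    """ECDHE/DHE suites use ephemeral keys; every TLS 1.3 suite (TLS_*) does too."""
    name = cipher.upper()
    return name.startswith(("ECDHE-", "DHE-", "TLS_"))


def check_policy(obs):
    """Return a list of policy violations (empty list means the observation passes)."""
    findings = []

    # 1. Protocol version: ssl reports TLS 1.0 as "TLSv1", later versions as "TLSv1.x".
    m = re.fullmatch(r"TLSv1(?:\.(\d))?", obs.protocol)
    minor = int(m.group(1)) if m and m.group(1) else 0
    if not m or minor < 2:
        findings.append(f"protocol {obs.protocol} is below TLS 1.2")

    # 2. Forward secrecy: key exchange must be ephemeral.
    if not has_forward_secrecy(obs.cipher):
        findings.append(f"cipher {obs.cipher} does not provide forward secrecy")

    # 3. HSTS: header present, long max-age, covers subdomains.
    hsts = obs.headers.get("strict-transport-security")
    if hsts is None:
        findings.append("missing Strict-Transport-Security header")
    else:
        d = parse_hsts(hsts)
        try:
            max_age = int(d.get("max-age", "0"))
        except ValueError:
            max_age = 0
        if max_age < MIN_HSTS_MAX_AGE:
            findings.append(f"HSTS max-age {max_age} is below {MIN_HSTS_MAX_AGE}")
        if "includesubdomains" not in d:
            findings.append("HSTS policy lacks includeSubDomains")
    return findings


def observe(host, port=443, timeout=5):
    """Live probe (network access required): negotiate TLS and read response headers."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            req = f"HEAD / HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n"
            tls.sendall(req.encode())
            raw = b""
            while b"\r\n\r\n" not in raw:
                chunk = tls.recv(4096)
                if not chunk:
                    break
                raw += chunk
            head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
            headers = {}
            for line in head.split("\r\n")[1:]:   # skip the status line
                name, _, val = line.partition(":")
                headers[name.strip().lower()] = val.strip()
            return TlsObservation(tls.version(), tls.cipher()[0], headers)


# Constructed sample observations (not real servers).
GOOD = TlsObservation("TLSv1.3", "TLS_AES_256_GCM_SHA384",
                      {"strict-transport-security": "max-age=63072000; includeSubDomains; preload"})
WEAK = TlsObservation("TLSv1", "AES128-SHA", {})
SHORT_HSTS = TlsObservation("TLSv1.2", "ECDHE-RSA-AES256-GCM-SHA384",
                            {"strict-transport-security": "max-age=300"})

if __name__ == "__main__":
    for label, obs in (("good", GOOD), ("weak", WEAK), ("short-hsts", SHORT_HSTS)):
        print(label, check_policy(obs) or "OK")
```

Running `check_policy(observe("example.invalid"))` against a real endpoint turns the bullet points into a repeatable check. Note that `observe()` negotiates with a modern client, so it reports the best protocol the server offers; proving that a server also refuses TLS 1.0 and 1.1 requires separate probes that are restricted to those versions.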

Software

Security is a process, not a product, so we write all of our software with security at the forefront of our process.

  • All of our applications interact with the same publicly available API
  • We peer review all software and configuration changes for security, compliance, and performance implications prior to publishing new versions of our API or customer applications
  • We track security alerts for all of our software and take an aggressive approach to software patches
  • All customer data is stored encrypted at rest
  • We employ third party security experts for software vulnerability audits

Disaster Recovery

While we can’t predict the next earthquake or power outage, we can have a plan in place that ensures zero downtime and zero data loss.

  • All Final services and infrastructure components have redundancy across geographic areas
  • We follow strict failover and incident response policies in the event that any system has an error or goes down
  • We test disaster recovery failover at least quarterly
  • Audit trails and transaction logs allow us to reconstruct data in the event that a backup system fails
  • Offsite backups of all data are taken through snapshots at a regular interval and stored securely

Security and Support

We’re here to help. If you have any questions or concerns about security, please contact us at support@getfinal.com.

Final’s team of support engineers is committed to providing you with the best experience possible. We’ll do our best to respond to any customer service or technical support issues efficiently and with care.

Reporting Vulnerabilities

Security vulnerabilities are an unfortunate but recognized issue in software. At Final we take them very seriously. We appreciate your help in notifying us of vulnerabilities in a responsible manner.

If you are a security researcher and have found a potential security vulnerability in our systems, please send details to security@getfinal.com.

PGP Keys

Matt Rothstein, Final Co-Founder and CTO
Fingerprint: A078 7621 C55E F348 63D3 4FD4 701F D966 5274 D790

Kyle Rankin, Vice President, Engineering Operations
Fingerprint: D663 9E99 7B05 1697 E06A 817E 7B97 044E BD77 0104