Security
We take the security of your financial data seriously. Here’s how we protect it and what you can expect.
Overview
Finn is built to handle sensitive financial information safely. We use encryption, read-only access to your accounts, and trusted partners so you can get insights without compromising your security. This page summarizes how we protect your data; for full legal and compliance details, see Legal Overview and our Privacy Policy.
How we protect your data
Encryption
- Data in transit: All data moving between your device and our systems is encrypted with TLS (e.g. TLS 1.3).
- Data at rest: Sensitive data is encrypted at rest using strong encryption (e.g. AES-256) so it stays protected in our systems.
- Keys: We use secure key management and rotation so encryption keys are stored and used safely.
Access and infrastructure
- Access controls: Access to your data is limited to what’s needed to run the service. We use role-based access and regular reviews.
- Authentication: Where we manage accounts, we support strong authentication (e.g. multi-factor) to reduce the risk of unauthorized access.
- Monitoring: We monitor our systems for suspicious activity and have processes to respond to security incidents.
What we don’t do
- We do not store your bank or card login credentials. You connect through secure, industry-standard flows (e.g. OAuth or aggregator-hosted login); credentials stay with your bank or our aggregation partners.
- Finn has read-only access to your financial data. We cannot move money, make payments, or change your account settings.
AI and data flow
How we use AI
We use AI only to communicate with you—to power the conversational experience (e.g. answering questions, summarizing spending, and explaining your finances). Your data is not used to train third-party models or sent to external AI providers for that purpose. We host our own AI models that interact with you, so your conversations and financial context stay within our controlled infrastructure.
How your data moves
- API to database: Your data is securely transferred over TLS via our APIs and stored in our Postgres database. We do not persist your data in third-party AI or analytics systems beyond what’s needed to run the service.
- Supabase (Postgres and backend): We use Supabase for our database and related backend services. Supabase provides:
  - Encryption: Data encrypted at rest (AES-256) and in transit (TLS). Sensitive items like access tokens and keys are encrypted at the application level before storage.
  - Compliance: Supabase is SOC 2 Type 2 compliant and regularly audited; you can read more at Security at Supabase.
  - Infrastructure controls: Role-based access control, multi-factor authentication for accounts, daily backups for paid databases (with Point-in-Time Recovery available), DDoS protection (e.g. via CDN and brute-force prevention), and vulnerability management including regular penetration testing and automated scanning.
- AWS (AI and locked environment): Our AI models and related workloads run on AWS in a locked-down environment that is only accessible by our team. We use strict access controls, network isolation, and least-privilege permissions so your data is processed only within this controlled environment.
Bank connections
Your bank and card connections are handled by trusted aggregation partners. We use Quiltt, which works with providers such as Finicity (Mastercard Open Banking) and MX. These partners:
- Connect to your institution through secure, API-based flows
- Are used by thousands of financial apps and institutions
- Maintain certifications such as SOC 2 Type II and PCI compliance where applicable
We never see or store your banking username or password. For more detail, see Bank Connections and the “How we connect” and “Security & Privacy” sections there.
Messaging channel security
Finn reaches you over the same messaging apps you already use: iMessage (Apple), WhatsApp, and RCS (e.g. Google Messages). We don’t run our own messaging network—we use these providers to send and receive messages securely. Here’s how each channel protects your conversations, with links to the providers’ own security documentation.
iMessage (Apple)
When you use Finn over iMessage:
- End-to-end encryption: Messages and attachments are encrypted so only you and the recipient can read them. Apple states that it does not store message content or attachments and cannot decrypt them. Encryption is built in; there is no way to turn it off.
- Keys: Your device generates encryption and signing keys; public keys are registered with Apple’s Identity Directory Service (IDS) so messages can be delivered. Private keys stay on your device.
- Extra protections: Apple uses BlastDoor sandboxing in the Messages app to limit the impact of malicious content, and offers Contact Key Verification (iOS 17+) so you can confirm you’re talking to the right person. Lockdown Mode is available for users who need stronger protection against targeted attacks.
- Storage: When a passcode or password is set, messages stored on your device are encrypted and cannot be read without unlocking it. Messages included in iCloud Backup or synced with Messages in iCloud can also be encrypted.
For full technical details, see Apple’s iMessage security overview and How iMessage sends and receives messages in the Apple Platform Security guide.
WhatsApp
When you use Finn over WhatsApp:
- End-to-end encryption: WhatsApp uses end-to-end encryption by default for chats, calls, and media. Only you and the person you’re messaging can read or hear the content; WhatsApp and third parties cannot access it. Encryption is always on and cannot be disabled.
- Signal Protocol: Encryption is based on the Signal Protocol (designed by Open Whisper Systems). It uses strong key exchange and forward secrecy so that even if keys are compromised later, previously sent messages cannot be decrypted.
- Scope: Encryption covers one-on-one and group messages, photos, videos, voice messages, documents, status updates, and voice and video calls.
WhatsApp publishes a technical whitepaper and maintains a Security page with more on how they protect your data.
RCS (e.g. Google Messages)
When you use Finn over RCS (such as in Google Messages):
- End-to-end encryption when available: When both you and your contact use Google Messages with RCS chats turned on, conversations can use end-to-end encryption by default. In that case, only the devices in the conversation have the keys; Google and others cannot read the content. You can verify encryption in the conversation details.
- TLS when E2E isn’t in use: RCS chats via Google use Transport Layer Security (TLS) so that messages in transit are encrypted even when end-to-end encryption is not active (e.g. when the other party uses a different app or RCS is off).
- How RCS works: RCS (Rich Communication Services) is an industry standard (e.g. GSMA); your RCS service may be provided by Google or your carrier. Messages are sent over the internet. When E2E is active, keys are on the devices and messages are encrypted in transit.
- SMS/MMS: If you send or receive as SMS or MMS (e.g. “Text message” in Google Messages), those go through your carrier and are not end-to-end encrypted by Finn or Google. We recommend using RCS or another E2E-capable channel when possible for sensitive conversations.
For more, see Google’s How RCS chats keep your conversations secure and Use end-to-end encryption in Google Messages.
Summary
| Channel | End-to-end encryption | Official security info |
|---|---|---|
| iMessage | Yes, by default; Apple cannot decrypt | Apple iMessage security |
| WhatsApp | Yes, by default (Signal Protocol); always on | WhatsApp Security, E2E encryption |
| RCS (Google Messages) | Yes, by default when both use Google Messages with RCS; otherwise TLS in transit | RCS security, E2E in Messages |
We rely on these providers to secure the transport of your messages. Our own systems then protect your data as described in How we protect your data and AI and data flow.
Compliance & standards
We align with industry and regulatory expectations so you can trust how your data is handled:
- Financial privacy: We follow applicable financial privacy laws (e.g. GLBA-style safeguards) and disclose our practices in our Privacy Policy.
- Data protection: We respect regulations such as GDPR, CCPA, and other applicable data protection laws.
- Industry standards: We work toward or maintain standards such as SOC 2 Type II, PCI DSS where relevant, and follow security best practices (e.g. NIST-style controls) where appropriate.
Our Legal Overview has a more detailed compliance summary and status.
Your control
You stay in control of your data:
- Disconnect anytime: You can disconnect bank accounts, Gmail, or other linked services at any time from your account or app.
- Delete your data: You can request deletion of your account and associated data in line with our Privacy Policy.
- Transparency: We document what we collect and how we use it in our Privacy Policy and Terms of Service.
Learn more
| Topic | Where to read |
|---|---|
| Privacy and data use | Privacy Policy |
| Legal and compliance | Legal Overview |
| Bank connection security | Bank Connections |
| Terms of use | Terms of Service |
| Database and platform security (Supabase) | Security at Supabase |
| iMessage security (Apple) | iMessage security overview |
| WhatsApp security | WhatsApp Security, E2E encryption |
| RCS / Google Messages security | How RCS chats keep conversations secure, E2E encryption |
If you have a security concern or want to report something, contact us through the app or your usual support channel.
