Security and compliance are important to Finix. We are committed to building and maintaining the highest security and compliance standards for our payments platform. This document covers both security and compliance standards and procedures.
If you have any questions or concerns, please contact Finix at firstname.lastname@example.org.
Finix is certified as a Level 1 Payment Card Industry Data Security Standard (PCI DSS) compliant service provider. Level 1 is the highest level of PCI compliance validation that a service provider storing, processing, and/or transmitting payment card data can obtain. As part of our commitment to the PCI DSS, Finix undergoes the required annual independent data security assessment performed by a Qualified Security Assessor (QSA). Our most recent PCI Attestation of Compliance (AoC) is available on request under a signed non-disclosure agreement with Finix.
SOC 2 - Type 2 compliance
Established by the American Institute of Certified Public Accountants (AICPA), SOC (System and Organization Controls) 2 defines a standardized set of risk-based control objectives for any Software as a Service (SaaS) company that stores, transmits, and/or processes customer data in the cloud. A SOC 2 - Type 2 report is an auditor's report that evaluates the operating effectiveness of a company's internal controls over a defined period of time, rather than at a single point in time. Our most recent SOC 2 - Type 2 report, covering the trust services criteria of security, availability, and confidentiality, is available on request under a signed non-disclosure agreement with Finix.
Finix uses HTTPS for all of its services, including the API and the Dashboard. The API endpoints are configured to reject plain HTTP connections, as is the authentication service (Auth0) used by the front-end Dashboard. Finix uses Transport Layer Security (TLS), the successor to Secure Sockets Layer (SSL), to protect data in transit. TLS matters because it prevents payment card details and personally identifiable information (PII) from being exposed while they travel over the internet.
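As an added illustration (not Finix's own client code), the following Python helper applies the same policy from the client side of an API integration: it refuses to build a request for any non-HTTPS URL, verifies the server's certificate chain and hostname, and will not negotiate anything below TLS 1.2 (PCI DSS classifies SSL and TLS 1.0/1.1 as "SSL/early TLS" and no longer permits them). The host api.example.com is a placeholder.

```python
import http.client
import ssl
from urllib.parse import urlparse

# Constructed example of a client-side transport policy for a payments API.
# The URL and host name are placeholders; this is not Finix's client code.


def https_only_url(url: str) -> str:
    """Refuse to build a request for any URL that is not https://.

    The server rejects plain HTTP, but a client that silently sends to an
    http:// URL would already have leaked card data or an API key on the
    wire before that rejection arrives, so the client refuses as well.
    """
    parsed = urlparse(url)
    if parsed.scheme.lower() != "https":
        raise ValueError(f"refusing non-HTTPS scheme {parsed.scheme!r} for {url}")
    if not parsed.hostname:
        raise ValueError(f"URL has no host: {url}")
    return url


def strict_tls_context() -> ssl.SSLContext:
    """TLS client context: chain and hostname verified, TLS 1.2 or newer only.

    create_default_context() already verifies the certificate against the
    system trust store and disables SSLv2/SSLv3; minimum_version additionally
    refuses TLS 1.0 and 1.1 so a downgrade to 'early TLS' cannot succeed.
    """
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def downgrade_refused(ctx: ssl.SSLContext) -> bool:
    """True if the context can neither skip verification nor go below TLS 1.2."""
    return (
        ctx.minimum_version >= ssl.TLSVersion.TLSv1_2
        and ctx.verify_mode == ssl.CERT_REQUIRED
        and ctx.check_hostname
    )


def build_api_connection(url: str) -> http.client.HTTPSConnection:
    """Wire the policy into a connection object; no socket is opened until request()."""
    parsed = urlparse(https_only_url(url))
    return http.client.HTTPSConnection(
        parsed.hostname,
        parsed.port or 443,
        context=strict_tls_context(),
        timeout=10,
    )


if __name__ == "__main__":
    conn = build_api_connection("https://api.example.com/transfers")
    print(conn.host, conn.port, downgrade_refused(strict_tls_context()))
```

If a library that follows redirects is used on top of this, the redirect target must pass https_only_url as well; otherwise a 301 to an http:// location reintroduces the plaintext hop the server-side rejection is meant to prevent.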
Encrypt sensitive data at rest
All customer data is encrypted at rest using strong, industry-standard cryptographic algorithms. As an added layer of protection, customer data is encrypted twice: by Finix before it is written (client-side encryption) and again by the cloud-hosted database provider (server-side encryption). Sensitive data is never rendered in plain text, and access to the encryption keys is restricted to the authorized Finix personnel responsible for securing, operating, and maintaining the platform.
Tokenize payment cards
Tokenization is the process of replacing sensitive data, such as a credit card number, with a non-sensitive surrogate value (a token) that carries no information about the original data and that only the token provider can validate and map back to the original value. When transacting with the Finix Gateway, we tokenize all payment card data and store the actual encrypted card values in a secure, PCI-compliant vault.
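To make the mechanism concrete, here is an added, self-contained Python sketch of vault-style tokenization (constructed for this page; it is not Finix's implementation). The token is a random string with no mathematical relation to the card number (PAN), so it can be stored, logged, and passed around outside the PCI scope; only the vault can translate it back. A keyed fingerprint index lets the same card map to the same token without storing a plain hash of the PAN, which would be brute-forceable because the PAN space is small. The vault keeps the PAN in a dictionary to stay runnable offline; a real vault would hold that store encrypted at rest. The test card numbers are the standard 4111... and 4242... values.

```python
import hashlib
import hmac
import re
import secrets

# Constructed example of vault-style tokenization (not Finix's implementation).

PAN_RE = re.compile(r"^\d{12,19}$")


def luhn_valid(pan: str) -> bool:
    """Mod-10 check that every card number must pass; rejects typos before vaulting."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


class CardVault:
    def __init__(self, index_key: bytes):
        # index_key is assumed to come from a key-management system; the HMAC
        # keeps the fingerprint index useless to anyone who obtains it without
        # the key (an unkeyed SHA-256 of a PAN can be brute-forced).
        self._index_key = index_key
        self._by_token = {}        # token -> PAN (encrypted at rest in a real vault)
        self._by_fingerprint = {}  # HMAC(PAN) -> token, for deterministic reuse

    def _fingerprint(self, pan: str) -> str:
        return hmac.new(self._index_key, pan.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, raw_pan: str) -> str:
        """Store the PAN and return a random surrogate; same card -> same token."""
        pan = re.sub(r"[\s-]", "", raw_pan)
        if not PAN_RE.match(pan) or not luhn_valid(pan):
            raise ValueError("input is not a well-formed card number")
        fp = self._fingerprint(pan)
        if fp in self._by_fingerprint:
            return self._by_fingerprint[fp]
        # Random token: nothing about the PAN is recoverable from it without the vault.
        token = "tok_" + secrets.token_urlsafe(18)
        self._by_token[token] = pan
        self._by_fingerprint[fp] = token
        return token

    def last_four(self, token: str) -> str:
        """Non-sensitive display data that may leave the vault with the token."""
        return self._by_token[token][-4:]

    def masked(self, token: str) -> str:
        pan = self._by_token[token]
        return "*" * (len(pan) - 4) + pan[-4:]

    def detokenize(self, token: str) -> str:
        """Only the gateway component that talks to the card networks should call this."""
        return self._by_token[token]


if __name__ == "__main__":
    vault = CardVault(b"constructed-index-key-not-for-production")
    tok = vault.tokenize("4111 1111 1111 1111")   # standard test PAN
    print(tok, vault.masked(tok), vault.detokenize(tok) == "4111111111111111")
```

The split between tokenize/masked (callable from anywhere) and detokenize (callable only from the component that needs the real PAN) is what shrinks the PCI DSS scope: every system that only ever sees tokens and the last four digits stays out of it.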
In addition to the procedures and processes listed above, Finix undergoes recurring vulnerability scanning and penetration testing performed by an Approved Scanning Vendor (ASV). All material findings are documented, reviewed, and remediated within 30 days of discovery.
A PGP key is used to encrypt sensitive data such as credit card information. Below is Finix's public PGP key.
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1
-----END PGP PUBLIC KEY BLOCK-----