How Finsensa protects your data and your clients' data
All data transmitted between your browser and Finsensa is encrypted using TLS 1.2 or higher. We enforce HTTPS across all endpoints. Connections over plain HTTP are rejected.
Client financial data, documents, and generated credit packs are encrypted at rest using AES-256. Encryption keys are managed separately from the data they protect.
Access to your account and your clients' data is controlled by authenticated sessions with short-lived tokens. Each firm's data is logically isolated — no cross-tenant data access is possible by design. Our team's internal access to production data is restricted on a least-privilege basis and logged.
Finsensa uses read-only Open Banking connections. We never receive or store your clients' banking credentials. Bank connections are established through FCA-regulated Open Banking providers and can be revoked by your client at any time through their banking app.
Case data is retained for as long as your account is active. You can delete individual cases or request full account deletion at any time. Deleted data is purged from backup systems within 30 days.
In the event of a security incident that affects your data, we will notify affected users within 72 hours in line with UK GDPR requirements. We will provide a clear description of what happened, what data was affected, and what steps we are taking.
If you discover a security vulnerability in Finsensa, please report it responsibly to security@finsensa.com. We will acknowledge your report within 48 hours and keep you updated on our response. We do not pursue legal action against good-faith security researchers.
For security questions or concerns: security@finsensa.com