Security Fin Analytics

Security

At Fin, we recognize that our success is deeply tied to your trust in us and our ability to keep the information you share with us secure. This document is an overview of some of the approaches we take along with the customizable settings available to help you control your data. Feel free to follow up with our security team at security@finxpc.com for more details or if you have any questions or concerns.

Certifications and Compliance With Security Standards

Fin has completed the following compliance work:

  • SOC 2 Type 1 (report available for customers upon request under NDA)
  • Compliance with the requirements of a business associate under HIPAA (BAA available upon request)
  • GDPR compliance as a data processor
  • Support for customers with PCI compliance requirements
  • 3rd Party Pen Testing (report available upon request under NDA)

Software Testing

In Jul 2019, we had a formal, independent, third-party security group perform an audit of our security practices and conduct a penetration test. In addition, we periodically test and audit our code and application to look for potential security issues.

You may do your own testing of our client software and publicly available interfaces if you would like, but we ask that you don’t do any load testing, probing for Denial of Service (DoS) type vulnerabilities, or recurring scripting of our APIs. We cannot grant clients access to our system internals or source code for white box penetration testing. If you do find any issues, we ask that you disclose them responsibly. You may email us with any findings or questions at security@finxpc.com.

Data Storage and Transmission

All of the data you send us is encrypted both at rest and in transit.

We store the audio and video recordings you share with us on AWS S3. When stored on disk, they are encrypted using industry-standard AES-256 encryption. When they are in transit (such as when you upload or play back a recording), we transmit your data over HTTPS using certificates from valid public CAs. Connections will use the strongest available encryption that your browser supports, which on modern versions of Google Chrome is currently TLS 1.2 with an ECDHE RSA key exchange and AES_128_GCM ciphersuite. We also use HSTS headers to ensure your browser will only attempt to communicate with Fin over an encrypted connection.

Within our infrastructure, all communication happens over a virtualized private network (AWS VPC), meaning no data will travel over the public internet unencrypted.

Data Retention

By default, we will store your audio and video recordings on our server for 14 days. This is configurable upon request, and subject to the terms of your Enterprise License Agreement.

After the data retention period expires, it will be queued for permanent deletion.

Other information you share with us is stored for as long as we need it to provide you with our service. You can reach out to us if you wish to permanently delete all data associated with your account.

Fin’s Access to Your Data

Employees at Fin do NOT have the ability to log into our site as your organization or access your audio and video recordings, unless you explicitly create an account for us to grant us access (for example, for help configuring your settings or help diagnosing a bug or performance issue that only you are seeing).

Within our backend systems, only the security team has access to the S3 buckets we use to store your recordings. Security team members are NOT permitted through our policies to access your recordings, and all access is logged and reviewed by other members of the team. Engineers working on the application code use IAM roles that do NOT permit them to access recordings. While the application itself needs a role that has access to these videos in order to run, all code is reviewed before being deployed and all changes are logged. Any unusual use of this production role, such as someone on the site reliability team trying to manually assume it to run non-reviewed code and access a video, will trigger an alert, letting the security team know about the access to the role.

HIPAA Compliant Storage of Video Assets with Fin

When agents use the video screen recording feature of Fin Analytics, they may view sensitive / personal customer information in the CRM, internal tools, or other applications they have open on the screen. Because Fin has no way to automatically detect which videos contain sensitive / personal customer information vs which do not, Fin treats every video as if it contains personal data and/or electronic protected health information under HIPAA.

In addition, as noted above, we store all video/audio assets in a completely sandboxed environment, where only our security team can make infrastructure changes:

Security Diagram

  • No one at Fin can view recordings unless you explicitly grant us permission to do so for the purposes of debugging;

  • We ensure end-to-end encryption of video / audio data in flight and at rest;

  • We offer granular access controls you can use to configure who on your team can view videos; and

  • We also maintain audit logs (including IP addresses and user IDs) for all operations on video data (upload, view, delete, etc.) and automatically alert the security team whenever it appears someone outside of your organization accesses a recording.

We recently rolled out a new feature that allows customers to store recordings on their own AWS S3 servers. By doing this you would have control over who has access to the data, including the Fin Analytics app, and would be able to shut off Fin’s access at any time.

You can also set up automatic video redaction of potentially sensitive recordings. If you know there are certain websites where you never want video recorded, you can create a rule with a URL pattern, so that every time someone visits a site matching that pattern the video is automatically redacted.

How to Store Video Assets in a Customer Owned S3 Bucket

Although screen video storage with Fin is set up to meet stringent security and privacy requirements (including HIPAA), some customers prefer storing video assets in their own AWS environment.

The architecture for this setup is similar to how Fin stores video assets in a completely sandboxed AWS account:

Customer S3 Diagram

Under this configuration, the customer creates an S3 bucket in their own AWS environment and uses S3 bucket configuration to grant access to the Fin AWS role to perform the necessary operations on this bucket for video upload, playback, and deletion.

Customers can follow these instructions for configuring their own bucket for storage of Fin recordings.

Create a new bucket in your AWS environment. We’ll refer to the name of this bucket as __BUCKET_NAME__.

Enable versioning and object lock when creating a new bucket. This is important to get right at bucket creation, since you’ll have to reach out to AWS support to enable object lock on an existing bucket.

Set bucket default encryption to be AES-256.

2. Use IAM to Grant Fin Permission to Upload and Play Videos from this Bucket

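Set the following bucket policy (nb: replace __BUCKET_NAME__ with the actual bucket name, and remove the // annotations before applying it, since a bucket policy must be valid JSON and JSON does not allow comments):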

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowAccessFromFinBackend",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::478286987856:root" // 478286987856 is the id for the Fin AWS account. Make sure to get this exactly right.
      },
      "Action": [
        "s3:ListBucket", // so Fin can list videos in bucket
        "s3:ListBucketVersions", // for audit logging reports
        "s3:GetObject", // for video playback via presignedURLRequests from the Fin Analytics website
        "s3:DeleteObject", // so admins on your Fin account can delete videos from the Fin Analytics website
        "s3:DeleteObjectVersion", // so admins on your Fin account can delete videos from the Fin Analytics website
        "s3:BypassGovernanceRetention" // so admins on your Fin account can delete videos from the Fin Analytics website
      ],
      "Resource": ["arn:aws:s3:::__BUCKET_NAME__", "arn:aws:s3:::__BUCKET_NAME__/*"]
    },
    {
      "Sid": "AllowFinVideoUploadFromFinAuthenticatedCognitoUser",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::478286987856:root"
      },
      "Action": [
        "s3:PutObject", // so agents using Fin Chrome extension can upload with Cognito credentials
        "s3:PutObjectAcl", // so agents using Fin Chrome extension can upload with Cognito credentials
        "s3:PutObjectRetention" // so agents using Fin Chrome extension can upload with Cognito credentials
      ],
      "Resource": "arn:aws:s3:::__BUCKET_NAME__/${cognito-identity.amazonaws.com:sub}/*"
    },
    {
      "Sid": "DenyUnencryptedObjectUploads",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": [
        "arn:aws:s3:::__BUCKET_NAME__",
        "arn:aws:s3:::__BUCKET_NAME__/*"
      ],
      "Condition": {
        "StringNotEquals": {
          "s3:x-amz-server-side-encryption": "AES256" // require encryption
        }
      }
    },
    {
      "Sid": "DenyImproperAclObjectUploads",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": ["arn:aws:s3:::__BUCKET_NAME__", "arn:aws:s3:::__BUCKET_NAME__/*"],
      "Condition": {
        "StringNotEquals": {
          "s3:x-amz-acl": "bucket-owner-full-control" // require uploads to match customer desired ACL
        }
      }
    }
  ]
}
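
A pre-flight check for the annotated policy above, as an added example (not Fin's own tooling): it strips the // annotations, parses the result, and reports malformed S3 ARNs, ARNs outside the intended bucket, and Allow statements whose principal is not the Fin account. The bucket name "example-recordings", the function names and the sample policy are assumptions constructed for illustration.

```python
import json
import re

FIN_PRINCIPAL = "arn:aws:iam::478286987856:root"  # Fin account ARN as given on this page
S3_ARN = re.compile(r"^arn:aws:s3:::[a-z0-9][a-z0-9.-]{1,61}[a-z0-9](/.*)?$")
# Keeps JSON string literals (group 1); drops // annotations outside them.
COMMENT = re.compile(r'("(?:\\.|[^"\\])*")|//[^\n]*')

def strip_comments(text):
    return COMMENT.sub(lambda m: m.group(1) or "", text)

def as_list(value):
    return value if isinstance(value, list) else [value]

def lint_policy(text, bucket):
    """Return the problems found in an annotated bucket policy for `bucket`."""
    problems = []
    if "__BUCKET_NAME__" in text:
        problems.append("placeholder __BUCKET_NAME__ not replaced")
    prefix = f"arn:aws:s3:::{bucket}"
    for stmt in json.loads(strip_comments(text))["Statement"]:
        sid = stmt.get("Sid", "<no Sid>")
        for arn in as_list(stmt["Resource"]):
            if not S3_ARN.match(arn):
                problems.append(f"{sid}: malformed S3 ARN {arn}")
            elif arn != prefix and not arn.startswith(prefix + "/"):
                problems.append(f"{sid}: ARN is outside bucket {bucket}: {arn}")
        if stmt["Effect"] == "Allow":  # an Allow must name the Fin account only
            who = stmt["Principal"]
            granted = as_list(who.get("AWS", [])) if isinstance(who, dict) else [who]
            if granted != [FIN_PRINCIPAL]:
                problems.append(f"{sid}: unexpected Allow principal {granted}")
    return problems

# Constructed sample: two statements in the shape of the policy above, with the
# hypothetical bucket name "example-recordings" and one ARN missing a colon.
SAMPLE = """{"Version": "2012-10-17", "Statement": [
  {"Sid": "AllowAccessFromFinBackend", "Effect": "Allow",
   "Principal": {"AWS": "arn:aws:iam::478286987856:root"}, // Fin account
   "Action": ["s3:GetObject"], // playback
   "Resource": ["arn:aws:s3:::example-recordings", "arn:aws:s3:::example-recordings/*"]},
  {"Sid": "DenyImproperAclObjectUploads", "Effect": "Deny", "Principal": "*",
   "Action": "s3:PutObject",
   "Resource": ["arn:aws:s3:::example-recordings", "arn:aws:s3::example-recordings/*"],
   "Condition": {"StringNotEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}}}
]}"""

print("\n".join(lint_policy(SAMPLE, "example-recordings")))
```

A Deny statement whose Resource ARN is malformed or points elsewhere does not cover the uploads it was meant to block, so this check is worth running before the policy is attached.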

PCI Compliance

We are set up to help you comply with PCI DSS requirements when recording video or audio that contains cardholder data. Recordings are encrypted at rest and in transit, are not queryable, and can be deleted (or set to delete) at any time. You have control over who can access the recordings, and can review access logs (which include IP addresses). You can also require employees who access videos to use separate user IDs and passwords along with multi-factor authentication. And you can block certain videos from being recorded by setting up URL pattern based blacklists.

You can learn more about maintaining PCI compliance while recording cardholder data here.

Configurable Access Controls

We enable you to limit the permissions each user in your organization has by assigning them roles based on the kind of data they are allowed to access.  We currently offer three roles: Member, Manager, and Admin.

Members can only see their own data on the site. This includes their own recordings, along with any events generated by their use of the extension.  Admins can choose to disable this and block Members from accessing their own recordings.

Managers can see recordings and event data for anyone in the organization, but they can’t change the global settings for your organization. You can choose to set up a Manager’s direct reports within our system, and can limit their access so that they can only see the recordings of their direct reports.

Admins can see all data, including recordings, and configure all settings for the organization.

Whenever users (of any role) access a recording on the site, that access is logged. These logs are available to customers upon request.

You can revoke access to users who no longer need it by deleting them. By default, deleted users are “soft-deleted”, meaning we expire their sessions and no longer allow them to log in, but we do not delete any of the data they’ve already uploaded so it is still available to you. If you want to permanently delete a user’s data, you can do so from the dashboard.

Blocking Videos from Being Recorded

Fin Analytics also allows you to set up URL pattern based blacklists, meaning that if a user’s browser is on a URL you have added to the blacklist, the recording will not be uploaded to Fin Analytics. If you realize after the fact that sensitive information was visible in a recording, you can delete that recording from the dashboard.

Contact the Security Team

You may contact our security team at security@finxpc.com for more details or if you have any questions or concerns about this document.

