Security Fin Analytics

Security

At Fin, we recognize that our success is deeply tied to your trust in us and our ability to keep the information you share with us secure. This document is an overview of some of the approaches we take along with the customizable settings available to help you control your data. Feel free to follow up with our security team at security@finxpc.com for more details or if you have any questions or concerns.

Data Storage and Transmission

All of the data you send us is encrypted both at rest and in transit.

We store the audio and video recordings you share with us on AWS S3. When stored on disk they are encrypted using industry-standard AES-256 encryption. While in transit (such as when you upload or play back a recording), we transmit your data over HTTPS using certificates from valid public CAs. Connections will use the strongest available encryption that your browser supports, which on modern versions of Google Chrome is currently TLS 1.2 with an ECDHE-RSA key exchange and the AES_128_GCM ciphersuite. We also use HSTS headers to ensure your browser will only attempt to communicate with Fin over an encrypted connection.

Within our infrastructure, all communication happens over a virtualized private network (AWS VPC), meaning no data will travel over the public internet unencrypted.

Data Retention

By default, we will store your audio and video recordings on our servers for 90 days. This is configurable by admins within your organization.

After the specified amount of time has passed since a recording gets created, it will be queued for permanent deletion.

Other information you share with us is stored for as long as we need it to provide you with our service. You can reach out to us if you wish to permanently delete all data associated with your account.

Fin’s Access to Your Data

Employees at Fin do not have the ability to log into our site as your organization and see your data, unless you were to explicitly create an account for us to grant us access (for example, for help configuring your settings or help diagnosing a bug or performance issue that only you are seeing).

Within our backend systems only the security team has access to the S3 buckets we use to store your recordings, and any access to the recordings is logged and reviewed by other members of the team. Engineers working on the application code have roles that do not permit them to access recordings. While the application itself needs a role that has access to these videos in order to run, all code is reviewed before being deployed and all changes are logged. Any unusual use of this production role — such as someone on the site reliability team trying to manually assume it to run non-reviewed code and access a video — will trigger an alert, letting the security team know about the unauthorized access.
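As an added illustration of the kind of alerting described above (example code, not Fin's own), the following runs two rules over constructed CloudTrail-style events: flag an AssumeRole of the production application role by anything other than the AWS service that runs the application, and flag a read from the recordings bucket by a session that is not the application's or the security team's. The role ARN, bucket name, service list and events are all hypothetical.

```python
"""Detect unexpected use of the production application role. Constructed example,
not Fin's code: role names, bucket name and log events are hypothetical and only
mimic the shape of AWS CloudTrail records (just the fields used here)."""
from typing import Iterable, Optional

PROD_APP_ROLE = "arn:aws:iam::123456789012:role/prod-app"  # hypothetical
RECORDINGS_BUCKET = "example-recordings-bucket"             # hypothetical
# Only AWS services running the deployed application may obtain the prod role.
ALLOWED_ROLE_CALLERS = {"ec2.amazonaws.com", "ecs-tasks.amazonaws.com"}
# Only the application's own session and the security team may read recordings.
ALLOWED_RECORDING_READERS = {"prod-app", "security-team"}

def session_role(event: dict) -> str:
    """Role name behind an assumed-role session ARN ('' for anything else)."""
    parts = event.get("userIdentity", {}).get("arn", "").split(":assumed-role/")
    return parts[1].split("/")[0] if len(parts) == 2 else ""

def suspicious(event: dict) -> Optional[str]:
    """Return an alert reason for this event, or None if it looks normal."""
    ident, params = event.get("userIdentity", {}), event.get("requestParameters", {})
    who = ident.get("arn", "unknown")
    if event.get("eventName") == "AssumeRole" and params.get("roleArn") == PROD_APP_ROLE:
        # invokedBy names the AWS service assuming the role for a workload;
        # a human session or IAM user has no invokedBy, so it is flagged.
        if ident.get("invokedBy") not in ALLOWED_ROLE_CALLERS:
            return "manual AssumeRole of production role by " + who
    if event.get("eventName") == "GetObject" and params.get("bucketName") == RECORDINGS_BUCKET:
        if session_role(event) not in ALLOWED_RECORDING_READERS:
            return "recording read outside the application role by " + who
    return None

def alerts(events: Iterable[dict]) -> list:
    """Run every event through the rules and collect the alert reasons."""
    return [r for r in (suspicious(e) for e in events) if r]

def ev(name: str, ident: dict, params: dict) -> dict:
    """Build a minimal constructed CloudTrail-like record."""
    return {"eventName": name, "userIdentity": ident, "requestParameters": params}

# Constructed sample events: the first and third are normal application activity.
SRE = {"type": "AssumedRole", "arn": "arn:aws:sts::123456789012:assumed-role/sre-engineer/alice"}
APP = {"type": "AssumedRole", "arn": "arn:aws:sts::123456789012:assumed-role/prod-app/i-0abc"}
SAMPLE_EVENTS = [
    ev("AssumeRole", {"type": "AWSService", "invokedBy": "ecs-tasks.amazonaws.com"}, {"roleArn": PROD_APP_ROLE}),
    ev("AssumeRole", SRE, {"roleArn": PROD_APP_ROLE}),
    ev("GetObject", APP, {"bucketName": RECORDINGS_BUCKET, "key": "org1/rec.webm"}),
    ev("GetObject", SRE, {"bucketName": RECORDINGS_BUCKET, "key": "org1/rec.webm"}),
]
```

Running `alerts(SAMPLE_EVENTS)` yields two alerts, both for the SRE session, while the service-initiated AssumeRole and the application's own read pass silently.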

Configurable Access Controls

We enable you to limit the permissions each user in your organization has by assigning them roles based on the kind of data they are allowed to access. We currently offer three roles: Member, Manager, and Admin.

Members can only see their own data on the site. This includes their own recordings, along with any events generated by their use of the extension. Admins can choose to disable this and block Members from accessing their own recordings.

Managers can see recordings and event data for anyone in the organization, but they can’t change the global settings for your organization. You can choose to set up a Manager’s direct reports within our system, and can limit their access so that they can only see the recordings of their direct reports.

Admins can see all data, including recordings, and configure all settings for the organization.

Whenever users (of any role) access a recording on the site, that access is logged. These logs are not yet made available in the application, but if you are concerned about unauthorized access within your organization you can always reach out to us for help.

You can revoke access to users who no longer need it by deleting them. By default, deleted users are “soft-deleted”, meaning we expire their sessions and no longer allow them to log in, but we do not delete any of the data they’ve already uploaded so it is still available to you. If you want to permanently delete a user’s data, you can do so from the dashboard.

Blocking Videos from Being Recorded

Fin Analytics also allows you to set up URL-pattern-based blacklists, meaning that if a user’s browser is on a URL matching a pattern you have added to the blacklist, the recording will not be uploaded to Fin Analytics. If you realize after the fact that sensitive information was visible in a recording, you can delete that recording from the dashboard.

Compliance With Security Standards

Our security program has been designed to enable us to comply with the business associate requirements under HIPAA. We’re now in the process of getting a SOC 2 Type 1 report done and expect that to be completed by June 2019, with the Type 2 report to follow as soon as possible after that.

Software Testing

We periodically test and audit our code and application to look for potential security issues. We have also worked with external security consultants in the past to make sure we are meeting industry standards and current best practices.

We have not yet had a formal independent, third-party security audit, but we plan to do so in the near future.

You may do your own testing of our client software and publicly available interfaces if you would like, but we ask that you don’t do any load testing, probing for Denial of Service (DoS) type vulnerabilities, or recurring scripting of our APIs. We cannot grant clients access to our system internals or source code for white-box penetration testing. If you do find any issues, we ask that you disclose them responsibly. You may email us with any findings or questions at security@finxpc.com.
