At Fin, we recognize that our success is deeply tied to your trust in us and our ability to keep the information you share with us secure.
Fin does not require access to the personal data of your customers in order to provide services to you. Any personal data of your customers that you chose to pass on to Fin, and some of the personal data of your employees (referred to herein as “agents”), will be captured in recordings (which are an optional feature).
Outside of recordings, the only personal data we collect through metrics are: agent's name, agent's relationship to you (our customer), agent's IP address, agent's performance benchmarking, and agent's browsing history.
Twice a year we have an independent, third-party security group conduct a penetration test. In addition to our own annual internal audit, we have an independent, third-party security group perform an annual audit of our security practices.
Furthermore, we periodically test and audit our code and application to look for potential security issues.
You may do your own testing of our client software and publicly available interfaces if you would like, but we ask that you don’t do any load testing, probing for Denial of Service (DOS) type vulnerabilities, or recurring scripting of our API’s.
We cannot grant clients access to our system internals or source code for white box penetration testing. If you do find any issues, we ask that you disclose them responsibly.
You may email us with any findings or questions at email@example.com.
When agents use the video screen recording feature of Fin, they may view sensitive / personal customer information in the CRM, internal tools, or other applications they have open on the screen. Because Fin has no way to automatically detect which videos contain sensitive / personal customer information vs which do not, Fin treats every video as if it contains personal data and/or electronic protected health information under HIPAA. Fin is happy to enter into a BAA with customers who are covered entities.
To minimize personal health information collection, you can set up automatic video redaction of potentially sensitive recording. If you know there are certain websites where you never want video recorded, you can create a rule with URL pattern where every time someone visits that site matching that pattern the video is automatically redacted.
By default, we will store your audio and video recordings on our server for 14 days. This is configurable upon request, and subject to the terms of your Enterprise Subscription Agreement.
After the data retention period expires, it will be queued for permanent deletion. We keep information which you provide to us outside of recordings until you request deletion or in accordance with the terms of any data processing agreement which we enter into with you. You can reach out to us through your account rep, firstname.lastname@example.org, or at email@example.com if you wish to permanently delete all data associated with your account.
Fin also allows you to set up URL pattern based blacklists, meaning that if a user’s browser is on a URL you have added to the blacklist, the recording will not be uploaded to Fin. If you realize after the fact that sensitive information was visible in a recording, you can delete that recording from the dashboard.
Create a new bucket in your AWS environment with the following REQUIRED settings. (We’ll refer to the name of this bucket as __BUCKET_NAME__.)
NB. Make sure to correctly configure these require settings on bucket creation, since you’ll have to reach out to AWS support to change these settings for an existing bucket (or potentially delete and recreate your bucket).
NB. Changes made to your Fin default retention settings will not be reflected in objects that have already been uploaded to your bucket; eg, if your retention settings are set to 14 days, when a recording is uploaded, its expiration will be set to 14 days from the time of upload. If you subsequently change your Fin retention settings to 7 days, the expiration for the object previously uploaded to your bucket will NOT change to reflect the shorter retention window.
FNB. You MUST include the required statements from the Example S3 Policies for Customer-Managed Fin Recording Data Buckets: Example Bucket Policy with AES256 Encryption.
Customers who store video assets in an S3 bucket on their own AWS account can limit access to these videos using an IP address whitelist. See these instructions from AWS and the Example Bucket Policy with AES256 Encryption and IP Address Whitelisting for more detail.
Versioning: enabled and Object lock: enabled.
We store the audio and video recordings you share with us on AWS S3. When stored on disk they are encrypted using industry-standard AES-256 encryption. When they are in transit, (such as when you upload or play back a recording) we transmit your data over HTTPS using certificates from valid public CAs. Data in transit is sent using HTTPS using certificates from valid public CAs.
Connections will use the strongest available encryption that your browser supports. We also use HSTS headers to ensure your browsers will only attempt to communicate with Fin over an encrypted connection.
Within our infrastructure, all communication happens over a virtualized private network (AWS VPC), meaning no data will travel over the public internet unencrypted.
Employees at Fin do NOT have the ability to log into our site as your organization or access your audio and video recordings, unless you explicitly create an account for us to grant us access (for example, for help configuring your settings or help diagnosing a bug or performance issue that only you are seeing).
Within our backend systems only select members of the security team have access to the S3 buckets we use to store your recordings and security team members are NOT permitted through our policies to access your recordings unless explicitly requested by a customer. In the event a security team member accesses a recording, the access is logged and the entire security team is alerted. Other members of the security team review the logs to ensure compliance. Engineers working on the application code use IAM roles that do NOT permit them to access recordings.
While the application itself needs a role that has access to these videos in order to run, all code is reviewed by another engineer before being deployed and all changes are logged.
You can choose to block Members from viewing their recordings, event data, and personal dashboards.
You can choose to limit on Admin, Manager, or Viewer’s access so that they can only see the recordings of users with certain tags and/or users that report to them and their reports
Managers CANNOT change the role of another user to or from Admin