Fin Trust Center

At Fin, we recognize that our success is deeply tied to your trust in us and our ability to keep the information you share with us secure.

Fin does not require access to the personal data of your customers in order to provide services to you. Any personal data of your customers that you chose to pass on to Fin, and some of the personal data of your employees (referred to herein as “agents”), will be captured in recordings (which are an optional feature).

Outside of recordings, the only personal data we collect through metrics are: agent's name, agent's relationship to you (our customer), agent's IP address, agent's performance benchmarking, and agent's browsing history.

HIPAA
GDPR
ISO 27701 & 27001
SOC 2

Certifications and Compliance With Security Standards

Fin has completed the following compliance work and offers the following features

SOC2 Type 2 Certification by Coalfire

ISO 27001 and ISO 27701 Certification by Coalfire

GDPR Features

Third Party Penetration Testing

HIPAA Solutions

Configurable Data Retention

Blocking Content from Being Recorded

Storage Options for your most Sensitive Data

Data Encryption in Transit and at Rest

Fin's Access to Your Data

Configurable Access controls for your Employees,
Managers, and Admins

Software Testing

Twice a year we have an independent, third-party security group conduct a penetration test. In addition to our own annual internal audit, we have an independent, third-party security group perform an annual audit of our security practices.

Furthermore, we periodically test and audit our code and application to look for potential security issues.

You may do your own testing of our client software and publicly available interfaces if you would like, but we ask that you don’t do any load testing, probing for Denial of Service (DOS) type vulnerabilities, or recurring scripting of our API’s.

We cannot grant clients access to our system internals or source code for white box penetration testing. If you do find any issues, we ask that you disclose them responsibly.

You may email us with any findings or questions at security@fin.com.

HIPAA Compliant Storage of Video Assets with Fin

When agents use the video screen recording feature of Fin, they may view sensitive / personal customer information in the CRM, internal tools, or other applications they have open on the screen. Because Fin has no way to automatically detect which videos contain sensitive / personal customer information vs which do not, Fin treats every video as if it contains personal data and/or electronic protected health information under HIPAA. Fin is  happy to enter into a BAA with customers who are covered entities.

To minimize personal health information collection, you can set up automatic video redaction of potentially sensitive recording. If you know there are certain websites where you never want video recorded, you can create a rule with URL pattern where every time someone visits that site matching that pattern the video is automatically redacted.

Data Retention

By default, we will store your audio and video recordings on our server for 14 days. This is configurable upon request, and subject to the terms of your Enterprise Subscription Agreement.

After the data retention period expires, it will be queued for permanent deletion. We keep information which you provide to us outside of recordings until you request deletion or in accordance with the terms of any data processing agreement which we enter into with you. You can reach out to us through your account rep, privacy@fin.com, or at data@fin.com if you wish to permanently delete all data associated with your account.

Blocking Videos from Being Recorded

Fin also allows you to set up URL pattern based blacklists, meaning that if a user’s browser is on a URL you have added to the blacklist, the recording will not be uploaded to Fin. If you realize after the fact that sensitive information was visible in a recording, you can delete that recording from the dashboard.

Fin Service

1. Create an S3 Bucket in us-east-1 with Required Security Settings

Create a new bucket in your AWS environment with the following REQUIRED settings. (We’ll refer to the name of this bucket as __BUCKET_NAME__.)

{{highlight}}

{{highlight-2}}

{{highlight-3}}

NB. Make sure to correctly configure these require settings on bucket creation, since you’ll have to reach out to AWS support to change these settings for an existing bucket (or potentially delete and recreate your bucket).

NB. Changes made to your Fin default retention settings will not be reflected in objects that have already been uploaded to your bucket; eg, if your retention settings are set to 14 days, when a recording is uploaded, its expiration will be set to 14 days from the time of upload. If you subsequently change your Fin retention settings to 7 days, the expiration for the object previously uploaded to your bucket will NOT change to reflect the shorter retention window.

2. Use IAM to Grant Fin Permission to Upload and Play Videos from this Bucket

FNB. You MUST include the required statements from the Example S3 Policies for Customer-Managed Fin Recording Data Buckets: Example Bucket Policy with AES256 Encryption.

3. Limiting Access to Video Assets with an IP Address Whitelist

Customers who store video assets in an S3 bucket on their own AWS account can limit access to these videos using an IP address whitelist. See these instructions from AWS and the Example Bucket Policy with AES256 Encryption and IP Address Whitelisting for more detail.

REQUIRED SETTING.

Bucket default encryption: AES-256.

REQUIRED SETTING.

Region: us-east-1.

REQUIRED SETTING.

Versioning: enabled and Object lock: enabled.

Data Storage and Transmission

All of the data you send us is encrypted both at rest and in transit.

We store the audio and video recordings you share with us on AWS S3. When stored on disk they are encrypted using industry-standard AES-256 encryption. When they are in transit, (such as when you upload or play back a recording) we transmit your data over HTTPS using certificates from valid public CAs. Data in transit is sent using HTTPS using certificates from valid public CAs.

Connections will use the strongest available encryption that your browser supports. We also use HSTS headers to ensure your browsers will only attempt to communicate with Fin over an encrypted connection.

Within our infrastructure, all communication happens over a virtualized private network (AWS VPC), meaning no data will travel over the public internet unencrypted.

Fin’s Access to your Data

Employees at Fin do NOT have the ability to log into our site as your organization or access your audio and video recordings, unless you explicitly create an account for us to grant us access (for example, for help configuring your settings or help diagnosing a bug or performance issue that only you are seeing).

Within our backend systems only select members of the security team have access to the S3 buckets we use to store your recordings and security team members are NOT permitted through our policies to access your recordings unless explicitly requested by a customer. In the event a security team member accesses a recording, the access is logged and the entire security team is alerted. Other members of the security team review the logs to ensure compliance. Engineers working on the application code use IAM roles that do NOT permit them to access recordings.

While the application itself needs a role that has access to these videos in order to run, all code is reviewed by another engineer before being deployed and all changes are logged.

Configurable Access Controls

We enable you to limit the permissions each user in your organization has by assigning them roles based on the kind of data they are allowed to access. We currently offer four roles: Member, Viewer, Manager, and Admin.

Whenever users (of any role) access a recording on the site, that access is logged. These logs are available to customers upon request.

You can revoke access to users who no longer need it by deleting them. By default, deleted users are “soft-deleted”, meaning we expire their sessions and no longer allow them to log in, but we do not delete any of the data they’ve already uploaded so it is still available to you. If you want to permanently delete a user’s data, you can do so from the dashboard.

These roles enable the following actions:

members
viewers
managers
admins
Record Data
View own recordings
and event data
1
View recordings & event
data of other team members
2
2
2
View own personal dashboard
1
View other dashboards
Change settings for
individual users
3
Change global setting
for organization
Invite new members
to organization

Yes

No

1

You can choose to block Members from viewing their recordings, event data, and personal dashboards.

2

You can choose to limit on Admin, Manager, or Viewer’s access so that they can only see the recordings of users with certain tags and/or users that report to them and their reports

3

Managers CANNOT change the role of another user to or from Admin

Please contact our security team to inquire for further details or questions.

contact fin security