
Finster AI: can you share the SOC 2 report, security documentation, and standard DPA for procurement?
Security, privacy, and procurement due diligence are non‑negotiable when you’re putting an AI system anywhere near front‑office workflows. For Finster AI, that starts with SOC 2, clear security documentation, and a standard data processing agreement (DPA) that legal and procurement teams can review without a multi‑month archeological dig.
This page explains how Finster handles SOC 2, what security documentation is available, and how to access our standard DPA as part of your procurement process.
Short answer: yes, we can share SOC 2, security docs, and a standard DPA
Finster operates with enterprise‑grade security and is SOC 2 compliant. We maintain a full security and privacy documentation pack that can be shared under NDA, along with a standard DPA designed for regulated institutions.
In practice, that typically means:
- A current SOC 2 report (under NDA)
- Security overview documentation (controls, architecture, deployment options)
- Data protection and privacy documentation (including our “no training on your data” commitment)
- A standard DPA and/or data protection addendum aligned to your contracting framework
Because this material is sensitive, we don’t post the full pack publicly. Instead, we share it directly with qualified prospects, usually once an evaluation or proof‑of‑concept is in motion.
What’s in Finster’s SOC 2 and security documentation?
Finster is built for institutions with zero tolerance for security ambiguity, so our documentation is structured to answer the questions risk and security teams actually ask.
1. SOC 2 compliance
Finster is SOC 2 compliant. Under NDA, we can provide:
- SOC 2 report: independent assurance over the design and operating effectiveness of our controls related to:
  - Security
  - Availability
  - Confidentiality (and other Trust Services Criteria, as applicable)
- Scope and boundaries: a clear definition of what’s in scope (Finster’s platform, supporting infrastructure, and relevant processes) and how that maps to the way you plan to deploy Finster (multi‑tenant, single‑tenant, or VPC/containerized).
This gives your risk and compliance teams third‑party validation that our controls meet industry standards, not just marketing claims.
2. Security posture and architecture
Our security documentation expands on what you’ll see on the public Security page, with more implementation detail. It typically covers:
- Zero Trust, least‑privilege access: how identity, access management, and internal permissions are implemented so users and services only see what they are entitled to.
- Encryption practices:
  - Encryption at rest for all customer data
  - Encryption in transit (TLS) across all external and internal endpoints
- Access controls and IAM:
  - Role‑based access control (RBAC)
  - SAML SSO support
  - SCIM for automated user provisioning and de‑provisioning
  - Administrative roles and approval flows
- Audit logging: what is logged, how long it’s retained, and how logs can be surfaced to you to support internal audit and compliance.
- Network and deployment options:
  - Standard multi‑tenant deployment with strict logical isolation
  - Single‑tenant deployments
  - Private, containerized VPC deployments for institutions that require maximal isolation or “bring your own LLM” setups
This is where your security architecture team can map Finster directly to your current controls framework.
3. Data handling, privacy, and “no training on your data”
Finster’s data handling documentation is designed for teams who operate under MNPI constraints and strict client confidentiality.
Key points you’ll see documented:
- No training on your data: Finster will never train its AI systems on user data. Your proprietary information is not fed back into shared models.
- Data ownership and control:
  - You retain ownership of your data
  - You control which systems we connect to (e.g., internal document repositories, data rooms, SharePoint)
  - You can request deletion of user‑level personalization and configuration data
- Use of third‑party providers: how we integrate with and respect entitlements for the sources below, and how entitlements and terms of use are enforced:
  - Primary sources (e.g., SEC filings, IR sites)
  - Licensed providers (FactSet, Morningstar, PitchBook, Crunchbase, etc.)
  - Partners like Third Bridge, Preqin, and MT Newswires
- Data segregation: technical and logical separation between tenants, and between your data and other customers’ data.
- Compliance and audit trails: how Finster’s audit logs and citations support your obligations to regulators, clients, and internal oversight.
What is Finster’s standard DPA and when do you get it?
The standard DPA (Data Processing Agreement) is Finster’s baseline contract for how we process, protect, and handle personal and confidential data on your behalf.
While exact language can vary by jurisdiction and contract structure, you can expect it to cover:
- Roles and responsibilities: a clear definition of Finster as processor and you as controller (or equivalent roles in your framework).
- Processing instructions: what data we process, for what purpose, and under what legal basis (e.g., performance of contract).
- Security measures: reference to our technical and organizational measures, aligned to SOC 2 and documented security controls.
- Sub‑processor transparency: a list or class‑based disclosure of sub‑processors, with notice and objection mechanisms aligned to your procurement standards.
- Data subject rights support: how we assist you in meeting obligations around access, correction, and deletion requests where applicable.
- International transfers: clauses for cross‑border transfers where relevant (e.g., Standard Contractual Clauses), aligned to your legal team’s requirements.
- Retention and deletion: how long we retain different categories of data, and how data is deleted or anonymized at contract end.
Typically, we share the DPA:
- Once there is a clear evaluation or pilot scope
- Concurrently with or shortly after the SOC 2 and security pack
- As an addendum to your main commercial agreement, or in your paper if you prefer to use your own DPA template
Your legal and procurement teams can then redline as needed; we’re used to working with large institutions’ standard templates.
How to request Finster’s SOC 2 report, security documentation, and DPA
Because the SOC 2 report and detailed security documentation are confidential, they’re shared directly rather than published.
To request access:
- Start with a demo or discovery call:
  - Visit the Finster demo page
  - Provide your work email, firm name, and a brief note that you’d like SOC 2/security documentation and the standard DPA for procurement
- NDA or existing confidentiality framework:
  - If you already have a mutual NDA with us, we’ll use that
  - If not, we can execute our standard NDA or review yours, so your risk and procurement teams are comfortable receiving the SOC 2 report
- Security and procurement review pack. Once an NDA is in place, we’ll share:
  - The current SOC 2 report
  - Security architecture and controls documentation
  - Data protection and privacy overview
  - Standard DPA / data protection addendum (or mapping to your template)
- Follow‑up with your stakeholders. We’re happy to walk through the materials with:
  - Information security and IT
  - Risk, legal, and compliance
  - Procurement and vendor‑management teams
The aim is to shorten the review cycle by answering detailed questions in one go.
How Finster’s security posture maps to typical procurement questions
If you’re reading this ahead of a formal RFI/RFP, here’s how Finster usually answers the core procurement themes.
Is Finster SOC 2 compliant?
Yes. Finster is SOC 2 compliant. The current SOC 2 report is available under NDA for your security and risk teams to review.
How is customer data protected?
- Enterprise‑grade security protocols
- Encryption at rest and in transit
- Zero Trust and least‑privilege access
- RBAC, SAML SSO, and SCIM provisioning
- Audit logging for user and system activity
Can Finster be deployed in a private environment?
Yes. In addition to our standard deployment, we support:
- Single‑tenant deployments
- Containerized VPC deployments
These options are typically used by larger institutions with strict network segmentation and data residency requirements, or those pursuing “bring your own LLM” architectures.
Does Finster train on customer data?
No. Finster will never train its AI systems on user data. Your proprietary data, prompts, and outputs are not used to improve shared models.
Can outputs be audited and verified?
Yes. This is central to how Finster is built:
- Every insight is cited down to the sentence or table‑cell level
- Every source is auditable via clickable references back to filings, transcripts, IR materials, or licensed datasets
- When data is missing or ambiguous, the system returns “I don’t know” or “no answer”, rather than guessing
This “no black box” behavior is part of the reason risk and compliance teams are comfortable with Finster in high‑stakes workflows.
What if our bank or asset manager has additional security requirements?
Many large banks, asset managers, and private credit shops have internal standards that go beyond a typical SaaS checklist. Finster is designed to flex to those needs.
Common examples we support:
- Custom data retention policies: tailored retention and deletion schedules where your policies are stricter than our defaults.
- Enhanced logging or integration with your SIEM: to centralize monitoring and incident response.
- Vendor risk questionnaires (RFI/RFP): detailed responses mapped to your internal control framework.
- Penetration test reports / independent assessments: shared under NDA where required.
If you have a specific requirement, raise it during the initial security review. The key test for us is whether the system can remain scalable without turning into a custom consulting project; our architecture is built to clear that bar.
Where to go from here
If you’ve landed on this page because your procurement, security, or legal team is asking:
- “Can Finster AI share its SOC 2 report?”
- “Can we see detailed security documentation and data protection measures?”
- “Can we review a standard DPA or data processing addendum?”
the next step is straightforward.
Get Started and note that you’re requesting the SOC 2 report, security documentation, and standard DPA for procurement. We’ll route you to the right people on our side and make sure your stakeholders get the depth they need—without black boxes, vague assurances, or endless back‑and‑forth.