Finster AI: can you share the SOC 2 report, security documentation, and standard DPA for procurement?

Most procurement and infosec teams want the same three artifacts up front: a current SOC 2 report, security documentation, and a standard Data Processing Agreement (DPA). Finster AI can provide all three, but we only share them through controlled, auditable channels.

Below is how access works, what’s included, and what to expect in a typical security and privacy review.

---

Access to Finster AI’s SOC 2 report

Finster AI is SOC 2 compliant. Because the SOC 2 report contains sensitive details about our environment and controls, we only share it under NDA and via secure delivery.

How to request the SOC 2 report:

• Existing customers:

  • Contact your Finster account team or CSM.
  • They will route the request through our security and legal teams and share the latest report once an NDA (or existing MSA-level confidentiality) is in place.

• Prospective customers / evaluation stage:

  • Submit a request via the demo form or your sales contact.
  • Indicate explicitly that you need: “SOC 2 report + security documentation + standard DPA for procurement.”
  • We’ll set up mutual confidentiality (NDA) and then provide:
    • Our current SOC 2 Type II report (where applicable by timing)
    • Any relevant bridge letters or status updates if you’re evaluating close to an audit boundary

What the SOC 2 report covers (at a high level):

While we won’t reproduce the report here, your team can expect coverage of:

• Security controls: Access control, change management, incident response
• Data protection: Encryption at rest and in transit, backup and recovery processes
• Governance and monitoring: Logging, monitoring, and periodic review of control effectiveness

The report gives your risk and compliance teams independent assurance that Finster’s controls are designed and operating effectively for an AI-native research and workflow platform handling sensitive financial data.

---

Security documentation: what we provide to procurement and infosec

Finster was built with security, privacy, and compliance at the core, not bolted on. For procurement and due diligence, we typically provide a security package tailored to your review process, which can include:

1. Security overview / whitepaper

A concise document that outlines:

• Security posture and certifications
  • SOC 2 compliance
  • Enterprise-grade security protocols
• Deployment options
  • Single-tenant deployments
  • Containerized VPC / private cloud options
  • Never training on customer data, regardless of deployment model
• Zero Trust principles
  • Least-privilege access controls
  • Role-based access control (RBAC)
  • SAML SSO and SCIM-based provisioning
  • Granular permissioning and entitlements for users and data sources

2. Data protection and privacy details

Because Finster is used in regulated, high-stakes environments (investment banking, asset management, private credit), we document:

• Data handling commitments
  • Finster will never train its AI systems on user data
  • Data is treated with the highest level of confidentiality, integrity, and protection
  • User-level personalization can be removed on request
• Encryption and storage
  • Encryption in transit (e.g., TLS)
  • Encryption at rest
  • Segregation of customer data according to deployment model
• Auditability and monitoring
  • Audit logs for system activity
  • Traceability of user actions and administrative changes
  • Controls to support your own internal audit and regulatory obligations

3. Application and workflow security

Beyond infrastructure, Finster’s core product design is also security-centric:

• Permission-aware retrieval and generation:
  • The system respects entitlements and only surfaces data users are allowed to see.
• Safe-fail behavior:
  • When data is missing or unavailable, Finster returns “I don’t know” / “no answer” rather than guessing—reducing the risk of hallucinated outputs in critical workflows.
• Audit-ready outputs:
  • Every insight is cited, every source is auditable down to the sentence or table cell.
  • This is critical for teams that need to defend numbers to clients, risk, and compliance.

We can also support standard security questionnaires (CAIQ, custom bank/vendor DDQs) where needed. In most cases, our SOC 2 report plus the security overview and Q&A session with your security team is sufficient to progress.

---

Standard Data Processing Agreement (DPA)

Finster operates as a data processor for customer data, with the customer as the data controller. For GDPR and broader privacy compliance, we maintain a standard DPA that can be shared with your legal and privacy teams.

What Finster’s standard DPA typically covers:

• Role definitions and scope
  • Finster as processor / customer as controller
  • Categories of data processed (e.g., user account information, uploaded documents, configuration metadata)
• Data processing instructions
  • Processing strictly for the purposes of delivering and improving the Finster service to your organisation
  • No processing for advertising or unrelated purposes
• No training on customer data
  • Explicit commitment that customer data is not used to train Finster’s AI models
• Security measures
  • Reference to SOC 2 and core technical and organisational controls
  • Encryption, access control, logging, and incident response
• Subprocessor transparency
  • List or mechanism to disclose subprocessors
  • Notification and approval mechanisms where contractually required
• Data subject rights and assistance
  • Support for access, rectification, deletion, and portability requests as required under applicable law
• Data retention and deletion
  • Retention aligned to contractual needs and legal obligations
  • Data deletion timelines and processes following contract termination
• International transfers
  • Appropriate safeguards for cross-border data transfers (e.g., SCCs, where applicable)

Your legal team can review, mark up, or attach the DPA to your main commercial agreement. We aim to keep the DPA pragmatic and aligned with how Finster actually operates, not theoretical boilerplate.

---

How a typical procurement and security review with Finster works

To make this concrete, here’s the usual flow for teams evaluating Finster AI:

1. Initial evaluation / demo

   • You engage via the demo form or directly with our sales team.
   • We walk through your core workflows (earnings analysis, comps, underwriting, portfolio monitoring, pitch prep) and deployment constraints.

2. Security & legal kickoff

   • Your procurement, security, and legal teams are looped in early.
   • We agree scope: SOC 2 report, security documentation, DPA, and any questionnaires.

3. Document exchange under NDA

   • We execute an NDA (or rely on an existing confidentiality framework).
   • Finster shares:
     • Current SOC 2 report
     • Security documentation (overview, technical controls, deployment options)
     • Standard DPA
   • You share any required security/privacy questionnaires.

4. Deep-dive and clarifications

   • Our security and product teams can join a session with your infosec and risk stakeholders to walk through:
     • SOC 2 scope and controls
     • Deployment design (single-tenant / VPC, SSO, RBAC, audit logs)
     • Data handling and “never train on your data” commitments
   • We resolve line-item questions from your DDQ / vendor assessment.

5. Contracting and deployment

   • The DPA is finalised alongside commercial terms.
   • Integration is typically measured in days, not quarters, because Finster is productised for enterprise deployment (SSO, SCIM, RBAC, logging, private cloud options).

---

Why this matters for front-office teams

Finster is built for complex investment decisions, not for AI experiments. That means:

• Security is not a bolt-on. SOC 2 compliance, encryption, and Zero Trust access controls are foundational.
• No black box. Every output is cited and auditable; if the system doesn’t know, it says so.
• No training on your data. Your documents, datasets, and workflows remain your advantage—not our training set.

So when procurement asks for “SOC 2, security docs, and your DPA,” the answer is yes—but through the same controlled, verifiable processes your own clients expect from you.

---

To request Finster AI’s SOC 2 report, security documentation, and standard DPA for your procurement process, the fastest route is to get started here.