SECTION I · Security Overview
FinHelm Corp builds Probabilistic Finance™ products on a zero data custody architecture: raw financial data from connected ERP systems is processed in transient memory and is never persisted to FinHelm’s servers. Only computed analysis outputs and minimal audit metadata are retained. This architecture materially reduces the data-exposure surface relative to traditional FP&A platforms that ingest and store full ledger copies.
FIG. I.a · The custody doctrine is structural, not procedural. Data we never have, we cannot lose.
SECTION II · Architecture
- Cloud: Amazon Web Services, U.S. East (Northern Virginia) region (us-east-1) only for v1.1.
- Compute: Vercel Edge runtime serving the MCP layer; AWS Lambda (serverless; no persistent application servers) for analysis engine compute at api.finhelm.ai.
- Data store: Amazon DynamoDB for analysis outputs, authentication state, and OAuth tokens. Encrypted at rest using AWS Key Management Service customer-managed keys.
- Networking: Amazon API Gateway (HTTPS only); TLS 1.2 minimum.
- Frontend: Vercel (Next.js).
- Integration: FinHelm connects to ERP providers via the Model Context Protocol over authenticated HTTPS.
SECTION III · Authentication
- Identity: AWS Cognito user pool, with PKCE-enforced OAuth 2.0 authorization code flow.
- Multi-factor authentication: Available; configurable per account.
- Bearer tokens: Short-lived; refreshed via standard OAuth refresh-token flow; revoked immediately on disconnection or account closure.
- ERP authentication: OAuth 2.0 authorization code flow against the ERP provider. FinHelm never sees or stores ERP passwords.
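As an added illustration (not FinHelm's or Cognito's code) of what "PKCE-enforced" obliges the authorization server to do in the flow above: the client sends only an S256 challenge, the server refuses anything else, and the token endpoint recomputes the challenge from the presented verifier before releasing tokens. The in-memory `pending` store is a hypothetical stand-in for server state.

```python
import base64
import hashlib
import secrets
from typing import Dict


def make_code_verifier(nbytes: int = 32) -> str:
    """Client side: a high-entropy verifier. 32 random bytes encode to 43
    URL-safe characters, the minimum length RFC 7636 allows (43..128)."""
    raw = base64.urlsafe_b64encode(secrets.token_bytes(nbytes))
    return raw.rstrip(b"=").decode("ascii")


def make_code_challenge(verifier: str) -> str:
    """S256 transform: base64url(SHA-256(verifier)) with '=' padding removed."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def authorize(request: Dict[str, str], pending: Dict[str, Dict[str, str]]) -> str:
    """Authorization endpoint (hypothetical): bind the challenge to the code it issues.
    Enforced PKCE means a request without S256 is rejected, never downgraded to
    'plain' or to no PKCE at all."""
    if request.get("code_challenge_method") != "S256" or not request.get("code_challenge"):
        raise ValueError("PKCE with code_challenge_method=S256 is required")
    code = secrets.token_urlsafe(24)  # constructed authorization code
    pending[code] = {"challenge": request["code_challenge"]}
    return code


def redeem(code: str, verifier: str, pending: Dict[str, Dict[str, str]]) -> bool:
    """Token endpoint (hypothetical): recompute the challenge from the verifier the
    client presents and compare in constant time. The code is consumed on first
    use whether or not the check passes, so a stolen code cannot be retried."""
    entry = pending.pop(code, None)
    if entry is None:
        return False
    return secrets.compare_digest(make_code_challenge(verifier), entry["challenge"])
```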
SECTION IV · Data Encryption
- In transit: TLS 1.2 or higher on all customer-facing endpoints.
- At rest: AES-256 via AWS KMS customer-managed keys. The token table is encrypted with a dedicated customer-managed key (CMK) with annual rotation enabled.
- Browser exposure: OAuth tokens and ERP credentials are never transmitted to the browser. They are stored server-side and used only by FinHelm’s backend.
SECTION V · Access Control
- Principle of least privilege: All IAM roles are scoped to the minimum permissions required for the function they perform.
- Token-table access: Restricted to a single dedicated IAM principal scoped via a least-privilege policy.
- Audit logging: Authentication events, ERP connection events, MCP tool invocations (tool name, account identifier, timestamp, status code), and administrative actions are logged. Tool-call parameters and response bodies are not logged.
- Production access: Restricted to authorized FinHelm engineering personnel with named accounts and audited access.
SECTION VI · Compliance Posture
- SOC 2 Type I: In progress.
- SOC 2 Type II: Planned to follow Type I.
- HIPAA: Not applicable. FinHelm does not process protected health information.
- PCI DSS scope: Zero. All payment processing is handled entirely by Stripe; FinHelm does not receive, store, or transmit primary account numbers.
- GDPR / CCPA: Customer rights (access, correction, deletion, export) are honored as described in the FinHelm Privacy Policy.
FIG. VI.a · FinHelm makes no representations regarding compliance certifications it has not earned. Aspirational items above are explicitly marked.
SECTION VII · Sub-Processors
| Sub-processor | Purpose | Data |
|---|---|---|
| Amazon Web Services | Infrastructure, identity, key management | Encrypted application data and tokens |
| Anthropic, PBC | (a) Claude.ai as MCP client; (b) Claude models accessed server-side via AWS Bedrock | Tool calls and summarized financial context |
| Intuit Inc. | QuickBooks Online ERP integration | OAuth tokens and customer-authorized financial data |
| DualEntry | ERP integration | OAuth tokens and customer-authorized financial data |
| Rillet | ERP integration | OAuth tokens and customer-authorized financial data |
| Stripe | Payment processing | Payment instrument data (handled entirely by Stripe) |
| PostHog | Product analytics | Anonymized usage events |
| Vercel | Frontend hosting | Standard web logs |
FIG. VII.a · The canonical sub-processor list is maintained at finhelm.ai/privacy/.
SECTION VIII · Data Residency
- v1.1: All customer data, tokens, and analysis outputs are stored in AWS us-east-1 (Northern Virginia, USA).
- v1.2 and later: International data residency options (EU, UK, APAC) are planned and will be announced before any non-U.S. region is offered.
SECTION IX · Breach Notification
In the event of a confirmed security incident affecting customer data, FinHelm will notify affected customers without undue delay and in any case within seventy-two (72) hours of confirmation, consistent with prevailing standards under GDPR and U.S. state breach-notification laws. Notification will identify, to the extent then known, the nature of the incident, the data affected, mitigation steps taken, and a point of contact.
SECTION X · Customer Rights
- Data export: Analysis history is exportable in standard formats from your account.
- Account deletion: Self-service account closure is available. Deletion timelines are described in the Privacy Policy (Section 6).
- ERP disconnection: One-click revocation. Tokens are deleted immediately upon disconnection.
- Data subject requests (GDPR/CCPA): privacy@finhelm.ai.
SECTION XI · Contact
- Security inquiries and disclosures: privacy@finhelm.ai
- Privacy inquiries: privacy@finhelm.ai
- General support: support@finhelm.ai
FinHelm Corp · finhelm.ai
Probabilistic Finance™ · Always On Course.