Our role
Fimi Data operates primarily as a data processor (under the GDPR) and service provider (under CCPA/CPRA). We process customer data only on your documented instructions and do not determine the purposes or means of processing personal data within customer workflows.
Customers remain in control of:
- What data is processed
- What workflows and actions are taken
- What evidence is required and retained
Core security principles
Least-privilege access
Access to systems and data is restricted by role and business need. Production access is limited to a small set of personnel and is logged.
Encryption everywhere
Data is encrypted in transit using TLS 1.2 or higher, and at rest using AES-256. Cryptographic keys are managed in Azure Key Vault.
Secure infrastructure
Hosted in Microsoft Azure (West US 2). Network isolation, managed identities, and platform-level controls reduce exposure.
Monitoring & logging
Continuous platform monitoring with Application Insights. Audit logs support traceability and accountability for sensitive actions.
Data integrity
Tamper-evident records of offboarding workflows. Timestamped audit trails support evidence of completion and certification.
Secure development
Source control, dependency monitoring, and review of changes to production code. Secrets are never committed to source.
Encryption & key management
| In transit | All connections to the Services are protected with TLS 1.2 or higher. We disable known-weak cipher suites. |
|---|---|
| At rest | Customer data and backups are encrypted with AES-256 using Azure-managed keys. |
| Secrets & credentials | Stored in Azure Key Vault with access scoped via managed identities. Application code does not access credentials directly. |
| Email & outbound integrations | Outbound transactional email is sent over TLS via Microsoft Graph using certificate-based authentication. |
Access controls & authentication
The Fimi Data platform is built to support modern enterprise authentication requirements:
- Multi-factor authentication (MFA) available for all customer accounts
- Single Sign-On (SSO) via SAML 2.0 and OIDC available on Enterprise tiers
- Role-based access control within customer organizations
- Session management with reasonable timeouts and revocable credentials
Internally, Fimi Data personnel use MFA for all systems with access to customer data, and access is reviewed periodically.
Data handling practices
- We process customer data only under your documented instructions.
- We do not sell personal data.
- We do not share personal information for cross-context behavioral advertising as defined under CCPA/CPRA.
- We do not use customer data to train, fine-tune, or develop machine-learning models.
- We do not use customer data for advertising or profiling.
Data residency
Customer data is stored and processed in the United States, in Microsoft Azure’s West US 2 region. Customers with regional residency requirements may contact us to discuss available options.
Data retention & deletion
- Retention of customer-controlled records is configured by you.
- Upon contract termination, customer data is exportable for thirty (30) days, then deleted or anonymized in accordance with our Privacy Policy and applicable Data Processing Addendum.
- Backups are retained for a limited period and then securely destroyed.
- Audit records of data-handling actions are retained for compliance and defensibility purposes; retention periods are documented in the Privacy Policy.
Compliance alignment
The Fimi Data platform is designed to support customer obligations under, and operates in alignment with:
- EU GDPR
- UK GDPR
- Data Protection Act 2018
- CCPA / CPRA
- U.S. Breach-Notification Laws
- CAN-SPAM Act
- SOC 2 Control Principles
Subprocessors
Fimi Data uses a limited set of trusted service providers to operate the platform. All subprocessors are subject to written contractual obligations covering security, confidentiality, and data protection. The current list of subprocessors is published and maintained at:
Incident response
Fimi Data maintains documented processes to detect, respond to, and recover from security incidents. In the event of a security incident affecting customer data, we will:
- Investigate and remediate the incident promptly
- Notify affected customers without undue delay and, where required by applicable law or contract, within 72 hours of becoming aware of a personal-data breach
- Provide reasonable cooperation to support customers’ own notification obligations
- Conduct post-incident review and apply lessons learned to reduce future risk
Vulnerability disclosure
We welcome reports from security researchers who help us keep customer data safe. If you believe you’ve discovered a vulnerability in our Services, please email security@fimidata.com with:
- A description of the vulnerability and potential impact
- Steps to reproduce, including any proof-of-concept
- Your contact information for follow-up
We ask that researchers act in good faith, avoid privacy violations and service disruption, and give us reasonable time to investigate and remediate before public disclosure. We do not currently operate a paid bug bounty program but appreciate responsible disclosure.
Business continuity
Customer data is backed up regularly. We design the platform to support recovery from common failure scenarios within reasonable timeframes appropriate to its stage of development. As we mature toward enterprise deployment, formal Recovery Time Objective (RTO) and Recovery Point Objective (RPO) targets will be published in our security posture documentation.
Have a security question?
Customer security teams, researchers, and prospective enterprise buyers can reach our security contact directly.
This page describes our security and data protection program as of May 1, 2026. For information about how we collect and process personal data, see our Privacy Policy. For information about how we contract with you, see our Terms of Service.