Security
How we protect your financial data — from your phone to our servers.
Financial data is among the most sensitive personal information you can share. We treat it that way. This page explains the technical and organisational measures Finpersona takes to keep your data secure.
Core security measures
Encryption in Transit
All communication between the Finpersona app, your browser, and our servers is encrypted using TLS 1.3 — the same standard used by major banks. Older TLS versions are not accepted.
Encryption at Rest
Sensitive financial data — including bank connections, transaction records, and tax information — is encrypted using AES-256 at rest. Data keys are managed through a dedicated key management service.
Malaysia Data Residency
Your data is stored and processed on infrastructure located in Malaysia and Singapore. We do not transfer personal financial data outside the ASEAN region without your explicit consent.
Access Controls
Strict role-based access controls (RBAC) govern who within our team can access user data. Access to production systems is logged, monitored, and reviewed. Engineers access production data only for support purposes, and that access is recorded in audit trails.
PDPA Compliance
Finpersona is designed to comply with Malaysia's Personal Data Protection Act 2010 (PDPA). We collect only the data necessary to provide the Service, obtain consent before processing, and honour your rights to access, correct, and delete your data.
Password Security
Passwords are never stored in plain text. We use bcrypt with a strong work factor to hash passwords. We strongly recommend enabling two-factor authentication (2FA) in your account settings for additional protection.
Operational practices
Security is a continuous process, not a checkbox. Here is how we operate day-to-day.
Regular Security Audits
We conduct internal security reviews quarterly and engage external penetration testing firms annually. Findings are prioritized and remediated with defined SLAs.
Vulnerability Management
Dependencies are monitored continuously for known vulnerabilities using automated scanning. Critical patches are applied within 24 hours of public disclosure.
Incident Response
We maintain a documented incident response plan. In the event of a data breach, affected users will be notified within 72 hours in accordance with PDPA requirements.
No Sharing with Advertisers
Your financial data is never sold, rented, or shared with advertising networks or data brokers. Full stop. See our Privacy Policy for details.
Secure Development
Our engineers follow secure development practices including threat modelling, code review with security checklists, and mandatory security training. We follow OWASP Top 10 guidelines.
Bank Account Security
If you connect a bank account, we use read-only API access through certified open banking partners. We never store your banking credentials. You can revoke access at any time from within the app.
Your role in keeping your account secure
Security is a shared responsibility. We strongly recommend: using a strong, unique password for your Finpersona account; enabling two-factor authentication (Settings → Security); never sharing your login credentials with anyone; and logging out of devices you no longer use. If you suspect unauthorized access to your account, contact us immediately at security@finpersona.com.
Responsible Disclosure
If you discover a security vulnerability in Finpersona, we ask that you disclose it to us responsibly before making any public disclosure. We commit to acknowledging your report within 24 hours, investigating and resolving valid vulnerabilities within 30 days, and providing credit if you wish to be acknowledged.
security@finpersona.com