Your policy data stays yours.
Fynrex stores your policy register names and action log — not your policy documents and not the regulatory text we ingest (that is public). Banks and fintechs run security reviews before purchasing any SaaS that touches their compliance program. This page answers those questions directly.
What we store and where.
Infrastructure
Role-based access. Full audit trail.
SSO and Identity
SAML 2.0 support. Native integration with Okta and Azure AD. MFA enforced for all accounts. Session tokens expire when a session goes idle. No shared logins permitted.
Single sign-on is available on Growth and Enterprise plans. Starter plans use Fynrex-managed credentials with MFA enforced.
Role Types
Four roles with scoped permissions:
Audit Log
Complete audit log of every action, configuration change, and action item update — with responsible user, timestamp, and before/after change delta. Exportable as PDF or CSV for examination preparation. Retention minimum: 7 years. Retention is configurable beyond the minimum for firms with longer examination lookback requirements.
Controls aligned to NIST CSF.
We operate to a NIST Cybersecurity Framework structure. We do not claim certifications we have not earned — no SOC 2 badge on a landing page, no ISO 27001 logo without the certificate to back it. What follows is an honest account of our current controls and where we are in our security maturity roadmap.
Asset inventory maintained. Information security risk register reviewed quarterly. Data flows documented and classified by sensitivity.
AES-256 at rest, TLS 1.3 in transit. MFA enforced. Role-based access control. Secure software development lifecycle with code review and dependency scanning.
Comprehensive logging to SIEM. Anomaly monitoring on authentication events and data exports. Automated alerting on threshold breaches.
Written incident response plan. Defined RTO. Annual penetration test by external firm. Test summary available under NDA for Enterprise prospects.
Questions about our security posture?
We complete security questionnaires and schedule technical reviews with your IT security team. For Enterprise prospects, we share the most recent external penetration test summary under NDA. We do not expect financial institutions to take our word for it.