FinlyLife

Security Overview

Effective date: February 18, 2026

FinlyLife uses a defense-in-depth security posture designed for web-based financial planning workflows. No system is guaranteed to be perfectly secure, but FinlyLife applies administrative, technical, and organizational controls intended to reduce risk and protect customer data.

Authentication and Session Security

  • Session controls for web access and token-based authentication for API access.
  • Short-lived access credentials with refresh token rotation and revocation safeguards.
  • Protection mechanisms for common web threats, including CSRF controls on form workflows.

Data Protection Controls

  • Encryption in transit for data exchanged with the Services over HTTPS.
  • Logical access controls and authorization boundaries for household-level data access.
  • Audit-oriented application logging for security and operational investigation.

AI and Data Minimization

  • AI functionality is gated and opt-in for applicable flows.
  • Prompt processing applies data minimization and redaction-oriented safeguards.
  • User-facing "Data used" transparency is provided for planner responses where supported.

Incident Response

FinlyLife maintains internal incident handling procedures to triage, contain, and remediate potential security events. Notification timing and scope, where required, are handled in accordance with applicable law.