Security Policy
Finsight Alpha · Last updated: 15 March 2026
We take security seriously. This document summarises key measures we apply to protect Finsight Alpha. It is not an exhaustive list and does not modify our Terms of Service or Privacy Policy.
1. Infrastructure and transport
- HTTPS (TLS) for data in transit between your browser and our services.
- Hosting on reputable cloud or managed infrastructure with access controls.
2. Authentication and sessions
- Passwords stored using strong one-way hashing (e.g. bcrypt or equivalent).
- Session cookies are httpOnly and secure in production where applicable, with SameSite restrictions to reduce CSRF risk.
- Optional OAuth (e.g. Google) uses industry-standard protocols; we do not receive your third-party password.
3. Application security
- Authorisation checks on sensitive API routes (e.g. report generation, saved reports).
- Input validation and safe handling of user-supplied data where it affects server behaviour.
- Dependency updates and monitoring as part of normal development operations.
4. Data storage
- Application data held in managed databases with access limited to operational needs.
- Payment card data is not stored on our servers when we use a compliant payment processor.
5. AI and third-party APIs
Report generation may send relevant inputs to AI and data providers under contractual terms. We minimise what is sent, limiting it to what is needed for the feature. Review provider documentation for their security posture.
6. Incident response
If we become aware of a breach that affects personal data, we will assess impact and notify users and regulators where required by law.
7. Responsible disclosure
If you believe you have found a security vulnerability, please email steve@libertypoint.io with details. Do not perform testing that harms users, data, or availability. We appreciate coordinated disclosure.
8. Your responsibilities
Use a strong unique password, enable MFA if we offer it, sign out on shared devices, and keep your email account secure.