Enterprise-grade security

Your financial data is safe with us

We take security seriously. Fynli is built with multiple layers of protection to ensure your sensitive financial information remains private, secure, and under your control.

Security features that protect you

Every aspect of Fynli is designed with security in mind, from authentication to data storage.

Two-Factor Authentication (2FA)

Secure your account with industry-standard TOTP-based two-factor authentication

  • Support for authenticator apps like Google Authenticator, 1Password, and Authy
  • Secure backup codes for account recovery
  • Trusted device management for convenience
  • 30-day device trust with optional revocation
  • Time-based one-time passwords (TOTP) with cryptographic verification

End-to-End Encryption

Your sensitive financial data is protected with AES-256-GCM authenticated encryption

  • AES-256-GCM encryption for all sensitive data at rest
  • Encrypted trial balances and financial records
  • Encrypted invoice date overrides and adjustments
  • Encrypted alert settings and thresholds
  • Secure key management with environment isolation
  • Authentication tags prevent tampering

Secure Password Management

Industry best practices protect your account credentials

  • Passwords are hashed using secure algorithms (never stored in plain text)
  • Strong password requirements enforced
  • Secure password reset flow with time-limited tokens
  • Password change requires current password verification
  • All password operations are logged for audit purposes

OAuth 2.0 Integration

Connect to Xero securely without ever sharing your password

  • OAuth 2.0 standard for Xero authentication
  • We never see or store your Xero password
  • Secure token storage with automatic refresh
  • Granular permission scopes for minimal access
  • Revoke access anytime from your settings
  • Encrypted token storage

Comprehensive Audit Logging

Complete visibility into account activity and data access

  • All authentication events are logged (login, logout, password changes)
  • Profile updates and email verification tracking
  • Password reset requests and completions
  • Failed login attempt monitoring
  • IP address and user agent tracking
  • Timestamp tracking for all security events

Session Management

Smart session handling keeps your account secure

  • Secure session tokens with cryptographic randomness
  • Automatic session expiration
  • Session cleanup on logout
  • Database-backed session storage
  • Protection against session hijacking

Data Privacy & Isolation

Your data is isolated and protected from unauthorized access

  • Multi-tenant architecture with strict data isolation
  • All queries are tenant-scoped
  • User-level data access controls
  • Automatic cascade deletion when you remove your account
  • No cross-tenant data leakage
  • PostgreSQL with row-level security

Infrastructure Security

Built on secure, modern infrastructure

  • HTTPS/TLS encryption for all data in transit
  • Environment-variable-based secrets management
  • Secure database connections
  • Regular security updates and patches
  • Protected API endpoints with authentication middleware

Security & Compliance

We follow industry best practices to keep your data safe and secure.

Data Encryption

All sensitive financial data is encrypted at rest using AES-256-GCM encryption.

Secure Connections

All connections use HTTPS/TLS encryption to protect data in transit.

Access Controls

Role-based access controls and multi-tenant isolation protect your data.

Audit Trails

Comprehensive logging of all authentication and data access events.

You're in control

Your data belongs to you. We give you complete control over your information.

Disconnect Anytime

Revoke Fynli's access to your Xero account instantly from your settings. Your Xero data remains untouched.

Export Your Data

Export your forecasts, scenarios, and insights at any time. Your data is portable and accessible.

Delete Your Account

Request account deletion from your settings. All your data will be permanently removed from our systems.

Technical security details

For the technically inclined, here's how we protect your data at every layer.

Encryption Standards

  • AES-256-GCM for data at rest (96-bit nonce, 16-byte auth tag)
  • TLS 1.2+ for all connections in transit
  • HMAC-SHA256 for token verification
  • Cryptographically secure random number generation

Authentication

  • TOTP (RFC 6238) with 30-second window tolerance
  • SHA-256 hashed backup codes with timing-safe comparison
  • Secure password hashing (not stored in plaintext)
  • OAuth 2.0 for third-party integrations

Database Security

  • PostgreSQL with connection pooling and secure configuration
  • Multi-tenant isolation with strict query scoping
  • Cascade deletion for data cleanup
  • Indexed queries for performance and security

Application Security

  • Server-side session management
  • CSRF protection on state-changing operations
  • Rate limiting on sensitive endpoints
  • Input validation and sanitization

Questions about security?

We're happy to discuss our security practices in detail. If you have specific questions or compliance requirements, get in touch.