Security
FNDR Tools, Inc. · Last Updated May 3, 2026
Our Commitment
FNDR Tools is built as a financial operating system — security is not an afterthought, it is a first-class architectural constraint. Every layer of our stack is designed to keep your business data confidential, available, and tamper-proof.
Encryption
- All data encrypted in transit using TLS 1.2+
- All integration tokens and credentials encrypted at rest using AES-256
- Database encrypted at rest at the infrastructure level (Supabase, eu-west-1)
- No secrets are ever logged or exposed to the client
Access Controls
- Row-level security (RLS) enforced at the database layer across all tables
- Organization identifiers derived from authenticated session — never from client input
- Explicit deny policies block unauthorized direct database writes
- Service role keys scoped to backend only, never exposed to the client
- OAuth 2.0 with PKCE for all third-party platform integrations
- Least-privilege access: users access only their own organization's data
Infrastructure
- Hosted on Vercel (edge network, DDoS protection) and Supabase (EU West)
- HTTPS enforced across all endpoints — HTTP not permitted
- CORS and rate limiting applied at the API layer
- All production deployments gated through CI/CD
- Direct public database access disabled
Vulnerability Management
- Critical vulnerabilities: remediated within 24 hours
- High severity: within 3 days
- Medium severity: within 7 days
- Low severity: within 30 days
- Dependencies monitored continuously for known vulnerabilities
Data Isolation
Every organization's data is fully isolated. Row-level security policies at the database layer make it impossible for one organization to access another's data — even if application-layer controls were bypassed.
Integration Security
When you connect QuickBooks, Shopify, Klaviyo, Meta, Google Ads, TikTok Ads, or Amazon, your credentials are encrypted with AES-256 before storage. We access only the scopes you authorize. You can revoke any integration at any time from Settings — this immediately deletes stored tokens.
Incident Response
We maintain a documented incident response procedure. In the event of a confirmed data breach, affected customers are notified within 72 hours in accordance with GDPR and applicable regulations.
Report a Vulnerability
If you discover a security vulnerability, please report it responsibly to support@fndr.tools. We investigate all reports promptly and keep you informed of our progress.