Security
Last updated 22 May 2026
Security Overview
Finalizo handles project closeout records, client contact details, sign-off evidence, and credentials that freelancers choose to store. Security controls are designed around least privilege, encryption, auditability, and reducing exposure of sensitive data.
Data Protection
Credential secrets are encrypted before storage using AES-256-GCM. Encryption keys are stored separately from the database in environment variables and are never committed to source control.
Application data is stored in Supabase PostgreSQL. Production access is restricted to authorised team members who need access to operate, secure, and support the service.
Data is encrypted in transit with HTTPS/TLS. Infrastructure providers encrypt storage at rest where supported. Application-level encryption is applied to credential secrets before they are written to the database.
Supabase Row Level Security is enabled for public application tables, and public Supabase Data API roles are denied direct table access by default. Application code also enforces ownership checks so users can only access their own projects, clients, credentials, integrations, and notifications.
Backups are retained for up to 30 days. Account deletion requests schedule data for permanent deletion after a 30-day grace period unless retention is required for billing, legal, fraud prevention, security, or audit reasons.
Authentication
Finalizo supports Google OAuth and email magic links through Auth.js/NextAuth. Session cookies are HTTP-only where supported and are protected by secure production configuration.
Users are responsible for securing their email accounts, Google accounts, devices, and any team members they invite.
Payments
Payments, invoices, tax handling, billing portal sessions, and payment method storage are handled by Stripe. Finalizo does not store full card numbers, CVC values, or raw payment credentials.
Stripe webhook signatures are verified before billing events are processed.
Application Security
Finalizo uses server-side plan enforcement for gated features, rate limiting on sensitive routes, input sanitisation for user-provided text and rich text, and security headers including HSTS, frame protections, content type protections, referrer policy, permissions policy, and a content security policy.
Sensitive credential values are never logged, and encrypted strings are not returned to clients in place of authorised, decrypted access.
API keys are stored as hashes rather than plaintext. OAuth tokens and integration tokens are encrypted before storage.
Production access should use least-privilege permissions, two-factor authentication where available, and separation between application credentials, database credentials, and deployment credentials.
Compliance Roadmap
Finalizo is designed with SOC 2-style controls in mind, including access control, auditability, change management, incident response, encryption, and vendor review. Formal SOC 2 certification is on the roadmap as the product and customer base mature.
We review security controls as part of launch readiness and after material infrastructure changes.
Responsible Disclosure
If you believe you have found a security vulnerability, email security@finalizo.com with enough detail for us to reproduce and verify the issue.
Please do not access, modify, destroy, or exfiltrate data that does not belong to you. Please do not perform denial-of-service testing, social engineering, spam, physical attacks, or tests that degrade the service for other users.
We aim to acknowledge security reports within 3 business days and provide a status update within 10 business days after acknowledgement.
Scope
In scope:
- finalizo.com
- The Finalizo web application
- Finalizo API routes
- Client-facing handover and sign-off pages
Out of scope:
- Third-party services such as Stripe, Supabase, Vercel, Resend, Uploadthing, PostHog, or Google OAuth
- Issues requiring physical access to a user's device
- Vulnerabilities caused by a compromised user email account or OAuth provider account
- Automated scanner output without a demonstrated security impact
Acknowledgments
We may acknowledge valid vulnerability reports on this page if the reporter wants public credit and the issue has been resolved.
We do not currently operate a paid bug bounty program.
Contact
Security contact: security@finalizo.com
Privacy contact: privacy@finalizo.com