Skip to content

Security and Privacy First

We protect your data with the highest security and compliance standards

Last updated: November 2025

Security Overview

Fhinck adopts a Defense in Depth approach, implementing multiple layers of security controls across our entire infrastructure, applications, and operational processes.

Zero Trust

Privacy by Design

Data Minimization

Layered Defense

Transparency

1. Cloud Infrastructure

Secure and certified hosting

Google Cloud Platform (GCP)

Region: Oregon, USA

GCP Certifications:

  • ISO 27001: Information security management
  • SOC 2 Type II: Security and confidentiality controls
  • PCI-DSS: Payment card industry security standard
  • GDPR/LGPD Compliant: Data protection clauses (LGPD — Brazilian Data Protection Authority)

SLA & Availability:

GCP SLA: 99,95%

Fhinck Commitment: 99,5%

Serverless Architecture:

  • Cloud Functions & Cloud Run
  • Automatic scaling
  • Automatic security patches

Secure Databases

BigQuery (Data Warehouse):

  • AES-256 encryption at rest
  • Granular access controls
  • Complete query auditing

Firestore (NoSQL):

  • Automatic encryption
  • Custom security rules
  • Automated daily backups

Environment Segregation

Development

Synthetic or anonymized data

Staging

Isolated pre-production testing

Production

Protected and monitored environment

2. Encryption

Encryption in Transit

TLS 1.3 (Transport Layer Security)

  • All communications via HTTPS
  • SSL/TLS certificates renewed automatically
  • Hardened configuration (no weak ciphers)
  • HSTS (HTTP Strict Transport Security)

ClientTLS 1.3 → Load Balancer → Internal TLS → Backend

Encryption at Rest

AES-256 (Advanced Encryption Standard)

  • Data stored encrypted in BigQuery
  • Additional proprietary Fhinck encryption
  • Backups encrypted with AES-256-GCM

Key Management:

  • Google Cloud KMS
  • Automatic key rotation
  • Per-client separation (when contracted)

Password Hashing:

bcrypt (custo 12) - bcrypt (cost 12) — Resistant to brute-force attacks

Pseudonymization and Anonymization

Options available to clients:

Pseudonymization

ID replaced by unique hash

Full Anonymization

Removal of personal identifiers

Aggregation

Aggregated data only

3. Access Controls and Authentication

3.1. Multi-Factor Authentication (MFA)

Mandatory for all critical access:

Google Workspace (SSO)
GCP (infrastructure)
GitHub (source code)
1Password (secrets)
Fhinck Dashboard (recommended)

3.2. Single Sign-On (SSO)

Available Integrations:

  • SAML 2.0: Enterprise standard
  • OIDC: Modern identity protocol
  • Google, Azure AD, Okta, Auth0

Benefits:

  • Centralized identity management
  • Single credentials for multiple systems
  • Corporate password policies enforced
  • Instant access revocation

3.3. Role-Based Access Control (RBAC)

Granular profiles in the Dashboard:

Viewer

Read-only access

Analyst

Report creation

Manager

Department access

Administrator

Full management

Auditor

Log access

Principle of Least Privilege: Each user receives only the permissions required for their role.

4. Secure Software Development

SAST

Static Code Analysis

  • • ESLint Security Plugin
  • • Semgrep (OWASP/CWE)
  • • CodeQL (GitHub)

DAST

Dynamic Application Analysis

  • • OWASP ZAP
  • • Baseline & Full Scan
  • • API Security Scan

Vulnerabilities

Proactive Management

  • • npm audit (semanal)
  • • Snyk (contínuo)
  • • Dependabot (automático)

Vulnerability Remediation Timelines

CRITICAL

< 48h

HIGH

< 10 days

MEDIUM

Next sprint

LOW

Future release

Penetration Testing

Frequency

Annual

Last Performed

June 2025

Result

✓ No critical vulnerabilities

9. Privacy and Data Protection

LGPD Compliance

Status: Fully Compliant

Privacy Policy published
DPIA completed
DPO appointed and identified
Record of processing activities
Contractual clauses (DPA)
Incident response procedures
Mechanisms for exercising data subject rights
Transparency and consent

Roles and Responsibilities

Controller: Client

Determines the purposes and means of processing

Processor: Fhinck

Processes data according to Controller instructions

DPO: Michel Zarzour Filho

dpo@fhinck.com
(11) 98367-3803

Data Minimization

✓ We Collect

  • User ID, hostname
  • App metadata
  • Activity timestamps

✗ We Do NOT Collect

  • Screenshots
  • Keylogging
  • Document content

10. Security Incident Response

Response Process

1

Detection

0–2 hours

2

Containment

2–8 hours

3

Notification

Within 48h

4

Resolution

Post-incident

Emergency Response Team (ERT)

Michel Zarzour Filho

CIO/DPO

dpo@fhinck.com

André Murta

Tech Lead

support@fhinck.com

Paulo Castello

CEO

contato@fhinck.com

13. Audits and Certifications

Internal Audits

FrequencyAnnual
Last PerformedOctober 2025
NextOctober 2026
Result✓ COMPLIANT

Certifications

LGPD Compliance

Fully compliant

ISO 27001

Aligned

Marco Civil da Internet

Compliant

MTE Ordinance 671/2021

Compliant

OWASP Top 10

Mitigations implemented

Infrastructure (GCP)

ISO 27001

SOC 2 Type II

PCI-DSS

18. Contact and Support

Security

security@fhinck.com

Response within 48h

DPO

dpo@fhinck.com

Michel Zarzour Filho

Technical Support

support@fhinck.com

Mon–Fri, 9am–6pm BRT

Emergencies

ERT Team

24/7 for critical incidents

Our Commitment

The security and privacy of our clients' and users' data are absolute priorities at Fhinck. We continuously invest in technology, processes, and people to maintain the highest standards of protection.

Full transparency about our practices
Strict compliance with all applicable laws
Fast response to incidents and requests
Continuous improvement of our controls
Respect for data subjects' rights
Contact UsContact DPOPrivacy Policy

Last updated: November 2025 | Next review: June 2026