Security & Privacy

Your financial data is safe with us

We built FinSpec AI with the same rigour we'd demand of any tool handling our own finances. Here is exactly how we protect yours.

Data encryption

  • All data is encrypted in transit using TLS/HTTPS.
  • Data is encrypted at rest in our managed database infrastructure.
  • Integration tokens (e.g. Xero) are encrypted with AES-256 before storage.

Authentication and access

  • Authentication is managed by an enterprise-grade identity provider with multi-factor authentication (MFA) support.
  • Session management uses short-lived tokens with automatic rotation.
  • Role-based access controls restrict administrative functions to authorised personnel.

Read-only integrations

  • Our Xero integration requests only read-level scopes (trial balance reports). We cannot modify, delete, or transfer your accounting data.
  • Bank or ERP connections are read-only by design. FinSpec AI observes your data — it never changes it.

AI and your data

  • Financial data is sent to our AI analysis provider solely to generate your insights, commentary, and reports.
  • Our provider is contractually prohibited from using your data to train AI models.
  • Data sent for analysis is not stored by the provider beyond the request lifecycle.
  • Your data will never be sold, shared, or used for any purpose other than delivering the service to you.

Privacy and POPIA compliance

  • FinSpec AI complies with the Protection of Personal Information Act (POPIA) and applicable data protection legislation.
  • We use privacy-focused, cookie-free analytics that do not track individual users.
  • You retain full ownership of your data at all times.
  • Upon account deletion, your data is permanently removed within 30 days, except where retention is required by South African law.

Data retention and deletion

  • Financial data you upload is retained only while your account is active or as needed to provide the service.
  • You can delete individual uploads or your entire account at any time.
  • Account deletion triggers permanent removal of all associated data within 30 days.

Have a security question?

We take every inquiry seriously. Reach out and we'll respond promptly.

Last reviewed: 7 March 2026