Trust Center

Security and compliance at Fimil


37 of 41 controls implemented

01 — Compliance

Frameworks

SOC 2 Type II

In Progress

Controls aligned with Trust Services Criteria. Formal audit planned post-seed.

Verified: March 2026

ISO 27001:2022

In Progress

ISMS framework established with comprehensive policy suite and controls implemented. Certification planned for 2027.

Verified: March 2026

NIST CSF 2.0

In Progress

Comprehensive mapping to the six CSF functions (Govern, Identify, Protect, Detect, Respond, Recover). ~75% coverage implemented; pending external validation.

Verified: March 2026

CIS Controls v8

In Progress

Implementation-focused security controls aligned across all 18 control groups. ~70% coverage implemented; formal gap assessment and external validation pending.

Verified: March 2026

OWASP ASVS Level 2

In Progress

Application Security Verification Standard covering authentication, session management, access control, input validation, and API security. Core to our identity as an AppSec platform.

Verified: March 2026

GDPR

In Progress

EU General Data Protection Regulation. Privacy policy, DPAs, cookie consent with audit trail, and breach notification implemented. DSAR automation and DPIAs in progress.

Verified: March 2026

CCPA/CPRA

In Progress

California Consumer Privacy Act and California Privacy Rights Act. Privacy disclosures and cookie consent implemented. Consumer request workflows in progress.

Verified: March 2026

CSA STAR Level 1

In Progress

Cloud Security Alliance STAR Level 1 self-assessment completed via CAIQ v4 (261 questions across 17 security domains). Self-assessment published on trust center. Formal registry submission planned.

Verified: March 2026

FedRAMP Li-SaaS

In Progress

Low-Impact SaaS authorization prerequisites in progress. Completed: System Security Plan, Continuous Monitoring Plan, network boundary documentation, and federal incident reporting procedures. Pending: FIPS 140-2 validated KMS integration and 3PAO engagement.

Verified: March 2026

FedRAMP

Planned

Full Federal Risk and Authorization Management Program authorization at the Moderate baseline. Requires a 3PAO assessment and an agency authorization.

Verified: March 2026

Cyber Essentials

In Progress

UK government-backed cybersecurity certification. All five technical controls implemented: firewalls (Cloudflare WAF), secure configuration (container hardening), user access control (RBAC with MFA), malware protection (scanner isolation, Falco monitoring), and security update management (Dependabot, Trivy). Formal self-assessment certification pending.

Verified: March 2026

SLSA Framework

In Progress

Build provenance attestation via GitHub Actions, SPDX SBOMs generated for all container images, and Cosign keyless image signing implemented. Formal SLSA Build L2 assessment pending.

Verified: March 2026

02 — Security Controls

Controls

Data Protection

4/5

Encryption at Rest

Database encryption at rest via managed provider (AES-256). Application-layer encryption using Fernet (AES-128-CBC with HMAC-SHA256 authentication) for sensitive fields including OAuth tokens and API credentials.

Verified: March 2026

Encryption in Transit

TLS 1.2+ enforced on all connections. HSTS enabled. Certificate management via Let's Encrypt with automated renewal.

Verified: March 2026

Data Classification

Four-level classification scheme (Public, Internal, Confidential, Restricted) with defined handling requirements per level.

Verified: March 2026

Data Retention & Deletion

Documented retention schedules per data category. Source code is ephemeral — cloned, scanned, and deleted (never persisted). Configurable report retention. Automated DSAR export and erasure endpoints with anonymization.

Verified: March 2026

Key Lifecycle Management

Versioned encryption key rotation via MultiFernet — new data encrypted with latest key, old data decryptable with any known key. Re-encryption tooling for key migration. KMS integration planned for FIPS 140-2 requirements.

Verified: March 2026
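The rotation scheme described above, as an added example (not Fimil's code) using the `cryptography` package the page's Fernet/MultiFernet wording implies. The key list is ordered newest-first, so new writes use the current key while retired keys are still accepted for reads; `rotate()` re-encrypts stored values so the old key can be dropped, and the final phase shows that a value missed during re-encryption fails loudly once the old key is gone. The plaintexts are constructed stand-ins for stored OAuth tokens and API credentials.

```python
"""Versioned key rotation with MultiFernet.

Added example for this page, not Fimil's code. Requires the `cryptography`
package (python -m pip install cryptography).
"""
from cryptography.fernet import Fernet, InvalidToken, MultiFernet


def build_cipher(keys):
    """keys[0] is the current key and is the only one used for encryption;
    the remaining (retired) keys are still accepted for decryption."""
    return MultiFernet([Fernet(k) for k in keys])


def rotate_all(keys, tokens):
    """Re-encrypt every stored token under keys[0]. rotate() keeps the
    plaintext and the token's original Fernet timestamp."""
    cipher = build_cipher(keys)
    return [cipher.rotate(t) for t in tokens]


def decrypts_with(key, token):
    """True if `token` authenticates (HMAC) and decrypts under `key`."""
    try:
        Fernet(key).decrypt(token)
        return True
    except InvalidToken:
        return False


def run_rotation():
    """Walks the three phases of a rotation and reports what each phase proved."""
    old_key = Fernet.generate_key()
    # Constructed sample field values standing in for stored OAuth tokens / API credentials.
    plaintexts = [b"oauth-refresh-token-sample", b"api-credential-sample"]
    legacy = [Fernet(old_key).encrypt(p) for p in plaintexts]

    # Phase 1: put the new key at the head of the list. Old rows still decrypt;
    # anything written from now on is encrypted with new_key.
    new_key = Fernet.generate_key()
    dual = build_cipher([new_key, old_key])
    legacy_readable = [dual.decrypt(t) for t in legacy] == plaintexts

    # Phase 2: re-encrypt stored rows so none depend on old_key any more.
    rotated = rotate_all([new_key, old_key], legacy)
    moved = all(decrypts_with(new_key, t) and not decrypts_with(old_key, t) for t in rotated)
    content_intact = [dual.decrypt(t) for t in rotated] == plaintexts

    # Phase 3: drop old_key. A row that phase 2 missed now fails loudly instead
    # of silently decrypting under a key that should no longer exist.
    final = build_cipher([new_key])
    try:
        final.decrypt(legacy[0])
        missed_row_rejected = False
    except InvalidToken:
        missed_row_rejected = True

    return {
        "legacy_readable_during_dual_key_window": legacy_readable,
        "rotated_rows_bound_to_new_key_only": moved,
        "plaintext_unchanged": content_intact,
        "missed_row_rejected_after_retirement": missed_row_rejected,
    }


if __name__ == "__main__":
    for check, ok in run_rotation().items():
        print(f"{check}: {ok}")
```

Keep the retired-key window short: MultiFernet tries keys in order on every decrypt, and every extra key in the list is another key that still has to be protected. Run the re-encryption pass to completion (and count rows) before removing the old key from configuration.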

Privacy & Data Rights

4/5

Cookie Consent & Tracking

Granular cookie consent with Accept/Reject/Customize options. Three categories (Necessary, Functional, Analytics). Full audit trail with IP, user agent, timestamp, and consent version. DNT signal respected.

Verified: March 2026

Privacy Notices & Transparency

Privacy Policy, Cookie Policy, and Data Processing Agreement published. Data collection practices disclosed per GDPR Articles 13-14 and CCPA requirements.

Verified: March 2026

Data Subject Request Handling

Admin API endpoints for data export (GDPR Articles 15 and 20, access and portability) and erasure (GDPR Article 17). Anonymization preserves the audit trail while removing PII. Sessions are invalidated on erasure.

Verified: March 2026

Data Protection Impact Assessments

Formal DPIA process (FIMIL-DPIA-001) per GDPR Article 35 with six defined trigger criteria, step-by-step assessment methodology, fillable template with risk matrix, DPO review and sign-off workflow, and maintained DPIA register.

Verified: March 2026

International Data Transfers

DPAs executed with all subprocessors. Standard Contractual Clauses (SCCs) for EU-to-US transfers are planned as an annex to the DPA.

Verified: March 2026

Access Control

4/4

Role-Based Access Control

Five-level RBAC hierarchy enforced at every API endpoint. Tenant-level isolation with row-level data separation.

Verified: March 2026

Authentication Security

Strong password policy (12+ chars, Argon2id hashing), TOTP-based MFA with recovery codes, account lockout after failed attempts, automated brute force and credential stuffing detection. OAuth2/OIDC federation supported for customer SSO.

Verified: March 2026
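The TOTP and recovery-code mechanics behind the MFA control above, as an added example (not Fimil's code) using only the Python standard library. It implements RFC 6238 TOTP over RFC 4226 HOTP, accepts one step of clock skew either side, refuses any counter already used so a captured code cannot be replayed within the window, and stores recovery codes as SHA-256 digests that are consumed on first use. The secret is the RFC 6238 Appendix B test secret, so the expected codes are published values; the recovery-code length and window size are illustrative choices.

```python
"""TOTP verification with replay protection, plus hashed single-use recovery
codes. Added example for this page, not Fimil's code; standard library only."""
import hashlib
import hmac
import secrets
import struct

STEP = 30      # seconds per TOTP step
DIGITS = 6
WINDOW = 1     # accept the previous and next step to absorb clock skew


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, unix_time // STEP)


def verify_totp(secret: bytes, code: str, unix_time: int, last_counter: int):
    """Return (ok, new_last_counter). Counters <= last_counter are refused, so a
    code observed in transit cannot be replayed inside the skew window."""
    current = unix_time // STEP
    for counter in range(current - WINDOW, current + WINDOW + 1):
        if counter <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret, counter), code):
            return True, counter
    return False, last_counter


def issue_recovery_codes(n: int = 8):
    """Return (plaintext codes to show once, SHA-256 digests to store).
    Each code is 40 random bits; an unsalted fast hash is acceptable for
    random secrets of this size, unlike for passwords."""
    codes = [secrets.token_hex(5) for _ in range(n)]
    return codes, {hashlib.sha256(c.encode()).hexdigest() for c in codes}


def redeem_recovery_code(stored: set, code: str) -> bool:
    """Single use: the matching digest is removed from the stored set."""
    wanted = hashlib.sha256(code.strip().lower().encode()).hexdigest()
    match = next((h for h in stored if hmac.compare_digest(h, wanted)), None)
    if match is None:
        return False
    stored.discard(match)
    return True


# RFC 6238 Appendix B test secret (ASCII "12345678901234567890").
RFC_SECRET = b"12345678901234567890"


def demo():
    # RFC 6238 reference: at T=59 the 8-digit SHA-1 TOTP is 94287082,
    # so the 6-digit code is 287082.
    ok, last = verify_totp(RFC_SECRET, "287082", 59, last_counter=-1)
    # Same code presented two seconds later, still inside the window: replay.
    replay, _ = verify_totp(RFC_SECRET, "287082", 61, last_counter=last)
    codes, stored = issue_recovery_codes(2)
    first = redeem_recovery_code(stored, codes[0])
    again = redeem_recovery_code(stored, codes[0])
    return ok, replay, first, again


if __name__ == "__main__":
    print(totp(RFC_SECRET, 59), demo())
```

Persist `last_counter` per user alongside the encrypted TOTP secret; without it the skew window is also a replay window. The page notes that MFA secrets are stored encrypted, which is where the MultiFernet scheme under Key Lifecycle Management applies.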

Privileged Access Management

Privileged operations logged with full attribution. Impersonation restricted with 1-hour session caps and complete audit trail.

Verified: March 2026

Access Reviews

Automated access review reports via operator portal: stale user detection (90+ days inactive), unused API token auditing, privileged user inventory across tenants. Automated deprovisioning on account deactivation with bulk token revocation.

Verified: March 2026

Infrastructure Security

6/6

Container Hardening

All containers run as non-root with read-only filesystems, dropped capabilities, and no-new-privileges flag. Scanner containers are fully network-isolated.

Verified: March 2026

Network Segmentation

Kubernetes network policies enforce strict pod-to-pod communication rules. Scanner workloads run with no network access.

Verified: March 2026
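The two infrastructure controls above describe settings that can be checked mechanically. The following is an added example (not Fimil's manifests or tooling) that audits a Pod spec for non-root execution, a read-only root filesystem, all capabilities dropped, `allowPrivilegeEscalation: false` (the Kubernetes form of the no-new-privileges flag) and no shared host namespaces, and checks that a scanner NetworkPolicy is a genuine default-deny in both directions. Manifests are passed as already-parsed dicts (what `yaml.safe_load` returns) so it runs without a YAML library; the sample specs are constructed.

```python
"""Audit container-hardening and network-isolation settings in Kubernetes
manifests. Added example for this page, not Fimil's code."""


def audit_pod(pod):
    """Return a list of findings; an empty list means the pod passes."""
    findings = []
    spec = pod["spec"]
    pod_sc = spec.get("securityContext", {})
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        name, sc = c["name"], c.get("securityContext", {})
        caps = sc.get("capabilities", {})
        # Container-level settings override pod-level ones; runAsNonRoot is
        # the one checked here that may be inherited from the pod.
        if not sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot", False)):
            findings.append(f"{name}: runAsNonRoot is not true")
        if not sc.get("readOnlyRootFilesystem", False):
            findings.append(f"{name}: root filesystem is writable")
        if sc.get("allowPrivilegeEscalation", True):  # Kubernetes default is true
            findings.append(f"{name}: allowPrivilegeEscalation is not false")
        if sc.get("privileged", False):
            findings.append(f"{name}: privileged container")
        if "ALL" not in caps.get("drop", []):
            findings.append(f"{name}: capabilities.drop does not include ALL")
        if caps.get("add"):
            findings.append(f"{name}: capabilities added back: {caps['add']}")
    for ns in ("hostNetwork", "hostPID", "hostIPC"):
        if spec.get(ns):
            findings.append(f"pod sets {ns}: true")
    return findings


def is_default_deny(policy, pod_labels):
    """True if the policy selects a pod carrying `pod_labels` and denies all
    traffic both ways: policyTypes names Ingress and Egress and no allow
    rules are present. An empty podSelector selects every pod in the namespace."""
    spec = policy["spec"]
    selector = spec.get("podSelector", {}).get("matchLabels", {})
    if any(pod_labels.get(k) != v for k, v in selector.items()):
        return False
    both_directions = set(spec.get("policyTypes", [])) == {"Ingress", "Egress"}
    no_rules = not spec.get("ingress") and not spec.get("egress")
    return both_directions and no_rules


HARDENED_SECURITY_CONTEXT = {
    "runAsNonRoot": True,
    "runAsUser": 10001,
    "readOnlyRootFilesystem": True,
    "allowPrivilegeEscalation": False,
    "capabilities": {"drop": ["ALL"]},
    "seccompProfile": {"type": "RuntimeDefault"},
}

SCANNER_POD = {  # constructed sample
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "scanner-job", "labels": {"app": "scanner"}},
    "spec": {"containers": [{"name": "scanner", "image": "scanner:example",
                             "securityContext": HARDENED_SECURITY_CONTEXT}]},
}

WEAK_POD = {  # constructed sample: roughly what an unmodified image ships as
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "debug", "labels": {"app": "debug"}},
    "spec": {"hostNetwork": True,
             "containers": [{"name": "shell", "image": "shell:example",
                             "securityContext": {"capabilities": {"add": ["NET_ADMIN"]}}}]},
}

SCANNER_DENY_ALL = {  # constructed sample
    "apiVersion": "networking.k8s.io/v1", "kind": "NetworkPolicy",
    "metadata": {"name": "scanner-deny-all"},
    "spec": {"podSelector": {"matchLabels": {"app": "scanner"}},
             "policyTypes": ["Ingress", "Egress"]},
}

SCANNER_ALLOW_DNS = {  # constructed sample: any egress rule means it is no longer deny-all
    "apiVersion": "networking.k8s.io/v1", "kind": "NetworkPolicy",
    "metadata": {"name": "scanner-allow-dns"},
    "spec": {"podSelector": {"matchLabels": {"app": "scanner"}},
             "policyTypes": ["Ingress", "Egress"],
             "egress": [{"ports": [{"protocol": "UDP", "port": 53}]}]},
}


if __name__ == "__main__":
    print("scanner pod findings:", audit_pod(SCANNER_POD))
    print("weak pod findings:", audit_pod(WEAK_POD))
    print("scanner isolated:", is_default_deny(SCANNER_DENY_ALL, SCANNER_POD["metadata"]["labels"]))
```

A deny-all egress policy also blocks DNS and the API server, so a scanner that is "fully network-isolated" has to receive the cloned repository and hand back results through a volume or the job controller rather than over the network. NetworkPolicy is only enforced when the cluster's CNI supports it, so the check above should be paired with a runtime test that a pod in the namespace genuinely cannot connect out.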

Runtime Monitoring

Falco-based runtime security monitoring with custom detection rules for process anomalies, file integrity changes, and container drift.

Verified: March 2026

Vulnerability Management

Container image scanning (Trivy) in CI/CD blocks deployment on critical vulnerabilities. SAST scanning (Semgrep, Bandit) runs on own codebase via GitHub Actions. Fimil scans its own repositories through the platform.

Verified: March 2026

Asset Inventory

Formal asset register (FIMIL-AM-001) with 25+ assets classified across infrastructure, software, data, external services, and code repositories. Quarterly review cycle with ownership tracking and lifecycle management.

Verified: March 2026

Web Application Firewall

Cloudflare WAF deployed with managed rulesets for OWASP Top 10 protection, bot management, and rate limiting at the edge.

Verified: March 2026

Application Security

5/5

Secure Development Lifecycle

CI pipeline enforces linting, testing, type checking, SAST (Semgrep, Bandit), and container scanning. Pre-commit hooks catch issues before code reaches the repository. Fimil scans its own repositories through the platform.

Verified: March 2026

Input Validation & Injection Prevention

Pydantic schema validation on all API inputs. ORM-based parameterized queries prevent SQL injection. CSRF protection via double-submit cookie pattern.

Verified: March 2026

Secret Management

Sealed secrets for production credentials. API tokens stored as SHA256 hashes. Secret scanning in pre-commit hooks and CI pipeline.

Verified: March 2026
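Hashed token storage as described above, as an added example (not Fimil's code) using only the standard library. A bearer token is shown once and only its SHA-256 digest is persisted, with a short non-secret prefix kept for indexing; lookups compare digests in constant time, and a bulk revocation mirrors the deprovisioning step mentioned under Access Reviews. The reason an unsalted fast hash is acceptable here, and not for passwords, is stated in the docstring. Store layout and prefix length are illustrative.

```python
"""API token issuance, lookup and bulk revocation with hashed storage.

Added example for this page, not Fimil's code. Tokens are 256 bits of CSPRNG
output, so precomputation is infeasible and an unsalted fast hash suffices;
passwords still need a slow, salted KDF such as the Argon2id the page uses.
"""
import hashlib
import hmac
import secrets

PREFIX_LEN = 8  # leading characters of the token, stored in clear for lookup


def digest(token: str) -> str:
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def issue_token(owner: str, store: dict) -> str:
    """Create a token, persist only prefix + digest, return the token once."""
    token = secrets.token_urlsafe(32)  # 32 random bytes = 256 bits
    record = {"owner": owner, "sha256": digest(token), "revoked": False}
    store.setdefault(token[:PREFIX_LEN], []).append(record)
    return token


def authenticate(presented: str, store: dict):
    """Return the owning record, or None. The prefix narrows candidates; the
    digest comparison is constant-time so timing does not leak near-matches."""
    wanted = digest(presented)
    for record in store.get(presented[:PREFIX_LEN], []):
        if not record["revoked"] and hmac.compare_digest(record["sha256"], wanted):
            return record
    return None


def revoke_all(owner: str, store: dict) -> int:
    """Bulk revocation on account deactivation; returns the number revoked."""
    count = 0
    for records in store.values():
        for record in records:
            if record["owner"] == owner and not record["revoked"]:
                record["revoked"] = True
                count += 1
    return count


def demo():
    store = {}
    t1 = issue_token("alice", store)
    t2 = issue_token("alice", store)
    ok_before = authenticate(t1, store) is not None
    # Same prefix, one character changed: must fall through to None.
    wrong = authenticate(t1[:-1] + ("A" if t1[-1] != "A" else "B"), store) is None
    revoked = revoke_all("alice", store)
    rejected_after = authenticate(t2, store) is None
    return ok_before, wrong, revoked, rejected_after


if __name__ == "__main__":
    print(demo())
```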

Rate Limiting & Abuse Prevention

Distributed rate limiting per endpoint category. Automated brute force detection and IP blocking. Credential stuffing detection with alerting.

Verified: March 2026
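The brute-force and credential-stuffing detection named above and under Authentication Security, as an added example (not Fimil's detection logic) run over constructed auth log lines. Two sliding windows are kept: repeated failures against one account trigger a lockout, and one source IP failing against many distinct accounts in a short span raises a credential-stuffing alert. The log format, thresholds and window sizes are illustrative.

```python
"""Brute-force lockout and credential-stuffing detection over an auth log.
Added example for this page, not Fimil's code; standard library only."""
from collections import defaultdict, deque
from datetime import datetime, timezone

LOCKOUT_FAILURES = 5      # failures for one account within LOCKOUT_WINDOW
LOCKOUT_WINDOW = 300      # seconds; also used as the lock duration
STUFFING_ACCOUNTS = 10    # distinct accounts per IP within STUFFING_WINDOW
STUFFING_WINDOW = 60


class AuthMonitor:
    def __init__(self):
        self.account_failures = defaultdict(deque)  # account -> [ts, ...]
        self.ip_failures = defaultdict(deque)       # ip -> [(ts, account), ...]
        self.locked_until = {}
        self.flagged_ips = set()
        self.alerts = []

    def is_locked(self, account, now):
        return self.locked_until.get(account, 0) > now

    def record(self, now, ip, account, success):
        """Feed one auth event; return the alerts raised by this event."""
        raised = []
        if success:
            # A real login clears the per-account counter. The per-IP window is
            # left alone on purpose: a stuffing run still lands some valid pairs.
            self.account_failures[account].clear()
            return raised

        q = self.account_failures[account]
        q.append(now)
        while q and q[0] <= now - LOCKOUT_WINDOW:
            q.popleft()
        if len(q) >= LOCKOUT_FAILURES and not self.is_locked(account, now):
            self.locked_until[account] = now + LOCKOUT_WINDOW
            raised.append(("lockout", account, ip))

        ipq = self.ip_failures[ip]
        ipq.append((now, account))
        while ipq and ipq[0][0] <= now - STUFFING_WINDOW:
            ipq.popleft()
        distinct = {a for _, a in ipq}
        if len(distinct) >= STUFFING_ACCOUNTS and ip not in self.flagged_ips:
            self.flagged_ips.add(ip)
            raised.append(("credential_stuffing", ip, len(distinct)))

        self.alerts.extend(raised)
        return raised


def parse_line(line):
    """'2026-03-18T10:00:00Z ip=... user=... result=failure' -> (epoch, ip, user, ok)."""
    ts, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    epoch = int(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
                .replace(tzinfo=timezone.utc).timestamp())
    return epoch, fields["ip"], fields["user"], fields["result"] == "success"


# Constructed sample log: one IP hammering a single account, then a second IP
# spraying one attempt each across twelve accounts inside a minute.
SAMPLE_LOG = [
    f"2026-03-18T10:00:{s:02d}Z ip=203.0.113.7 user=alice result=failure"
    for s in (0, 10, 20, 30, 40)
] + ["2026-03-18T10:00:45Z ip=203.0.113.7 user=bob result=success"] + [
    f"2026-03-18T10:05:{i:02d}Z ip=198.51.100.9 user=u{i:02d} result=failure"
    for i in range(12)
]


def run_detection(lines):
    mon = AuthMonitor()
    for line in lines:
        mon.record(*parse_line(line))
    return mon


if __name__ == "__main__":
    for alert in run_detection(SAMPLE_LOG).alerts:
        print(alert)
```

Per-account lockout on its own is also a denial-of-service lever against a known username, which is why the stuffing signal is keyed on the source rather than the target; in production the per-IP state would live in the shared store the distributed rate limiter already uses, not in process memory.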

Threat Modeling

Formal threat model (FIMIL-TM-001) using STRIDE methodology covering the three highest-risk areas: scanner execution pipeline, authentication & session management, and multi-tenant data isolation. 16 threats identified with likelihood/impact scoring and prioritized remediation. Reviewed annually or upon significant architecture change.

Verified: March 2026

Incident Response

3/3

Incident Response Plan

Documented IR plan with four severity levels, defined response phases, escalation procedures, and communication templates.

Verified: March 2026

Breach Notification

Customer notification procedures documented with defined timelines aligned to GDPR (72-hour) and CCPA requirements.

Verified: March 2026

Audit Logging

40+ security-relevant event types logged with full attribution: actor, tenant, IP, user agent, and request correlation ID.

Verified: March 2026

Business Continuity

2/3

Backup & Recovery

Nightly encrypted backups to offsite storage (S3). Documented restore procedures with RTO of 4 hours and RPO of 24 hours.

Verified: March 2026

High Availability

Horizontal pod autoscaling with pod disruption budgets. Rolling deployments with zero-downtime guarantee and automatic rollback. Single-region deployment; multi-region failover and Redis HA planned.

Verified: March 2026

Disaster Recovery Testing

DR test completed successfully (March 2026). Backup restore validated with documented RTO/RPO. Semi-annual testing schedule established.

Verified: March 2026

Vendor Management

2/2

Vendor Risk Assessment

Three-tier vendor classification with documented risk assessments for all critical and significant vendors.

Verified: March 2026

Data Processing Agreements

DPAs executed with all vendors who process customer data. Exit strategies documented for critical vendors.

Verified: March 2026

Governance

3/4

Policy Framework

Comprehensive policy suite: ISMS, Access Control, Data Governance, Incident Response, Change Management, People Security, Vendor Risk Management.

Verified: March 2026

Risk Management

Formal risk assessment methodology with risk register, treatment plans, and annual review cycle.

Verified: March 2026

Independent Security Review

External penetration test and independent security audit planned.

Verified: March 2026

Continuous Compliance Monitoring

Continuous monitoring program with automated controls (Dependabot, Trivy, Falco, Cosign) and scheduled manual reviews (quarterly access reviews, semi-annual DR testing, annual risk assessment). Monthly vulnerability reporting and quarterly ConMon status reports.

Verified: March 2026

Supply Chain Security

4/4

Software Bill of Materials (SBOM)

Syft integrated as a scanner for customer repositories. SPDX SBOMs generated for all container images in CI/CD pipeline via anchore/sbom-action and retained as build artifacts.

Verified: March 2026

Build Provenance & Attestation

Cryptographic build provenance attestation generated via actions/attest-build-provenance for all container images. GitHub Actions CI/CD provides hosted build platform with OIDC-based identity.

Verified: March 2026
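Generating provenance is only useful if something checks it before deployment. The following is an added example (not Fimil's pipeline) of the policy step applied to a decoded SLSA v1 provenance statement after its signature has been verified out of band (for instance with `cosign verify-attestation` against the expected GitHub OIDC identity; the signature check itself is not part of this offline example). It requires the in-toto v1 statement type, the SLSA v1 predicate, the GitHub-hosted builder identity, the expected source repository and branch, and a subject digest equal to the image being deployed. The statement is constructed to mirror the layout emitted for GitHub Actions workflows; repository, workflow path and digests are placeholders.

```python
"""Policy checks on a decoded SLSA provenance statement.
Added example for this page, not Fimil's code; standard library only."""
import copy

INTOTO_STATEMENT_V1 = "https://in-toto.io/Statement/v1"
SLSA_PROVENANCE_V1 = "https://slsa.dev/provenance/v1"
GITHUB_HOSTED_BUILDER = "https://github.com/actions/runner/github-hosted"


def check_provenance(statement, image_digest, expected_repo,
                     allowed_refs=("refs/heads/main",)):
    """Return policy findings (empty list = accept). Fields are read with .get
    so a malformed statement yields findings rather than exceptions."""
    findings = []
    if statement.get("_type") != INTOTO_STATEMENT_V1:
        findings.append(f"unexpected statement type {statement.get('_type')!r}")
    if statement.get("predicateType") != SLSA_PROVENANCE_V1:
        findings.append(f"unexpected predicateType {statement.get('predicateType')!r}")

    subject_digests = {s.get("digest", {}).get("sha256") for s in statement.get("subject", [])}
    if image_digest not in subject_digests:
        findings.append("image digest is not among the attested subjects")

    predicate = statement.get("predicate", {})
    builder_id = predicate.get("runDetails", {}).get("builder", {}).get("id")
    if builder_id != GITHUB_HOSTED_BUILDER:
        findings.append(f"builder {builder_id!r} is not the GitHub-hosted runner")

    workflow = (predicate.get("buildDefinition", {})
                .get("externalParameters", {}).get("workflow", {}))
    if workflow.get("repository") != expected_repo:
        findings.append(f"built from {workflow.get('repository')!r}, expected {expected_repo!r}")
    if workflow.get("ref") not in allowed_refs:
        findings.append(f"built from ref {workflow.get('ref')!r}, not in {list(allowed_refs)}")
    return findings


IMAGE_DIGEST = "a" * 64  # placeholder sha256 of the image about to be deployed
EXPECTED_REPO = "https://github.com/example-org/example-app"  # placeholder

SAMPLE_STATEMENT = {  # constructed; layout mirrors GitHub Actions provenance
    "_type": INTOTO_STATEMENT_V1,
    "subject": [{"name": "ghcr.io/example-org/example-app", "digest": {"sha256": IMAGE_DIGEST}}],
    "predicateType": SLSA_PROVENANCE_V1,
    "predicate": {
        "buildDefinition": {
            "buildType": "https://actions.github.io/buildtypes/workflow/v1",
            "externalParameters": {"workflow": {
                "ref": "refs/heads/main",
                "repository": EXPECTED_REPO,
                "path": ".github/workflows/release.yml"}},
            "resolvedDependencies": [{"uri": f"git+{EXPECTED_REPO}@refs/heads/main",
                                      "digest": {"gitCommit": "b" * 40}}],
        },
        "runDetails": {"builder": {"id": GITHUB_HOSTED_BUILDER}},
    },
}


def tampered(statement, **changes):
    """Deep copy of the statement with selected fields altered, for negative tests."""
    s = copy.deepcopy(statement)
    wf = s["predicate"]["buildDefinition"]["externalParameters"]["workflow"]
    if "digest" in changes:
        s["subject"][0]["digest"]["sha256"] = changes["digest"]
    if "repository" in changes:
        wf["repository"] = changes["repository"]
    if "ref" in changes:
        wf["ref"] = changes["ref"]
    if "builder" in changes:
        s["predicate"]["runDetails"]["builder"]["id"] = changes["builder"]
    return s


if __name__ == "__main__":
    print("clean:", check_provenance(SAMPLE_STATEMENT, IMAGE_DIGEST, EXPECTED_REPO))
    fork = tampered(SAMPLE_STATEMENT, repository="https://github.com/attacker/example-app")
    print("fork:", check_provenance(fork, IMAGE_DIGEST, EXPECTED_REPO))
```

The repository and ref checks are what stop a fork or a feature branch from producing a deployable image with an otherwise valid attestation; the subject-digest check is what binds the statement to the exact image, since provenance for a different digest is still genuine provenance.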

Container Image Signing

All container images signed with Cosign (keyless via Sigstore/Fulcio) after vulnerability scanning passes. Signatures stored alongside images in the container registry.

Verified: March 2026

Dependency Integrity

Lockfiles (package-lock.json, poetry.lock) pin dependency versions. Dependency graph analysis distinguishes direct from transitive dependencies. Dependabot configured for automated dependency updates across all repositories.

Verified: March 2026

03 — Subprocessors

Vendors

Cloudflare (Global, anycast): CDN, DNS, DDoS protection, WAF. DPA available.

DigitalOcean (United States): Cloud infrastructure (compute, Kubernetes, managed database). DPA available.

GitHub (United States): Source code hosting, CI/CD, repository integrations. DPA available.

PostHog (United States): Product analytics (consent-gated). DPA available.

Resend (United States): Transactional email delivery. DPA available.

Stripe (United States): Payment processing and billing. DPA available.

Last updated: March 2026

Questions about subprocessors? [email protected]

06 — Changelog

Recent Updates

2026-03-18: TOTP MFA implemented. Two-step login with encrypted secrets and recovery codes.

2026-03-18: Argon2id password hashing. Migrated from bcrypt with transparent rehash on login.

2026-03-18: SLSA Build L2 provenance. Build attestation, SPDX SBOMs, and Cosign image signing in CI/CD.

2026-03-18: Cloudflare WAF deployed. Managed rulesets for OWASP Top 10 protection.

2026-03-18: DR test completed successfully. Backup restore validated with documented RTO/RPO.

2026-03-18: DSAR automation. GDPR data export and erasure admin endpoints.

2026-03-18: Threat model published. STRIDE methodology covering scanner pipeline, auth, and multi-tenancy.

2026-03-18: GPG signed commits required. Branch protection with required CI checks on all repositories.

2026-03-16: Dependabot configured. Automated dependency updates across all repositories.

2026-03-16: Encryption key rotation. MultiFernet versioned keys with re-encryption tooling.

Showing 10 of 11 entries.

Have security questions?

We're happy to answer security questionnaires, provide additional documentation, or schedule a call to discuss our security posture.