Trust & Security

This page describes the technical and organisational measures Faindo implements to keep your data secure. For full legal commitments, see our Privacy Policy and Data Processing Addendum.

Security contact: team@faindo.com

Infrastructure and hosting

Component	Provider	Details
Edge hosting & CDN	Cloudflare Workers	Global edge network; DDoS protection included
Database	MongoDB Atlas	Dedicated cluster; data encrypted at rest (AES-256)
Authentication	Firebase Authentication (Google)	Managed identity; password hashing; MFA support
API runtime	Cloudflare Workers	Stateless serverless; no persistent compute instances

Data is primarily hosted in the European Union (Frankfurt, eu-central-1 equivalent). Some subprocessors operate in the United States under applicable SCCs — see the subprocessor table below.

Encryption

In transit: TLS 1.2 or higher on all connections between client, edge, API, and database. HSTS is enforced on faindo.com.
At rest: MongoDB Atlas encrypts all data at rest using AES-256. Cloudflare Workers KV and storage are encrypted at rest by Cloudflare.
Authentication tokens: Firebase issues short-lived JWTs. Refresh tokens are managed by Firebase and are not accessible to Faindo application code.

Access control

Production database access is restricted to authorised Faindo personnel on a need-to-know basis.
Access is authenticated via MFA-enforced tooling.
Access events are logged and reviewed periodically.
No third-party vendor has broad production access unless contractually required and audited.

Vulnerability disclosure

If you discover a potential security vulnerability in the Faindo platform or infrastructure, please report it responsibly:

Email: team@faindo.com — include "Security" in the subject line.

We will acknowledge receipt within 2 business days and provide a resolution timeline. We do not pursue legal action against researchers who report vulnerabilities in good faith.

Please do not test against live customer accounts or production data without prior written authorisation.

Incident response

In the event of a personal data breach affecting Customer data, Faindo will:

Notify affected Customers within 72 hours of becoming aware of the breach.
Provide details of the nature of the breach, data categories affected, and measures taken to contain it.
Cooperate with regulatory authority notifications where required.

Full obligations are set out in Section 8 of our DPA.

Subprocessors {#subprocessors}

The following third parties process data on Faindo's behalf. Each is bound by a data processing agreement. Changes to this list are notified to Customers at least 30 days in advance per our DPA.

Subprocessor	Purpose	Location	Privacy / Security
Google LLC (Firebase)	Authentication	USA	Security overview
MongoDB, Inc. (Atlas)	Database	USA (EU clusters available)	Security overview
Cloudflare, Inc.	Edge hosting, CDN	USA (global edge)	Trust hub
Calendly, LLC	Demo scheduling	USA	Privacy Policy
PostHog, Inc.	Product analytics (consent-gated)	USA / EU	Security overview
Google LLC (Google Analytics)	Web analytics (consent-gated)	USA	Privacy overview
Meta Platforms, Inc. (Meta Pixel)	Marketing attribution (consent-gated)	USA	Privacy Policy
OpenAI, LLC	AI model queries	USA	Security overview
Anthropic, PBC	AI model queries	USA	Usage Policy
Google LLC (Gemini)	AI model queries	USA	Google Cloud Security
Perplexity AI, Inc.	AI model queries	USA	Privacy Policy
xAI Corp (Grok)	AI model queries	USA	Privacy Policy

Compliance

GDPR (EU 2016/679): Faindo is a processor under GDPR when processing personal data on behalf of Customers. See our DPA for processor obligations, including Standard Contractual Clauses for international transfers.
Data residency: Primary data is stored in EU regions. Contact team@faindo.com to discuss specific data residency requirements.

Questions

For security questions or to request a security summary, write to team@faindo.com.