Your cost data, handled with care
FINSIMUL is built around a simple principle: we ask for the least access we need, we never change anything in your accounts, and we keep your data isolated and encrypted.
Read-only access
FINSIMUL connects to your cloud billing exports using least-privilege, read-only access. For AWS this is a cross-account IAM role you create and control, scoped to billing and usage data — we cannot create, modify or delete resources in your accounts.
Encryption in transit & at rest
All connections to FINSIMUL use TLS. Data is encrypted at rest in our hosting environment. The customer portal is served over HTTPS only, with HSTS enforced.
Strict tenant isolation
Every customer's data is logically isolated. Access is enforced at the database layer with row-level security so that one customer can never see another's data — isolation does not depend on application code alone.
Secrets, not keys in files
Credentials and connection secrets are held in a managed secrets store and referenced at runtime — never hard-coded and never committed to source control.
Authentication
Portal sign-in uses Google OAuth via the secure server-side authorization-code flow. Access is limited to users your organisation has authorised, and sessions use secure, HTTP-only cookies.
Audit logging
Changes to managed data are recorded in an append-only audit log capturing who did what and when, supporting accountability and investigation.
Hosting
FINSIMUL runs on Amazon Web Services in the Asia Pacific (Sydney) region (ap-southeast-2). Network access to data stores is restricted, and infrastructure is defined as code.
Data retention
We retain customer cost data and personal data only as long as needed to provide the service and meet legal obligations. Default retention periods are set out in our Privacy Policy and Data Processing Addendum. Enterprise customers can agree custom retention terms. [Published defaults to be confirmed.]
AI processing
Cost data slices and your supplied context are sent to our AI provider to generate report analysis and recommendations. This sub-processor is disclosed in our Sub-processor list, and the data shared is limited to what the analysis requires.
Compliance roadmap
We follow recognised FinOps and security best practice and are building toward formal attestations. [SOC 2 Type II / ISO 27001 status and timeline to be confirmed before publishing.]
Reporting a vulnerability
We welcome responsible disclosure. If you believe you have found a security issue, please contact security@finsimul.com. Our machine-readable policy is published at /.well-known/security.txt.