Security at Finvis

Audit-grade by default.

Finvis sits in the middle of your finance stack — between your banks, your ERP, your tax authority, and your board. The security model has to match.

We're read-only on most data. Payments require BankID. Every action is logged. Every figure has a source. EU data residency by default.

  • Standards: ISO 27001 · In progress · 2026
  • Standards: SOC 2 Type II · Planned · 2027
  • Privacy: GDPR · Compliant · DPA available
  • Identity: BankID + MitID · Native · sign-in & approvals
  • Hosting: EU-only · Stockholm + Frankfurt

01 · Identity & access

BankID end-to-end.

Finvis uses Nordic eID for sign-in and for high-stakes actions like payment approval. Same identity, end to end, signed at the bank's level.

Email-and-password sign-in is available as a fallback. We don't allow email-only auth for payment approvals.

Sign-in
Sweden, Norway, Denmark, Finland

BankID, MitID, FTN. QR code cross-device flow on desktop, same-device on mobile.

Step-up
Re-auth before sensitive actions

Payment submission, settings changes, data export, and role changes require a fresh eID signature.

Roles
Per-tenant, not global

A user can be CFO at one tenant and Operator at another. Permissions are scoped to tenant.

02 · Data residency & privacy

Your data stays in the EU.

Customer data is stored in the EU. No exceptions, no US transfers for analytics.

Connectivo AB is the GDPR controller. Our DPA is available before contract signing.

Where your data lives

Primary region       Stockholm, Sweden
Failover region      Frankfurt, Germany
Backups              EU-only · encrypted
US data transfers    None

GDPR specifics

Controller           Connectivo AB
DPO contact          dpo@finvis.se
Right to erasure     ≤ 30 days
Data export          CSV + JSON, anytime

Subprocessors · 4 in total

Processor                  Purpose                                 Region   Data scope
AWS Frankfurt              Application hosting, primary database   EU       All customer data
Bankgirocentralen BGC      Bankgiro payment routing                SE       Payment instructions only
Finansiell ID-Teknik AB    BankID integration                      SE       Identity verification only
Postmark                   Transactional email                     EU       Email address + notification body

03 · Encryption & infrastructure

Encrypted everywhere it matters.

Customer data is encrypted at rest and in transit. Bank credentials and OAuth tokens are stored in HSM-backed key infrastructure.

We don't store bank passwords. Bank connections use Open Banking APIs and SFTP with key-based authentication.

In transit
TLS 1.3

All connections to and within Finvis use TLS 1.3 at minimum.

At rest
AES-256-GCM

Database storage and backups are encrypted. Sensitive fields use tenant-scoped keys.

Backups
Point-in-time recovery

35-day PITR window, EU-only, encrypted, with monthly restore tests.

04 · Audit & evidence

Every action, logged.

The product itself is the audit trail. Every transaction shows its source statement entry and every payment shows its lifecycle.

The audit log is exportable as CSV, PDF, or signed JSON for forensic verification.

Audit log event shape
8 events

timestamp       actor.action     object_type           actor                evidence
created_at      user.create      payment_instruction   authenticated user   eID signature
submitted_at    system.submit    payment_batch         bank channel         pain.001
accepted_at     system.receive   payment_batch         bank channel         pain.002 ACCP
statement_at    system.receive   statement             bank channel         camt.053
matched_at      system.match     cash_movement         reconciliation       confidence score

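As an added illustration (not Finvis code), a check a security team could run over a JSON export of this trail: it orders each payment's events by timestamp and reports lifecycle steps that are missing or out of order, and events that do not carry the evidence the shape above requires, such as a payment_instruction created without an eID signature. The field names, the payment_id link between events, and the sample events are assumptions; the page does not document the export schema.

```python
import json

# Expected lifecycle of one payment, in order: (actor.action, object_type, required evidence).
LIFECYCLE = [
    ("user.create",    "payment_instruction", "eID signature"),
    ("system.submit",  "payment_batch",       "pain.001"),
    ("system.receive", "payment_batch",       "pain.002 ACCP"),
    ("system.receive", "statement",           "camt.053"),
    ("system.match",   "cash_movement",       "confidence score"),
]

def _ev(pid, ts, action, obj, actor, evidence):
    return {"payment_id": pid, "ts": ts, "action": action,
            "object_type": obj, "actor": actor, "evidence": evidence}

# Constructed sample export. Field names and the payment_id link are
# assumptions; the page does not document the export's exact JSON schema.
SAMPLE_EXPORT = json.dumps([
    _ev("P-1", "2026-01-10T09:00:00Z", "user.create",    "payment_instruction", "authenticated user", "eID signature"),
    _ev("P-1", "2026-01-10T09:05:00Z", "system.submit",  "payment_batch",       "bank channel",       "pain.001"),
    _ev("P-1", "2026-01-10T09:06:00Z", "system.receive", "payment_batch",       "bank channel",       "pain.002 ACCP"),
    _ev("P-1", "2026-01-11T06:00:00Z", "system.receive", "statement",           "bank channel",       "camt.053"),
    _ev("P-1", "2026-01-11T06:01:00Z", "system.match",   "cash_movement",       "reconciliation",     "confidence score"),
    # P-2: created without an eID signature, never acknowledged by the bank, never matched.
    _ev("P-2", "2026-01-10T10:00:00Z", "user.create",    "payment_instruction", "authenticated user", "password"),
    _ev("P-2", "2026-01-10T10:05:00Z", "system.submit",  "payment_batch",       "bank channel",       "pain.001"),
    _ev("P-2", "2026-01-11T06:00:00Z", "system.receive", "statement",           "bank channel",       "camt.053"),
])

def trail_problems(events):
    """List every deviation of one payment's events from LIFECYCLE."""
    events = sorted(events, key=lambda e: e["ts"])  # ISO-8601 UTC strings sort chronologically
    missing = lambda steps: [f"missing {a} on {o} ({ev})" for a, o, ev in steps]
    problems, pos = [], 0
    for e in events:
        step = (e["action"], e["object_type"])
        nxt = next((i for i in range(pos, len(LIFECYCLE)) if LIFECYCLE[i][:2] == step), None)
        if nxt is None:
            problems.append(f"unexpected or out-of-order event: {step[0]} on {step[1]}")
            continue
        problems += missing(LIFECYCLE[pos:nxt])  # steps skipped before this one
        if e["evidence"] != LIFECYCLE[nxt][2]:
            problems.append(f"{step[0]} on {step[1]} carries '{e['evidence']}', expected '{LIFECYCLE[nxt][2]}'")
        pos = nxt + 1
    return problems + missing(LIFECYCLE[pos:])  # steps never reached

def check_lifecycle(export_json):
    """Map payment_id to its findings; payments with a clean trail are omitted."""
    by_payment = {}
    for e in json.loads(export_json):
        by_payment.setdefault(e["payment_id"], []).append(e)
    return {pid: p for pid, evs in by_payment.items() if (p := trail_problems(evs))}
```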
05 · Operations

Boring on purpose.

Most security incidents come from operational sloppiness, not exotic attacks.

We invest in separation of duties, code review, change management, on-call discipline, and post-incident reviews.

Engineering practice

  • Two-person review on every production change
  • Production access requires BankID + reason logged
  • No standing access to customer data
  • Quarterly access review

Incident response

  • 24-hour customer notification on confirmed incidents
  • 72-hour GDPR breach notification
  • Post-mortem for customer-impacting incidents
  • Status page at status.finvis.se

For your security team

Documents and contacts.

Most of what your security team needs is already public. The rest is available before contract signing under NDA.

Public documents

  • Privacy policy
  • Terms of service
  • Subprocessor list
  • Security whitepaper (PDF)
  • Cookie policy

Available under NDA

  • Penetration test reports
  • SOC 2 readiness gap analysis
  • Architecture diagrams
  • Disaster recovery tests

Direct contact

  • security@finvis.se
  • dpo@finvis.se
  • status.finvis.se

Have a security question we didn't answer?

Email us. We answer security questions before sales conversations, not after.

security@finvis.se