
What security measures has Finch implemented to protect user data and how have they been integrated into the company's APIs?

Jeremy Zhang

Co-founder & CEO at Finch

Security is very important for us, given that we're touching such sensitive employee and employer information. Before we even started, we had to think about our compliance infrastructure and ensure that we built Finch in a compliant, secure manner. 

Right now, we have SOC2, CCPA, GDPR, and we're in the process of getting our HIPAA compliance for our health insurance and health benefits companies. Some of our customers are compliance companies like Secureframe or Vanta. We work alongside them to make sure that our system is also as compliant as possible and, to this end, we use their internal security resources to help us to raise the bar.

The second thing we’ve done is just add a permissions layer to our infrastructure. We know that these systems have a lot of sensitive information, so we built our infrastructure to the point where, if an application doesn't need an SSN, it will never be able to touch an SSN, and that’s just one example.

Third is our initial stance of taking a passthrough approach in terms of making a request. Making a request through Finch means making a request to the end infrastructure, so we don't have to store any sensitive information like Social Security or income, and that minimizes our surface area for attacks.
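The two design choices described above, a permissions layer that keeps unneeded fields out of an application's reach and a passthrough that fetches from the upstream system on every request instead of storing it, can be shown in a small worked example. This is an added illustration, not Finch's code or API: the scope names, field names, employee record and the `fetch_from_provider` stand-in are all constructed for the example, and any field not mapped to a scope is denied by default.

```python
from typing import Any, Callable, Iterable

# Hypothetical scope -> field mapping (names invented for this example).
# A field not listed under any scope is deny-by-default: no grant can
# unlock it, so it never leaves the passthrough layer.
SCOPE_FIELDS: dict[str, frozenset[str]] = {
    "directory": frozenset({"id", "first_name", "last_name", "email"}),
    "individual.ssn": frozenset({"ssn"}),
    "payment.income": frozenset({"income"}),
}

# Constructed upstream record standing in for an HRIS/payroll response.
SAMPLE_EMPLOYEE: dict[str, Any] = {
    "id": "emp-001",
    "first_name": "Ada",
    "last_name": "Lovelace",
    "email": "ada@example.com",
    "ssn": "000-00-0000",           # placeholder, not a real SSN
    "income": 120000,
    "date_of_birth": "1815-12-10",  # mapped to no scope -> always stripped
}


def fetch_from_provider(employee_id: str) -> dict[str, Any]:
    """Stand-in for the live upstream call (hypothetical). Returns a fresh
    copy each time so nothing is shared or cached between requests."""
    if employee_id != SAMPLE_EMPLOYEE["id"]:
        raise KeyError(employee_id)
    return dict(SAMPLE_EMPLOYEE)


def allowed_fields(scopes: Iterable[str]) -> frozenset[str]:
    """Union of the fields unlocked by the application's granted scopes.
    An unknown scope contributes nothing rather than raising, so a typo
    in a grant fails closed."""
    allowed: set[str] = set()
    for scope in scopes:
        allowed |= SCOPE_FIELDS.get(scope, frozenset())
    return frozenset(allowed)


def filter_record(record: dict[str, Any], scopes: Iterable[str]) -> dict[str, Any]:
    """Drop every field the application is not scoped for."""
    allowed = allowed_fields(scopes)
    return {k: v for k, v in record.items() if k in allowed}


def stripped_fields(record: dict[str, Any], scopes: Iterable[str]) -> frozenset[str]:
    """Names of the fields the filter withheld. Suitable for an audit log
    entry that records which fields were withheld without logging values."""
    return frozenset(record) - allowed_fields(scopes)


def handle_request(
    employee_id: str,
    app_scopes: Iterable[str],
    fetch: Callable[[str], dict[str, Any]] = fetch_from_provider,
) -> dict[str, Any]:
    """Passthrough request: fetch upstream, filter by scope, return.
    The raw record is a local that is gone once this returns; the layer
    keeps no datastore, so there is nothing sensitive to protect at rest."""
    scopes = list(app_scopes)
    raw = fetch(employee_id)
    return filter_record(raw, scopes)


if __name__ == "__main__":
    print(handle_request("emp-001", ["directory"]))
    print(handle_request("emp-001", ["directory", "payment.income"]))
    print(sorted(stripped_fields(SAMPLE_EMPLOYEE, ["directory"])))
```

The filter runs on the response path, so an application that was never granted `individual.ssn` cannot obtain the field by asking for it, and `date_of_birth` shows the default-deny behaviour: because no scope maps to it, even an application holding every scope never sees it. Logging `stripped_fields` rather than the withheld values gives a record of enforcement without copying the sensitive data into the logs.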

Find this answer in Jeremy Zhang, CEO of Finch, on building a universal API for employment systems