Information Classification & Handling Policy & Program

Organization: Fintable, Inc.
Owner: Security & Compliance
Approved by: Rafael Jara
Approval Date: 2025 August 15
Review Cadence: Annual or upon material change

1) Introduction

Fintable, Inc. processes sensitive financial and personal information on behalf
of our customers. This Information Classification & Handling Policy & Program
outlines the classification of information and the mandatory handling
requirements for each class. It aligns with our public Privacy & Security Policy
(https://fintable.io/privacy-policy) and serves as the foundation for our
security controls, vendor management, and incident response.

The primary objectives of this program are to safeguard the confidentiality,
integrity, and availability of information. It also aims to fulfill legal and
contractual obligations, such as GDPR/CCPA compliance where applicable, and SOC
2/ISO 27001-aligned practices. Additionally, it facilitates safe and efficient
operations.

This document applies to all Fintable personnel, systems, and third parties
involved in processing Fintable data. It establishes controls throughout the
entire data lifecycle, including collection, access, storage, transmission,
sharing with processors, retention, and secure disposal. Furthermore, it
includes labeling rules, access control expectations, encryption standards,
monitoring measures, and data subject rights handling.

2) Purpose & Scope

The purpose of this policy is to ensure the proper classification and handling
of sensitive information within Fintable, Inc. It establishes guidelines for the
classification of information and the corresponding handling requirements for
each class. The scope of this policy extends to all personnel, systems, and
third parties that process Fintable data.

This policy establishes a common language and program for classifying
information and outlining the handling requirements for each class. It applies
to all Fintable personnel, including employees, contractors, and interns, as
well as to production and corporate systems. Additionally, it extends to third
parties processing Fintable data. The program aligns with Fintable’s published
Privacy & Security Policy (https://fintable.io/privacy-policy).

3) Authoritative References

- Fintable Privacy & Security Policy (available on the public website): This
policy outlines the separation of payment data from core service data, the use
of bank APIs, encryption in transit and at rest, the need-to-know access
principle, the approval of third parties, deletion practices, and breach notice
commitments.

4) Definitions

- PII (Personally Identifiable Information): Any data that can identify an
individual, such as their name, email, or phone number.
- Customer Financial Data (Core Service Data): This refers to transaction and
account information obtained through bank APIs specifically for syncing to
designated customer destinations, such as Airtable. It’s important to note that
Fintable does not collect or store bank credentials.
- Payment Information: Billing events are processed by Stripe, and Fintable does
not collect card or account numbers.

5) Data Classification Scheme

Fintable information is categorized into four levels of classification. The
examples provided below are illustrative and not exhaustive.

Class        | Definition                              | Typical Examples
-------------|---------------------------------------- |-----------------------------------
Public       | Approved for public release             | Marketing pages, public docs
Internal     | Business-as-usual non-sensitive info    | Internal process docs, general
             |                                         | metrics
Confidential | Operational data that could cause harm  | Support tickets, limited metadata,
             | if disclosed                            | non-public roadmaps
Restricted   | PII and Customer Financial Data;        | Names/emails/phones; transaction &
             | security secrets                        | account data from bank APIs; API
             |                                         | keys/secrets

Sharing & Access:
- Public: Unrestricted; no auth required
- Internal: Fintable personnel only
- Confidential: Need-to-know; manager or data owner approval
- Restricted: Strict need-to-know; least privilege; additional controls

Notes: Customer financial data and Personally Identifiable Information (PII) are
classified as Restricted at a minimum. Payment card data is not stored by
Fintable (Stripe processor model).

6) Handling Procedures (by lifecycle)

6.1) Collection & Purpose Limitation:

- Collect only the necessary data to provide the Fintable service and operate
the website/app (e.g., contact information, transaction and account data via
bank APIs to sync to destinations like Airtable).

6.2) Access Control & Least Privilege:

- Restricted data access is granted on a need-to-know basis. Production database
access is restricted and prohibited for junior personnel without a demonstrated
operational need. Viewing customer transaction data requires a specific customer
support request. Access reviews are conducted at least annually and upon role
changes.

6.3) Storage & Encryption:

In transit, SSL/TLS is used for all API connections and data movement. At rest,
sensitive secrets like Airtable API keys are encrypted or protected with strong
encryption. Error monitoring employs a self-hosted or on-premise tool to prevent
third-party leakage.

6.4) Transmission & Processing

Restricted data is transmitted only through encrypted channels and to approved
processors necessary for delivering the core syncing service (e.g.,
Plaid/Finicity/Tink, Airtable; Stripe for billing; analytics as disclosed).

6.5) Third-Party Management

Fintable restricts sharing to essential third parties, including Plaid,
Airtable, Stripe, and Google Analytics. No transaction data is sold without
explicit permission. Vendors must implement security measures at least as
stringent as Fintable’s requirements.

6.6) Retention

Restricted data is retained only as long as needed for its stated purpose and
legal obligations. Whenever possible, minimize the storage of transaction
payloads after successful syncing.

6.7) Deletion & Disposal

Transaction data is deleted from Fintable servers immediately upon the customer
clicking “Disconnect” from Airtable. Bank-related information (excluding
customer-identifying PII required for account purposes) is deleted upon request.
However, if third-party or system issues arise, manual deletion may take up to 6
months. Secure wipe processes are used for logical deletion, and media disposal
follows industry best practices.

6.8) Logging & Monitoring

Security logs are regularly reviewed, and code, logs, and databases are audited
for intrusions and violations. Automated stability and error monitoring is
performed on-premise.

7) Incident Response & Breach Notification

Fintable adheres to the Fair Information Practice Principles and commits to
emailing customers within 30 business days if a breach occurs. Incident Response
(IR) procedures encompass detection, containment, assessment, notification, and
lessons learned.

7.1) Data Subject Rights

Fintable responds to customer requests regarding their data in accordance with
published privacy commitments and applicable laws.

7.2) Analytics & Marketing

Visitor data that is not Personally Identifiable Information (PII) may be used
for marketing and analytics. Third-party behavioral tracking, such as Google
Analytics, is disclosed publicly. Internally, such data is treated as
Confidential at a minimum.

7.3) Children's Privacy

Fintable does not market to children under the age of 13.

8) Data Labeling & Handling Rules

Data labeling and handling are governed by specific rules:

- Public data: No special handling is required.
- Internal data: Data should be shared within Fintable and not published.
- Confidential data: Data should be marked as “Confidential,” stored in approved
systems, and shared only with personnel who need it.
- Restricted data: Data should be marked as “Restricted” and stored only in
approved encrypted systems, and access must require multi-factor authentication
(MFA). Copying to personal devices is prohibited, as is sharing in tickets or
Slack unless strictly necessary; use ephemeral links or redaction instead.

8.1) Roles and Responsibilities

Roles and responsibilities are as follows:

- Security & Compliance (Owner): Maintain this policy and conduct access
reviews, vendor risk reviews, and Incident Response exercises.
- Engineering: Implement encryption, logging, and the principle of least
privilege. Follow secure coding and deletion procedures.
- Support: Access Restricted data only with a tracked customer request and
adhere to redaction guidelines.
- All Personnel: Complete security training, report incidents immediately, and
follow classification and handling rules.
- Vendors/Processors: Protect Fintable data as per agreements and notify
Fintable of incidents affecting our data.

9) Training & Awareness

New hires complete security and privacy training within 30 days. All personnel
retrain at least annually, including classification and handling expectations.

10) Exceptions

Temporary exceptions require Security & Compliance approval, documented
justification, compensating controls, and an expiry date.

11) Review & Maintenance

Security & Compliance reviews this policy at least annually and upon significant
changes in systems, vendors, or legal requirements. Public-facing privacy
content is also reviewed for consistency.

Appendix A — Classification Matrix (Examples)

Data Element                             | Class                        | Rationale / Handling
-----------------------------------------|------------------------------|-----------------------------
Website marketing content                | Public                       | Approved for public release
Customer name, email, phone              | Restricted (PII)             | Identify a person → encrypt
                                         |                              | at rest; least privilege;
                                         |                              | log access
Transaction payloads (date/amount/       | Restricted (Customer         | Highly sensitive financial
merchant) & account balances obtained    | Financial Data)              | data → limit processing to
via bank APIs                            |                              | sync purpose; encrypted in
                                         |                              | transit/at rest; strict
                                         |                              | access; delete on
                                         |                              | disconnect
Payment card data                        | N/A at Fintable              | Processed by Stripe; not
                                         | (processor-handled)          | collected or stored by
                                         |                              | Fintable
Airtable API keys (customer-provided)    | Restricted (Secrets)         | Encrypted at rest; rotate
                                         |                              | on compromise; minimal
                                         |                              | exposure
Error logs (on-premise monitoring)       | Confidential → Restricted    | On-prem; avoid sensitive
                                         | if containing PII            | payloads; scrub/redact
Analytics events (non-PII)               | Confidential                 | Limit to disclosed purpose;
                                         |                              | vendor list as published

Approved By:

Rafael Jara
Vice President

Electronically Signed By:

Rafael Jara

Date: 2025-10-10 17:32:56

Document Hash: ec3658e3c3bb05ea7bd2b965e193156b