Figg – Risk Management

Figg Architecture
TL;DR: Figg is a safe and secure platform for users to track, build, and share their financial insights easily and flexibly. This page provides a high-level overview to assure users of Figg’s trustworthiness. The purpose of this program is to identify, evaluate, and remediate risks and security threats relevant to Figg’s business.

The Figg CEO reviews this program and updates this document at least quarterly to maintain accuracy and relevance, and to align security and risk posture with industry best practices as the company scales. All updates are communicated to Figg employees and contractors as necessary.

Priority
At Figg, our first priority is always security and privacy. While our remarkable user experience motivates the team to innovate every day, the safety of our users’ data remains our top priority. We understand that without our users’ trust, any technical product cannot go far. Therefore, we reassure our customers that their data is securely handled in every area of the platform.

Your Data
Figg uses third-party data service providers, such as Flanks, to connect users to their financial institutions with bank-grade security. Our servers will never see or store any financial account credentials. We only maintain read-only access to users’ data and fetch it on demand. We do not have the ability to move funds of any kind, transact in any way and we never access information without users’ permission.

The Advanced Encryption Standard (AES-256) and Transport Layer Security (TLS) ensure that users’ personal information is safe. Moreover, we never sell users’ data. We are solely funded by subscriptions and support from our users.

Our Architecture
Figg never sees, stores, or copies users’ financial account credentials. Even in the unlikely event of server breaches, users’ credentials remain entirely safe. Our computing layer is built on top of AWS, leveraging its most secure settings for computing cluster, network, and storage.

All financial data is fetched live during user sessions and used in memory for calculation. Occasionally, an ephemeral local cache could be employed to improve user experience. Users have their own individual space to handle their data connections and computing logic application. In Figg, users can create unlimited documents to organise, edit, and configure their financial insights. Every document serves as a snapshot of live data and connects and refreshes when the user session is on.

Security & Privacy

Security & Privacy is our top priority. Using our platform guarantees the following:

– Each individual space is not accessible by others without the owner’s access privilege.
– No one can access a user’s space, including Figg employees, unless the user requests us to diagnose an account issue.
– When a user shares a document as a template, they can obfuscate their snapshot information to some random values.
– Users have the right to close their Figg account at any time, and all their account information, documents, and shared information will be removed permanently from our systems.
– We heavily vet third-party services, such as Flanks, to ensure trusted data connections that undergo rigorous security audits and comply with internationally recognised security standards, such as ISO 27001, ISO 27701, and SSAE18 SOC 2.

Information Security
As a software company, Figg acknowledges information security risks. The program scope covers the following risk areas:

– Figg Production Environment.
– Auxiliary Production Environment Services, such as third-party vendor services and APIs, like Flanks, critical to the operation of the Production Environment.
– Corporate Environment, including contents and access to key cloud-based SaaS tools, like Google Workspace, Slack, and Github, where important documents and communications are maintained.

Deeper Look into the Architecture
Figg operates at three layers when connecting users to their financial data:

– Layer-1: Data Source: Figg partners with the widely used data service Flanks to connect users to their financial institutions for information like transactions and account balances. Figg fetches data on demand using Flanks data API.
– Layer-2: Data Computing: Figg computing layer is built on top of AWS, with every user having their own individual space to handle their data connection and computing logic application. Figg does not store users’ financial data anywhere or make any copy of it. Data resides only in the memory of the cluster during user sessions.
– Layer-3: Data Display: The Figg app is the user interface where users sign in using their credentials. After signing out of the app, no track or trace of users’ data is left in the browser. Every document in Figg serves as a snapshot of live data and connects and refreshes when the user session is on.

Permissions & Data Access Management
Physical Access risks are via employees, contractors, and vendors, and risk mitigation is delegated to those parties. Figg guarantees the following:

– Each individual space is not accessible by others without the owner’s access privilege.
– No one can access a user’s space, including Figg employees, unless the user requests us to diagnose an account issue.
– When a user shares a document as a template, they can obfuscate their snapshot information to some random values.
– Users have the right to close their Figg account at any time, and all their account information, documents, and shared information will be removed permanently from our systems.

Asset Management
Figg does not currently maintain physical assets. All employees, contractors, and vendors provide their own devices and are responsible for the maintenance and disposition of those devices. These devices access Corporate and Production environments through cloud-based SaaS software.

Vendor Management
Figg relies heavily on SaaS and Professional Services vendors. All vendors must be established, credible, and follow established information security practices. They must be recorded in the Figg vendor log, and Figg imposes information security requirements on them.

Employees and Contractors
Employees and contractors developing features used by customers must maintain familiarity with Figg’s best security practices. Employees and contractors accessing Production or Corporate Networks and Environments must familiarise themselves with this Information Security program.

They must provide their own computing devices, maintain appropriate physical security of those devices, and install appropriate anti-virus and anti-malware software. Figg will reimburse employees for security measures. Contractors must follow the standard in all contracts. Further employment screening practices will be enhanced as Figg scales.

More Questions
Figg welcomes questions and discussions from users. Please join our user community or reach out to us directly at [email protected]