Section A: Terms of Service
Executive summary
Finsider, Inc. (“Finsider”) provides a financial analytics SaaS that ingests accounting, banking, and tax data. These Terms govern accounts, use, data handling, integrations, security, subprocessors, payments, suspension and termination, indemnities, liability limits, Wyoming law, and AAA arbitration. The DPA, Security Schedule, Subprocessor Appendix, No Training Addendum, and Data Retention Schedule form part of these Terms.
1. Acceptance of terms and account registration
- By creating an account or using the Service, you accept these Terms on behalf of yourself or the business you represent and you warrant authority to bind that business.
- Users must be at least 13. Users aged 13 to 17 may use the Service only with parent or guardian consent. Users under 13 are not permitted.
- You must provide accurate registration and billing details and keep credentials secure.
2. Authorized users, access, and credentials
- You may authorize employees, contractors, or advisors to access the Service. You are responsible for their actions and for compliance with these Terms.
- Credentials are individual and must not be shared. You must promptly disable access for departed personnel.
3. Services, beta features, and modifications
- The Service provides data ingestion, analytics, reporting, and alerting. Pre-release features labeled beta are provided as is and may change or be withdrawn.
- We may modify the Service. If a change materially reduces core functionality, you may terminate the affected Service and receive a prorated refund of prepaid fees.
4. Customer Data, financial data sources, and data portability
- Customer Data means data you or your users provide or connect, including accounting, banking, tax, documents, and outputs.
- You own Customer Data. We process Customer Data to provide the Service and for other uses permitted in these Terms and the Privacy Policy.
- Portability. During the term and for 30 days after termination, you may request a machine readable export. After retention windows lapse, data is deleted per the Data Retention Schedule.
5. Third party integrations and APIs
- Railz authorization. During onboarding you authorize Railz to connect to your accounting and banking systems so we can ingest the necessary data.
- Doable as processor. Doable operates only as Finsider’s processor. Users do not authorize Doable to connect to their accounting or banking systems; Doable receives only the data Finsider passes to it and acts on our documented instructions under the DPA, including the No Training Addendum.
- Other subprocessors. We maintain a Subprocessor Appendix. We provide 30 days advance notice of additions or replacements and offer an objection process as set out in the DPA.
6. Acceptable use and prohibited activities
You will not: break laws, infringe IP, upload malicious code, probe or attack the Service, resell without consent, scrape, misrepresent identity, harass or discriminate, or use outputs to develop competing models or services. AI outputs are informational and may be inaccurate. Do not rely on them as professional advice without independent review.
7. Intellectual property, feedback license, and open source notices
- We own the Service and all related IP. You receive a limited, non exclusive, non transferable license to use the Service for your internal business purposes during the term.
- Feedback. You grant us a royalty free, worldwide, irrevocable license to use feedback to improve the Service.
- Open source components are provided under their respective licenses. Notices are available upon request.
8. Confidentiality and data security obligations
- Each party will protect the other’s Confidential Information using at least reasonable care and will use it only to perform under these Terms.
- Security. We implement controls consistent with industry standards, including AES 256 encryption at rest, TLS 1.2 or higher in transit, access control, logging, vulnerability management, and tested backups. We maintain a SOC 2 Type 1 report covering the Security Trust Services Criteria. A Type 1 report attests to the design of controls at a point in time, not to their operating effectiveness over a period; we hold no other attestations or certifications at this time.
9. Subprocessors and 30 day advance notice
- We remain responsible for subprocessors. We will flow down confidentiality, security, no training, deletion, and assistance obligations.
- We will provide 30 days advance notice for new or replacement subprocessors through a public page or email subscription. If you reasonably object, we will work in good faith to mitigate. If unresolved, you may terminate the affected Service and receive a prorated refund.
10. Service levels, support, maintenance, and disaster recovery
- Target uptime 99.5 percent monthly, excluding scheduled maintenance, force majeure, and beta features.
- Support hours 9 a.m. to 5 p.m. Eastern Time, Monday to Friday, excluding holidays.
- Disaster recovery. We maintain documented backup and recovery plans and conduct periodic restore tests.
11. Payment, taxes, free trials, and fee changes
- Fees are stated in your order or online plan. You authorize charges to your payment method. Fees are non refundable except where these Terms state otherwise.
- Taxes. Fees exclude taxes. You are responsible for applicable taxes other than our income taxes.
- We may change fees for renewal terms with advance notice on our site or by email.
12. Term, suspension, and termination
- Term runs from activation until terminated. Either party may terminate for material breach not cured within 30 days of notice.
- We may suspend for nonpayment, security risk, or unlawful use. We will notify when practicable.
13. Data return and deletion on termination
- Upon termination or request, we will return Customer Data in a machine readable format. We will delete Customer Data following the Data Retention Schedule and provide a deletion confirmation upon request.
14. Warranties and warranty disclaimers
- Each party warrants it has authority to enter these Terms. The Service is provided as is and as available. We disclaim implied warranties to the maximum extent permitted by law.
15. Indemnification
- We will defend and indemnify you against third party claims that the Service infringes IP, conditioned on your prompt notice and cooperation, and our control of defense and settlement. We may procure rights, modify the Service, or refund fees for the remaining term if continued use is enjoined.
- You will defend and indemnify us for third party claims arising from Customer Data, your use in violation of law or these Terms, or combinations not provided by us.
16. Limitation of liability
- Cap. Each party’s aggregate liability arising out of or relating to these Terms is limited to the fees you paid for the Service in the 12 months before the first event giving rise to liability.
- Exclusions. Neither party is liable for indirect, incidental, special, consequential, or punitive damages, or lost profits or revenues, even if advised of the possibility.
- Carve outs. The cap does not apply to your payment obligations, your violation of our IP rights, or your indemnity obligations.
17. Compliance, export controls, sanctions, and anti corruption
You will comply with applicable export, sanctions, and anti corruption laws. You will not use the Service in prohibited jurisdictions or for prohibited end uses.
18. Governing law and venue
Wyoming law governs these Terms, without regard to its conflict of laws rules. The United Nations Convention on Contracts for the International Sale of Goods (CISG) does not apply.
19. Informal dispute resolution, arbitration, and class action waiver
- Informal resolution period of 30 days after written notice of dispute.
- Binding arbitration under the AAA Commercial Arbitration Rules, seated in Wyoming, conducted in English before a single arbitrator. Judgment may be entered on the award.
- Claims are brought only on an individual basis. No class or representative actions.
20. Notices, assignment, force majeure, entire agreement, and order of precedence
- Notices must be sent to the contacts in your account by email or certified mail.
- Assignment requires consent, except to an affiliate or upon a change of control with assumption of obligations.
- Neither party is liable for delays caused by events beyond reasonable control.
- These Terms, including incorporated exhibits, are the entire agreement. Order of precedence: Order Form, these Terms, exhibits.
21. Definitions and interpretation
Key defined terms include Customer Data, Subprocessor, Confidential Information, Personal Data, Processing, and Service.
22. Incorporated exhibits
- Data Processing Agreement
- Security Schedule
- Subprocessor Appendix
- No Training Addendum
- Data Retention Schedule
23. Change log and effective date
- Effective date: October 1, 2025
- Changes in this version:
  - Added Wyoming governing law and AAA arbitration.
  - Tightened the No Training Addendum to allow customer scoped tuning and admin review while blocking foundation model training.
  - Added narrow audit language tied to SOC 2 Type 1 reports only.
  - Clarified Railz authorization at onboarding and Doable as processor only.
  - Set 24 hour breach notice.
Section B: Privacy Policy
Executive summary
This policy explains what we collect, how we use it, how long we keep it, how we secure it, who we share it with, your rights, and how to contact us. We process financial and account data to deliver analytics and insights. We use Railz with your authorization at onboarding. Doable operates as our processor and does not receive a user authorized sync. We prohibit training of foundation or general purpose models on your data.
1. Overview and scope
Applies to our web app, APIs, sites, and support channels. Does not apply to third party sites we do not control. We are a controller for account data and a processor for some connected financial data.
2. Categories of personal data
- Account and billing: name, email, company, address, payment details.
- Financial: accounting, banking, payroll, tax data retrieved via Railz with your authorization.
- Usage and device: logs, events, IP, device identifiers, diagnostics.
- Support and communications: tickets, emails, feedback, attachments.
No intentional collection of children’s data. Under 13 not permitted. 13 to 17 with guardian consent only.
3. Sources and integrations
- Directly from you.
- From integrated services you authorize, including Railz.
- From automated technologies like cookies and SDKs.
4. Purposes and legal bases, plus CPRA notice at collection
- Provide and secure the Service, fulfill contracts, and support users (legal basis where GDPR applies: performance of a contract).
- Improve features, quality, and reliability using aggregated metrics and controlled admin review (legitimate interests).
- Comply with law and enforce the Terms (legal obligation and legitimate interests).
- Communications and limited marketing with opt out options (legitimate interests, or consent where the law requires it).
CPRA notice at collection: the categories in section 2, the purposes above, and the retention periods in section 5 together form our notice at collection. We do not sell or share personal information for cross context behavioral advertising.
5. Data minimization, accuracy, and retention
We collect the minimum necessary and keep it only as long as needed. Retention Schedule summary:
- Account and billing: life of account plus 90 days.
- Financial source data: 7 years from end of the fiscal year of collection.
- App logs: 1 year.
- AI interaction logs for quality and support: 30 days.
- Backups: rolling 30 days.
On request we will issue a deletion confirmation stating scope and timestamp of deletion.
6. Sharing and disclosure
We share with processors that help provide the Service, professional advisors under confidentiality, lawful requests, and in change of control events. We do not sell personal information.
7. No Training Addendum summary
We do not allow any vendor to use Personal Data or Customer Data to train or improve a foundation or general purpose model for other customers. We may review prompts and responses to improve answer quality. We may tune customer scoped components like prompts, retrieval indices, and private adapters that serve only that customer. We may use de identified, aggregated telemetry to improve reliability and safety.
8. Cross border transfers
For transfers from the EEA and UK we use SCCs and the UK addendum as applicable and apply supplementary measures such as encryption, access control, and segregation.
9. Security measures
AES 256 at rest, TLS 1.2 or higher in transit, access control, MFA for admins, logging, vulnerability management, backups and restores, and SOC 2 Type 1 for Security.
10. Incident response and breach notification
We will notify affected customers without undue delay and no later than 24 hours after becoming aware of a personal data breach. The notice will describe the nature of the breach, its likely consequences, and the measures taken or proposed. Where not all of this information is available within 24 hours, we will send an initial notice and supplement it without undue delay as facts are confirmed. Our processors must notify us promptly so that we can meet this commitment.
11. Cookies, analytics, and preferences
We use cookies for session management, analytics, and fraud controls. Where required, we display a consent banner and honor preferences. A cookie list is available on request.
12. Data subject rights
Access, deletion, correction, portability, restriction, and objection where applicable. California residents may opt out of sale or sharing, which we do not perform. Submit requests to privacy@finsider.ai or through our DSAR form. We verify identity and respond within 30 days.
13. Children’s data
Not intended for children under 13. If we learn we collected such data, we will delete it.
14. Contact details
Controller: Finsider Inc., Cheyenne, Wyoming, United States
Email: privacy@finsider.ai
DPO: dpo@finsider.ai
EU representative: provided upon request
15. Policy updates and version history
We will post updates with a new effective date and keep prior versions for reference. Effective date: October 1, 2025.
Section C: Research Appendix and Compliance Crosswalk
Notes on alignment
- References used as market baselines for structure and tone. Finsider’s policies go deeper to satisfy diligence for finance oriented customers.
- We shortened audit rights to a reports based approach, consistent with many SaaS DPAs, while still allowing a narrow, law compelled document review.
Compliance crosswalk table
| Source | Requirement | Where addressed | Notes |
| --- | --- | --- | --- |
| GDPR Art 28 processors | Documented instructions, confidentiality, security, assistance, delete or return, subprocessor authorization | DPA secs 2, 3, 4, 6, Subprocessor Appendix | Flow down to Doable and all subprocessors |
| GDPR Art 32 security | Appropriate technical and organizational measures including encryption and testing | Security Schedule and Privacy sec 9 | AES 256, TLS 1.2+, access control, backups, restore testing |
| GDPR Art 33 breach | Processor to controller without undue delay (Art 33(2)); controller to supervisory authority within 72 hours where feasible (Art 33(1)) | Privacy sec 10, ToS change log | Finsider commits to notify customers within 24 hours, which leaves customers acting as controllers time to meet their own 72 hour authority deadline |
| GDPR Art 20 portability | Provide machine readable copy and transmit where feasible | ToS sec 4 and Privacy sec 12 | Export on request during the term and for 30 days after termination; DSAR responses within 30 days |
| CPRA notice and rights | Notice at collection, no sale or sharing, rights handling, retention disclosure | Privacy secs 4, 5, 11, 12 | DSAR process, retention schedule, no sale or sharing |
| SOC 2 Security TSC | Security controls and evidence via SOC 2 | Security Schedule, DPA audit clause | SOC 2 Type 1 only, no other frameworks claimed |
Harmonization and deviations
- Set breach notice to 24 hours to meet finance client expectations.
- Introduced a tuned No Training Addendum that allows admin review and customer scoped tuning while prohibiting foundation model training.
- Replaced open ended audit rights with a reports based clause centered on SOC 2 Type 1 and pen test summaries, with a narrow, law compelled document review option.
- Added explicit Railz onboarding authorization and clarified that Doable is a processor without user authorized sync.
Incorporated Exhibits
Data Processing Agreement – key terms
- Processing on instructions only. We and our processors process Customer Data only on documented instructions.
- Confidentiality. Personnel are bound by confidentiality obligations.
- Security. Technical and organizational measures are listed in the Security Schedule.
- Subprocessors. Prior authorization through the Subprocessor Appendix. 30 day advance notice of changes. Flow down of obligations.
- Assistance. We will assist with security, breach notifications, DPIA responses, and data subject requests as relevant to the Service.
- Deletion and return. On termination, delete or return Customer Data and provide deletion confirmation upon request.
- Transfers. Use SCCs or other valid mechanisms for cross border transfers.
- Audit and information rights – narrow form.
  - Compliance information: we will provide a current SOC 2 Type 1 report, penetration test executive summary, and core policies under NDA.
  - Third party reports satisfy audit. No on site inspection.
  - Exceptional reviews: only if legally required by a competent authority, limited to relevant controls, remote document review, business hours, 30 days’ notice, once per 12 months, excluding source code, trade secrets, unrelated systems, and other customers’ data.
  - No penetration testing, vulnerability scanning, or other intrusive testing of the Service by Customer.
  - Cost allocation: each party bears its own costs. If we incur material costs to accommodate a law compelled review, Customer will reimburse reasonable out of pocket expenses.
  - Subprocessors: we will obtain comparable attestations and share summaries upon request.
Security Schedule
- AES 256 encryption at rest, TLS 1.2 or higher in transit.
- Access control and MFA for admins. Least privilege and quarterly access reviews.
- Logging and monitoring for security events. Alerting on suspicious activity.
- Vulnerability management with periodic scans and remediation tracking.
- Backups with 30 day retention and periodic restore tests.
- Change management and secure software development practices including code review.
- Business continuity and disaster recovery plans with documented recovery time objective (RTO) and recovery point objective (RPO) targets.
- Evidence available under NDA: SOC 2 Type 1 report for Security and pen test executive summary.
Subprocessor Appendix
- Public list maintained at a URL or document provided on request. Includes hosting, email, analytics, support, and AI processors.
- Change process: 30 days advance notice before adding or replacing a subprocessor. Subscription option for updates.
- Objection process: Customer may object on reasonable privacy or security grounds. We will work to mitigate or propose alternatives. If unresolved, Customer may terminate the affected Service and receive a prorated refund.
No Training Addendum – tuned
- No foundation model training. Neither Finsider nor any processor will use Customer Data to train, fine tune, or improve a foundation or general purpose model available to other customers.
- Admin review and answer refinement. Authorized staff may review prompts, outputs, and metadata to improve answer quality, safety, and relevance.
- Customer scoped tuning permitted. Tuning limited to the Customer’s environment, including prompt templates, retrieval indices, rules, safety filters, and private adapters or fine tunes that are not reused for other customers.
- De identified telemetry. We may use de identified, aggregated telemetry about usage, latency, and failure types to improve reliability and safety.
- Processor flow down and configuration controls. All processors must honor this Addendum. Where a processor offers a setting that excludes customer data from model training (a no train flag or equivalent), we will enable it and rely on contractual terms for the rest. Processors that cannot honor this Addendum are not permitted.
- Deletion. Upon termination or request, processors must delete Customer Data and derived artifacts not required to provide the Service and provide deletion confirmation.
Data Retention Schedule
- Account and billing data: life of account plus 90 days.
- Financial data retrieved via Railz: 7 years from end of fiscal year of collection.
- Application logs: 1 year.
- AI interaction logs: 30 days.
- Backups: rolling 30 days. Customer Data deleted from production systems remains in backups until those backups age out of this window.
- Deletion confirmations available upon request.
Section D: Redlines needed and open questions
- Liability cap multiplier. The current draft caps liability at 1x fees paid in the prior 12 months. Do you prefer 2x for a more customer friendly posture, or keep 1x?
- Service credits. If you want formal SLA credits for uptime shortfalls, specify thresholds and credit percentages.
- EU representative. Provide the vendor details if you want them embedded rather than shared on request.