FinancialForce applications were designed from the ground up using core information security principles:

  • Confidentiality. Prevent the disclosure of information to unauthorized individuals or systems.
  • Integrity. Maintain and assure the accuracy and consistency of data over its entire lifecycle.
  • Availability. Ensure the information is available when needed.

FinancialForce is committed to achieving and maintaining these principles and the trust of our customers. Integral to this is providing a robust information security and privacy program that carefully considers security and data protection across our services, including data submitted by customers to our services (“customer data”). Over 1000 customers in 34 countries trust FinancialForce applications. Our customers are in a wide range of verticals, some with stringent security requirements, including financial services, healthcare, technology, energy and government.

Security at FinancialForce

FinancialForce has a dedicated Information Security function led by our Chief Information Security Officer and driven by a risk-based information security strategy. Our security policy and standards, controls and verification efforts are designed to protect customer information assets against a range of rapidly evolving threats. Our Information Security Program includes identifying, mitigating and reporting on information and cyber security risks, and complying with security and privacy regulations and commitments.

Our Shared Security Profile

We use Whistic, a leading vendor risk management platform, to communicate and share our  overall security profile which contains relevant audit reports, assessment reports, insurance, policies, and industry-standard questionnaires such as the CSA CAIQ & VSA.  Customers without an NDA can request access to our limited Shared Security Profile here.  Customers with an NDA who wish to access our full profile which includes the documentation mentioned above can get in touch with your FinancialForce Account Executive.

Attack Surface Management

FinancialForce uses state-of-the-art security technology to protect our digital landscape, including input from industry leading vendors and custom-built Attack Surface Management solutions designed to harden and reduce our attack surface.

Cloud Security Alliance

As part of our commitment to Trust, FinancialForce has made available to the public a detailed description of our cloud security controls under the Cloud Security Alliance (CSA) STAR Level 1 - Self-Assessment program. This self-assessment uses the CSA Consensus Assessments Initiative Questionnaire to answer nearly 300 standardized questions that provide transparency into cloud vendor security practices and controls supporting their cloud service delivery and applications.


FinancialForce Applications

Service Organization Controls (SOC) Reports

aicpa soiAs part of our commitment to Trust, FinancialForce maintains the American Institute of Certified Public Accountants (AICPA) Service Organization Controls (SOC 1 Type II, SOC 2 Type II and SOC 3) attestations. The SOC 1 Report helps to provide FinancialForce customers with the assurance that our applications are developed and delivered in accordance with transparent standards designed for quality and security. The SOC 2 Report gives assurance over controls around security, availability, and confidentiality of customer data. The SOC 3 Report report outlines information related to a service organization's internal controls for security and confidentiality, as principles in-scope for FinancialForce.

The SOC Reports provide our customers assurance that the FinancialForce Description of Services is fairly presented in all material respects, that controls put in place by FinancialForce are suitably designed to meet their control objectives, and that those controls were tested and operated effectively during the audit period.

To download a copy of the FinancialForce SOC 3 Report, click here.

If you would like to request a copy of our SOC 1 Type II or SOC 2 Type II Reports, please get in touch with your FinancialForce Account Executive.


The safety, security and availability of our customers' data is a top priority of FinancialForce. As part of this commitment, FinancialForce supports compliance with the U.S. Health Insurance Portability and Accountability Act (HIPAA) by our customers that are covered entities or business associates under HIPAA.

FinancialForce complies with the requirements of the HIPAA Security Rule that apply to FinancialForce in its capacity as a business associate. In addition, FinancialForce applications provide configurable security features that can help our customers address their security and compliance requirements under HIPAA.

FinancialForce customers that are subject to HIPAA and wish to use our applications for electronic Protected Health Information (ePHI) must first sign a FinancialForce business associate addendum.

Please review our FinancialForce and the HIPAA Security Rule whitepaper for an overview of FinancialForce application features and controls relevant to the HIPAA Security Rule and how our customers can leverage those controls to meet HIPAA compliance requirements.

Additional Security Resources

FinancialForce Privacy and Data Protection
FinancialForce Security Whitepaper

If you have a security or privacy related question, comments or concerns please contact us.