Trust
Trust Center
Finn runs regulated voice conversations at scale. Our information security, service management, and quality systems are independently certified and open to verification — the certificate numbers below can be checked directly with the issuing body.
Issued by UKBIZ Certification Inc, EUAS-accredited — all three certificates valid through 18 May 2028 and verifiable with the issuing body.
Independently audited
Certifications
Verify with issuerISO/IEC 27001:2022
Information Security Management
- Certificate
- UKBIZ/25D/ISMS/0062
- Issued
- 19 May 2025
- Valid through
- 18 May 2028
ISO/IEC 20000-1:2018
IT Service Management
- Certificate
- UKBIZ/25G/ITMS/0061
- Issued
- 19 May 2025
- Valid through
- 18 May 2028
ISO 9001:2015
Quality Management
- Certificate
- UKBIZ/25K/QMS/0060
- Issued
- 19 May 2025
- Valid through
- 18 May 2028
SOC 2 Type II
Audit in progressOur observation window is underway with A-LIGN, an independent audit firm, with the report expected August 2026. We are not SOC 2 attested today and the report is not yet available for distribution — when A-LIGN completes the audit we will publish it here alongside the certificates above.
HIPAA Business Associate Agreement
For enterprise customers processing PHI. Executed per engagement.
Request via emailStandard Contractual Clauses
Executed copy with completed annexes for EU, UK, and Swiss transfers.
Request via emailISO 27001 Statement of Applicability
Annex A control detail, shared under NDA.
Request via emailCertified scope. Real-time AI voice agents that handle outbound and inbound calls, automating conversations, bookings, and support with natural, human-like speech and system integrations.
Issued by UKBIZ Certification Inc, accredited by EUAS — Euro Universal Accreditation Systems. Certificates are subject to annual surveillance audits.
Security & data protection
Compliance is the floor, not the ceiling.
Voice is regulated. Healthcare, finance, insurance, legal — Finn was built to run there from day one.
A certified information security management system
Rather than ask you to take our word for it, we point at the audit. Our ISMS is certified to ISO/IEC 27001:2022 for the scope above — the standard whose Annex A controls cover access control, cryptography, operations security, logging and monitoring, supplier relationships, and incident management. Certification was assessed by an independent, EUAS-accredited body and is maintained through annual surveillance audits.
Customers under NDA can request our Statement of Applicability and control detail through their account team.
Data residency
Your workspace's storage region is assigned at provisioning, and call recordings and transcripts come to rest there. Regional separation falls within the scope of our ISO/IEC 27001 certification.
For the region assigned to your workspace, or a written residency attestation for a vendor review, contact [email protected].
Model inference and speech services run on additional providers — see Subprocessors for the full list and the region each operates in.
Encryption in transit and at rest
AES-256 at rest, TLS 1.3 in transit. Recordings, transcripts, PII — all encrypted by default.
Audit trails
Every API call, every config change, every data access — logged, immutable, exportable.
PII redaction
Auto-redact card numbers, SSNs, account IDs from transcripts. Custom regex for industry-specific patterns.
Role-based access
Granular permissions per user, per workspace. SSO via SAML or OIDC. SCIM provisioning for enterprise.
Beyond the certifications
Regulatory posture
The platform is built and operated around the regimes below. These are obligations we design for — distinct from the independently audited certifications above.
GDPR / ePrivacy
European Union & EEA
DPDP Act 2023
India
HIPAA
United States — BAAs available for PHI workloads
TRAI & RBI
India — telecom and financial communication
TCPA / FTC TSR
United States — telemarketing
Responsibility for consent, call intent, and audience sourcing sits with the customer. Our Consent & Legal Guidance sets out what that means in each region.
Reliability
System status
All systems operational
Monitored externally since 18 Jul 2026 · updated live
100%
Uptime · since monitoring began
Policies & agreements
Documentation
Privacy Policy
What we collect, why, and how it's used.
Data Processing Addendum
Our contractual data-protection commitments.
Subprocessors
Every third party that processes data on our behalf.
Data-flow map
How call and audience data moves through our subprocessors.
Security & trust
Encryption, access control, residency, and audit posture.
AI data use & retention
No training on your data, zero-retention model APIs, and deletion timelines.
Vulnerability Disclosure Policy
How to report a security issue — scope, safe harbor, and our response.
Consent & Legal Guidance
Regulatory obligations and consent requirements for voice campaigns.
Terms of Service
The agreement governing use of Finn.
Refund & Cancellation Policy
Eligibility, request process, and timelines.
System status
Live uptime and incident history.
Get in touch
Security contact
Report a security concern
If you believe you've found a vulnerability, email [email protected] with steps to reproduce, affected endpoints, and any supporting detail. We investigate every report and respond directly. Please give us a reasonable window to remediate before any public disclosure.
Security review or vendor onboarding
For security questionnaires, DPAs, company registration details, or documentation not published here, contact [email protected].
AIforge Tech Private Limited · CIN U62099RJ2025PTC099494 · Jaipur, Rajasthan, India
Get started
Hire Finn and scale with confidence.
Move from idea to live voice automation — securely, reliably, and without operational risk.
Fort-nightly Launches
We move quickly and get you what you need
Powerful Tools
Pre-built dashboards, reports, automations, more