Legal
Last Updated: January 2, 2026
The Corelytics financial platform handles sensitive financial data for multiple companies. We have implemented enterprise-grade security that meets or exceeds industry standards. Your data is protected by the same security standards used by banks and financial institutions.
Your Sensitive Data
Your Privacy
Only authorized users from your company can access your data. Every user must log in with verified credentials, and each user can only see their own company's data. Even if someone knows your company ID, they cannot access your data without authentication. Our support team requires your explicit approval before accessing any account.
Site Administrators
Consultants
Company Users
MFA requires two steps to access your account: your password, and a unique 6-digit verification code from your smartphone that changes every 30 seconds. Even if someone obtains your password, they cannot access your account without your physical device.
What MFA Safeguards
Trusted Devices
On initial login, you may choose to trust your device for 180 days, skipping MFA on that device during that period. You can maintain up to 5 trusted devices, revoke any device at any time from your settings, and will receive an email notification whenever a new device is added.
Backup Access Codes
During MFA setup, you will receive 10 single-use backup codes. Store them securely — in a password manager or a safe place. If you lose access to your authenticator app, use a backup code to log in and contact our support team to reset MFA. Your data remains protected throughout the recovery process.
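The two MFA mechanisms described above, the 6-digit code that changes every 30 seconds and the 10 single-use backup codes, are shown below in an added example. This is illustrative code written for this page, not Corelytics' implementation: it assumes the standard TOTP construction (RFC 6238, HMAC-SHA1, 30-second step) with a one-step tolerance for clock drift, and a backup-code store that keeps only SHA-256 digests and deletes a code once it is redeemed. The secret and code values it works with are constructed for the demonstration.

```python
import hashlib
import hmac
import secrets
import struct
import time
from typing import List, Optional, Set

# Parameters stated on the page: 6-digit codes that rotate every 30 seconds.
DIGITS = 6
TIME_STEP = 30


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: Optional[float] = None, step: int = TIME_STEP) -> str:
    """RFC 6238 TOTP: HOTP whose counter is the number of 30-second steps since the epoch."""
    at = time.time() if at is None else at
    return hotp(secret, int(at // step))


def verify_totp(secret: bytes, submitted: str, at: Optional[float] = None, drift: int = 1) -> bool:
    """Accept the current code plus `drift` steps either side to tolerate clock skew.
    The comparison is constant-time so a wrong code does not leak how many digits matched."""
    at = time.time() if at is None else at
    counter = int(at // TIME_STEP)
    return any(
        hmac.compare_digest(hotp(secret, counter + d).encode(), submitted.encode())
        for d in range(-drift, drift + 1)
    )


class BackupCodes:
    """Single-use recovery codes. Only digests are stored; a redeemed code is deleted."""

    def __init__(self) -> None:
        self._hashes: Set[str] = set()

    @staticmethod
    def _digest(code: str) -> str:
        # Each code carries 40 bits of randomness, so a fast hash (not a slow
        # password hash) is adequate: it cannot be brute-forced from the digest.
        return hashlib.sha256(code.encode()).hexdigest()

    def issue(self, count: int = 10) -> List[str]:
        """Generate `count` codes; return them once for display, keep only digests."""
        codes = [secrets.token_hex(5) for _ in range(count)]  # 10 lowercase hex chars each
        self._hashes = {self._digest(c) for c in codes}
        return codes

    def redeem(self, code: str) -> bool:
        """Consume a code. Returns False for unknown or already-used codes."""
        h = self._digest(code.strip().lower())
        if h in self._hashes:
            self._hashes.remove(h)  # single use
            return True
        return False

    def remaining(self) -> int:
        return len(self._hashes)


if __name__ == "__main__":
    # Constructed demo: a fresh secret as an enrolment flow would generate it.
    demo_secret = secrets.token_bytes(20)
    print("current TOTP code:", totp(demo_secret))
    store = BackupCodes()
    print("backup codes (show once):", store.issue())
```

The test vectors in RFC 4226 and RFC 6238 (shared secret `12345678901234567890`) are the quickest way to confirm an implementation like this one before trusting it with real enrolments.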
All data is encrypted at every layer. Even if someone gains unauthorized database access, they see encrypted data — not your financial information.
| Threat | Our Protection |
|---|---|
| Unauthorized Access | Multi-factor authentication, JWT tokens |
| Brute Force Attacks | Rate limiting (5 attempts, then lockout) |
| Data Theft | Encryption in transit and at rest |
| SQL Injection | Input validation, parameterized queries |
| Cross-Site Scripting | Content Security Policy, input sanitization |
| DDoS Attacks | Rate limiting, CDN protection |
| Session Hijacking | Session fingerprinting, expiration |
We limit the number of requests that can be made to prevent abuse and automated attacks.
| Action | Limit | Purpose |
|---|---|---|
| Login attempts | 5 per 15 min | Prevent password guessing |
| Password resets | 3 per hour | Prevent email spam |
| API calls | 100 per minute | Prevent abuse |
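The limits in the table above can be enforced with a sliding-window counter, shown here as an added example rather than Corelytics' own code. It assumes the limits are keyed per action and per client identity (for logins, a constructed key of username plus source address), that a denied request is not itself counted so the lockout ends when the oldest attempt ages out, and that the caller supplies the clock so behaviour can be checked deterministically.

```python
import math
import time
from collections import defaultdict, deque
from typing import Deque, Dict, Optional, Tuple

# Limits taken from the table on this page: action -> (max requests, window in seconds).
LIMITS: Dict[str, Tuple[int, int]] = {
    "login": (5, 15 * 60),
    "password_reset": (3, 60 * 60),
    "api": (100, 60),
}


class SlidingWindowLimiter:
    """Keeps the timestamps of recent requests per (action, key) and allows a
    request only while fewer than `limit` of them fall inside the rolling window."""

    def __init__(self, limits: Dict[str, Tuple[int, int]] = LIMITS) -> None:
        self.limits = limits
        self._hits: Dict[Tuple[str, str], Deque[float]] = defaultdict(deque)

    def check(self, action: str, key: str, now: Optional[float] = None) -> Tuple[bool, int]:
        """Return (allowed, retry_after_seconds). A denied request is not recorded,
        so the caller is unblocked exactly when the oldest counted hit leaves the window."""
        now = time.time() if now is None else now
        limit, window = self.limits[action]
        hits = self._hits[(action, key)]
        while hits and hits[0] <= now - window:  # discard hits outside the window
            hits.popleft()
        if len(hits) >= limit:
            return False, math.ceil(hits[0] + window - now)
        hits.append(now)
        return True, 0


def login_key(username: str, client_ip: str) -> str:
    """Assumed keying: scope login limits to the account and the source address together,
    so one attacker cannot lock out an account from many addresses nor spray many accounts
    from one address without tripping the limit."""
    return f"{username.lower()}@{client_ip}"


if __name__ == "__main__":
    limiter = SlidingWindowLimiter()
    key = login_key("alice", "203.0.113.7")  # constructed sample values
    for t in range(6):
        allowed, retry = limiter.check("login", key, now=t)
        print(f"t={t:>3}s login attempt -> {'allowed' if allowed else f'locked out, retry in {retry}s'}")
```

On the wire the denial would be an HTTP 429 response carrying the `retry_after` value, and the denial itself should be written to the audit log described further down the page, since a burst of lockouts is the signal a password-guessing campaign leaves behind.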
Every action in the system is logged with a complete record for forensic investigation, compliance audits, and detection of suspicious activity.
| Standard | Scope |
|---|---|
| OWASP Top 10 | Security best practices |
| SOC 2 Type II | Enterprise security audit |
| GDPR | European data protection |
| HIPAA | Healthcare data protection |

Overall: A (95/100)
| Category | Score |
|---|---|
| Authentication | 100/100 |
| Authorization | 100/100 |
| Data Encryption | 95/100 |
| Audit Logging | 100/100 |
| Input Validation | 95/100 |
| Infrastructure | 90/100 |
Can employees see my data?
Only with your explicit permission. All access is logged.
What if there's a data breach?
We have an incident response plan. You'll be notified within 24 hours. All data is encrypted, minimizing exposure.
How do you prevent other companies from seeing my data?
Every request validates that the user owns the data they're requesting. Other companies' data is completely invisible.
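The answer above, together with the "parameterized queries" entry in the threat table earlier on the page, describes two checks that belong in the same place: the tenant filter and the parameter binding both live in the query itself. The following is an added example, not Corelytics' code; it uses an in-memory SQLite table with constructed invoice rows for two fictitious companies and assumes the company identifier comes from the authenticated session (set at login from the user record), never from the request.

```python
import sqlite3
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Session:
    user_id: int
    company_id: int  # fixed at login from the user record; never read from the request


class NotFound(Exception):
    """Raised for rows that do not exist *or* belong to another tenant: the
    caller cannot distinguish the two, so it cannot probe other companies' ids."""


def build_db() -> sqlite3.Connection:
    """Constructed sample data: company 10 and company 20 each own some invoices."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE invoices (
            id INTEGER PRIMARY KEY, company_id INTEGER NOT NULL,
            amount REAL NOT NULL, memo TEXT NOT NULL);
        INSERT INTO invoices VALUES
            (1, 10, 1200.00, 'Acme Q1'),
            (2, 10,   80.50, 'Acme Q2'),
            (3, 20, 9999.99, 'Globex confidential');
        """
    )
    return conn


def get_invoice(conn: sqlite3.Connection, session: Session, invoice_id: int) -> Tuple:
    """Tenant check inside the WHERE clause: a row from another company is simply not found."""
    row = conn.execute(
        "SELECT id, company_id, amount, memo FROM invoices WHERE id = ? AND company_id = ?",
        (invoice_id, session.company_id),
    ).fetchone()
    if row is None:
        raise NotFound(f"invoice {invoice_id}")
    return row


def search_invoices(conn: sqlite3.Connection, session: Session, memo_term: str) -> List[Tuple]:
    """Parameterized search scoped to the session's company. The term is bound as data,
    so quotes in it are literal characters; LIKE wildcards only widen the match within
    the tenant's own rows."""
    return conn.execute(
        "SELECT id, amount, memo FROM invoices WHERE company_id = ? AND memo LIKE ?",
        (session.company_id, f"%{memo_term}%"),
    ).fetchall()


def search_invoices_unsafe(conn: sqlite3.Connection, session: Session, memo_term: str) -> List[Tuple]:
    """The anti-pattern the page's 'SQL Injection' row guards against: string formatting
    puts user input into the SQL text. Kept here only to contrast with the version above;
    even an innocent apostrophe breaks the statement."""
    sql = (
        f"SELECT id, amount, memo FROM invoices "
        f"WHERE company_id = {session.company_id} AND memo LIKE '%{memo_term}%'"
    )
    return conn.execute(sql).fetchall()


if __name__ == "__main__":
    db = build_db()
    acme = Session(user_id=1, company_id=10)
    print("acme sees:", search_invoices(db, acme, "Acme"))
    try:
        get_invoice(db, acme, 3)
    except NotFound as exc:
        print("acme asking for Globex's invoice ->", exc)
```

Returning the same "not found" for a foreign row as for a non-existent one is deliberate: a distinct "forbidden" response would confirm that the id exists, which is the enumeration foothold the FAQ answer is promising to deny.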
What happens if I forget my password?
Secure password reset via email. The reset token expires in 15 minutes and the process is rate limited to prevent abuse.
Can you see my passwords?
No. Passwords are one-way hashed. Even we cannot decrypt them.
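The two answers above, the 15-minute single-use reset token and the one-way password hash that not even the operator can reverse, are demonstrated together in this added example. It is not Corelytics' code: it assumes PBKDF2-HMAC-SHA256 with a per-password random salt as the one-way hash, and a reset-token store that keeps only a digest of the emailed token together with its expiry, so a copy of the database yields neither passwords nor usable reset links. User names and clock values are constructed for the test.

```python
import hashlib
import hmac
import os
import secrets
import time
from typing import Dict, Optional, Tuple

RESET_TOKEN_TTL = 15 * 60       # page: reset token expires in 15 minutes
PBKDF2_ITERATIONS = 600_000     # assumed work factor; raise as hardware improves


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """One-way, salted, slow hash. The stored string carries its own parameters so
    the work factor can be raised later without rehashing everyone at once."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS, dklen=32)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iterations; compare in constant time."""
    algorithm, iterations, salt_hex, dk_hex = stored.split("$")
    if algorithm != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations), dklen=32)
    return hmac.compare_digest(dk.hex(), dk_hex)


class ResetTokens:
    """Single-use, time-limited password reset tokens. The plaintext token is only ever
    in the e-mail; the store holds sha256(token) -> (user, expiry)."""

    def __init__(self) -> None:
        self._pending: Dict[str, Tuple[str, float]] = {}

    @staticmethod
    def _digest(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user: str, now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # 256 bits of randomness, unguessable
        self._pending[self._digest(token)] = (user, now + RESET_TOKEN_TTL)
        return token  # goes into the reset e-mail, nowhere else

    def redeem(self, token: str, now: Optional[float] = None) -> Optional[str]:
        """Return the user a valid token belongs to, or None. Pop first so a token
        is consumed whether or not it turns out to be expired."""
        now = time.time() if now is None else now
        entry = self._pending.pop(self._digest(token), None)
        if entry is None:
            return None
        user, expires_at = entry
        return user if now < expires_at else None


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print("stored:", record)
    print("login ok:", verify_password("correct horse battery staple", record))
    tokens = ResetTokens()
    link_token = tokens.issue("alice")  # constructed user
    print("reset for:", tokens.redeem(link_token))
    print("replay:", tokens.redeem(link_token))
```

Two details carry the FAQ's guarantees: the per-password salt means two users with the same password get different records, so nothing about one reveals the other, and hashing the reset token before storage means a database read does not hand out a working reset link.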
What if someone steals my session token?
Session fingerprinting detects usage from different devices. Tokens expire after 8 hours.
How do I know my data is not being accessed inappropriately?
Check your company's audit log. Every access is recorded with a timestamp, user, and IP address.
For security inquiries or to report a vulnerability, contact us at support@corelytics.com.