<img alt="" src="https://secure.visionary-business-52.com/266244.png" style="display:none;">

The security of your personal data is central to everything we do at Figured.

We have put in place appropriate technical and operational measures to ensure the confidentiality, availability and integrity of your personal data at all times. Below is an overview of our approach to security at Figured. We're constantly improving our services and processes to protect your data and will update this page accordingly.


Security Compliance

Figured is currently both SOC 2 Type II, and SOC 3 compliant as of October 31, 2021.
Figured was assessed by A-LIGN and has achieved compliance with the following trust principals - Security, Availability and Confidentiality. Learn more.

If you would like a copy of our SOC 2 Type 2 or SOC 3 report, please drop us an email at privacy@figured.com.

phone-laptop copy

App Security

Software Development Lifecycle (SDLC)

Figured maintains documented SDLC policies and procedures to guide employees in documenting and implementing application and infrastructure changes. This includes secure development training, vulnerability scanning, code reviews as well as automated and manual testing.

Web Application and Network Firewalls

Web application and network firewalls are in place to protect the Figured application from attacks that may compromise the availability of the service. Figured also has multiple monitoring systems and alerts in place to detect and manage threats.

Two-factor Authentication

Two-factor authentication is required for all users in Figured. Learn more about setting it up here. For staff access to the Figured application and its supporting infrastructure, two-factor authentication is enforced.

lock-alt copy

Data Security

Hosting Provider

Figured uses Amazon Web Services (AWS) for cloud hosting. AWS is an industry leader and provides a highly scalable cloud computing platform with end-to-end security and privacy features built-in. AWS maintains SOC 2 and ISO 27001 certifications, among others. Learn more.

The Figured application and its data are hosted by AWS within the United States of America. For more information on international transfers see our Privacy Notice.


Figured has implemented an encryption policy that conforms to international encryption standards such as Transport Layer Security (TLS) and Advanced Encryption Standard (AES). Encryption keys and certificates are centrally managed and protected via secure management systems.

Data is encrypted both in transit and at rest. Customer passwords are hashed and salted; the salting applied is unique and random.


Figured complies with the data compliance requirements in locations where we operate. These include the New Zealand and Australian Privacy Acts as well as the General Data Protection Regulation (GDPR).  See our Privacy Notice for the full registry.

To learn more about Figured's approach to GDPR see our Help Centre.

house-flood copy

Operational security

Access Controls

Figured follows a role-based access control (RBAC) system and follows the principle of least privilege when granting employees access to systems. User access to systems is reviewed on a quarterly basis.

Business Continuity and Disaster Recovery

Figured has documented business continuity (BCP) and disaster recovery (DRP) plans which document defined procedures for managing and recover from significant events that could affect our ability to provide the service. These plans are tested and reviewed annually.

Incident Response Policy

An Incident management policy and process are in place to guide employees in reporting and responding to information technology incidents. Processes exist to identify, report and act upon system security and data breaches as well as other serious incidents.

file-search copy

Maintaining Security

Responsible Disclosure Policy

Figured supports the responsible disclosure of security vulnerabilities, as it is one of our top priorities to protect the privacy of our customer's data.

We ask that if external parties find any sensitive information, potential vulnerabilities and/or weaknesses that they please help by disclosing it to us in a responsible manner. Learn more.

Penetration Testing

Figured leverages 3rd party penetration testing firms to test our application annually. Our penetration testing provider is CREST certified.

Internal and External Audits

Figured carries out internal security checks on a quarterly basis. These checks include backup restoration tests, user access/endpoint protection reviews, password/key rotation, vulnerability scanning and security patching.

In order to maintain our SOC 2 compliance, we also undergo yearly external audits.

Useful Links

Terms of Use To view our full terms of use
Contact Us To start a conversation with the Figured Information Security Team, or to contact us for any other reason, please use the Chat bubble or email us at privacy@figured.com.


Privacy Notice For more information on how we process your personal data


Get in touch with Figured to get started

Get in touch