Responsible Disclosure Policy

Finiti Legal Technologies Inc.

Last updated: May 19, 2026 · Version 1.0

Our commitment

The security of our customers — and the confidentiality of the matters they entrust to our platform — is fundamental to Finiti. We welcome reports from the security research community, our customers, and the public about vulnerabilities in our services. This policy explains how to report a vulnerability, what you can expect from us, and the protections we extend to researchers acting in good faith.


Scope

This policy applies to vulnerabilities discovered in:

• The Finiti web application and customer-facing APIs hosted at *.finiti.legal

• The Finiti deployment templates and infrastructure-as-code published by Finiti

• The finiti.legal marketing and documentation sites

• Mobile or desktop clients distributed by Finiti, if and when released


Out of scope

The following are not in scope and should not be tested:

• Customer-tenant deployments hosted in a customer's own cloud subscription — these belong to the customer; report any concern about a customer environment to that customer directly, not to Finiti

• Third-party services Finiti integrates with (e.g. Microsoft Azure, identity providers, sub-processors)

• Findings that require physical access to Finiti staff, offices, or facilities

• Findings derived from social engineering of Finiti employees, contractors, or customers

• Denial-of-service, volumetric, brute-force, or resource-exhaustion attacks

• Reports of missing security headers, SPF/DKIM/DMARC, TLS configuration, or other best-practice issues without a demonstrable security impact

• Findings already known to Finiti or publicly disclosed

• Issues in software end-of-lifed by the upstream vendor


Rules of engagement

When testing in-scope assets, you must:

• Only interact with accounts you own or have explicit permission to access

• Stop testing immediately and notify us if you encounter customer data, personally identifiable information, or privileged legal content

• Not modify, exfiltrate, retain, or destroy data that does not belong to you

• Not perform any action that could degrade, disrupt, or interrupt the service for other users

• Use the lowest-privileged proof-of-concept necessary to demonstrate the vulnerability

• Keep details of the vulnerability confidential until Finiti has confirmed remediation, or until the coordinated-disclosure window has elapsed


How to report

Send vulnerability reports to security@finiti.legal. If you need to send sensitive material encrypted, contact us first and we will arrange a secure channel.

A useful report includes:

• A clear description of the vulnerability and its potential impact

• The affected URL, endpoint, parameter, or component

• Step-by-step reproduction instructions, including any payloads

• Screenshots, request/response captures, or proof-of-concept code where helpful

• Your name and how you would like to be credited (optional)

If you believe a report contains information that should be treated as confidential under attorney-client privilege or another legal protection, please flag that in your initial message.


What you can expect from us

• Acknowledgement of your report: within 1 business day

• Initial triage and severity assessment: within 5 business days

• Status updates on remediation: at least every 14 days until resolved

• Coordinated disclosure window (default): 90 days from triage, adjustable by mutual agreement

We will:

• Validate the report and confirm severity using CVSS v3.1 plus context (asset criticality, customer exposure, exploitability)

• Keep you informed of meaningful progress

• Notify you when the vulnerability has been remediated

• Coordinate any public disclosure timing with you


Safe harbor

If you make a good-faith effort to comply with this policy during your security research, Finiti will:

• Consider your research to be authorised under the U.S. Computer Fraud and Abuse Act (CFAA), the Digital Millennium Copyright Act (DMCA), and equivalent laws in other jurisdictions

• Not pursue or support legal action against you for accidental, good-faith violations of this policy

• Work with you to understand and resolve the issue quickly

• If a third party initiates legal action against you for research conducted in accordance with this policy, make this authorisation known and take reasonable steps to assist

This safe harbor does not apply to activities outside the scope of this policy or that violate applicable law.


Public recognition

With your permission, we are happy to credit researchers whose reports lead to a confirmed fix in our release notes or security communications. We do not currently offer monetary rewards.


Coordinated disclosure

Finiti follows coordinated disclosure principles. We ask that researchers refrain from public disclosure until either:

• A remediation has been deployed, or

• The 90-day coordinated-disclosure window has elapsed, or

• Finiti and the researcher have agreed to a different timeline

If a vulnerability presents an active and material risk to customers, we may shorten this window and coordinate notification with affected customers.


Customer reports

Finiti customers who suspect a security issue in their deployed environment should:

• Contact their named Customer Success contact at Finiti

• In parallel, raise a ticket via the customer support portal

• For incidents involving suspected unauthorized access to customer data, Finiti will follow the contractual incident-notification timelines in the Master Subscription Agreement

This responsible-disclosure inbox is intended for vulnerability reports, not for live incident response.


Updates to this policy

We will update this policy as our service evolves. The version and effective date appear at the top of this page.

Contact

Email: security@finiti.legal

Machine-readable: https://finiti.legal/.well-known/security.txt (RFC 9116)

Frequently Asked Questions

What is Finiti Legal?

How do you protect sensitive client data?

Finiti AI operates entirely within a dedicated Azure subscription configured for SOC 2 Type II compliance* and following a strict multi-tenant SaaS isolation model. Every firm’s documents are uploaded to an AES-256-encrypted Azure Blob container created just for that tenant, while embeddings and workflow records are saved in Cosmos DB containers partitioned by tenant, ensuring queries and access stay tenant-scoped. All data remains in the Azure region you choose, traveling over TLS 1.3 between the browser, front-end, orchestrator, and agents, and never crossing regional boundaries. Role-based access control is enforced through your own single-sign-on provider using Azure Entra B2B, and service principals are locked down with least-privilege roles. Calls to Azure OpenAI are issued with “no-train” and ephemeral-log settings, so nothing you share is used to tune or retrain the underlying models. In short, Finiti AI keeps each client’s data segregated, encrypted, and under your control throughout its lifecycle.

*SOC 2 certification is pending completion of the required observation window.

Does Finiti support Single Sign-On (SSO) and Multi-Factor Authentication (MFA)?

Yes—Finiti supports both SSO and MFA for secure enterprise access.

Can I have a trial before full deployment?

Yes, we offer a secure pilot program where you can test Finiti with a subset of your documents. You can start with a single practice group or matter to evaluate the platform's capabilities with your actual securities work.

What makes Finiti different from other legal AI tools?

Finiti is focused on capital markets execution, not just document drafting. It connects drafting, verification, collaboration, and filing in one flow, with legal-grade precision and security.

Can I just do this manually or with ChatGPT?

Not at this speed, ease of use and level of accuracy. Finiti understands filing formatting, workflows, and disclosure requirements—so you don’t waste time prompting or cleaning up generic AI output.

Does Finiti support global jurisdictions?

Please reach out to our team on your jurisdiction.

How does Finiti Legal work?

Finiti uses domain-specific legal AI models trained on real transaction data. It compares drafts to market precedent, auto-generates content like director bios, item 1.01 disclosure or risk factors, and keeps information synced across documents.

How does Finiti get my company’s information? Do I have to input everything?

Finiti pulls from structured deal data and prior filings. You can upload, paste, or prompt the AI with your instructions; once entered, our AI tools find the relevant deal context through a proprietary technology to ensure your filing is accurate and free of hallucination.

Will you complete my CISO’s security questionnaire?

Yes—we’re happy to complete your firm’s security review process.

What LLM does Finiti use? Do they retain my data?

Finiti uses a combination of commercial and proprietary models fine-tuned for legal transactions. We layer legal-specific context on top of base LLMs to ensure accuracy and relevance. None of these providers can access, train on, or retain your data.

Can non-lawyers in my team use Finiti?

Yes—analysts, paralegals, and other team members can use Finiti to streamline workflows, populate data, or help coordinate filings.

Can I buy Finiti for my whole team?

Absolutely. We offer team plans with admin controls, user permissions, and centralized data management.

Regulatory compliance layer for public companies and registered funds.

Built for lean teams.

© 2026 Finiti. All rights reserved.