
Fiskl Trust Center

The Fiskl Trust Center sets out Fiskl’s security, availability, insurance, and compliance posture in one place. It is designed for use by:

  • enterprise customers and their procurement, security, and risk teams;
  • accountancy firms and partners conducting third-party risk assessments;
  • banks, payment processors, and other commercial partners;
  • regulators and auditors with a legitimate basis for review.

Fiskl publishes this Trust Center to provide transparency about how we protect Customer Data and how we operate the Fiskl Platforms. This document is incorporated by reference into the Customer Terms of Service and is updated as our programme evolves.

For requests not addressed below, contact trust@fiskl.com. For data protection matters, contact dpo@fiskl.com.

1. Information security programme

Fiskl operates an Information Security Management System (ISMS) aligned with industry-standard frameworks. The ISMS covers:

  • governance, roles, and responsibilities;
  • risk assessment and risk register management;
  • access control, identity, and authentication;
  • data protection and privacy;
  • secure development lifecycle;
  • vendor and Sub-processor management;
  • incident detection and response;
  • business continuity and disaster recovery;
  • physical and environmental security (for cloud-based infrastructure, supplied by AWS and Google Cloud);
  • personnel security, training, and awareness;
  • compliance and audit.

The ISMS is reviewed by Fiskl management and updated as the business and threat landscape evolve.

2. Certifications and attestations

Fiskl is committed to obtaining and maintaining third-party attestations appropriate to its customer base:

| Attestation | Status |
|---|---|
| SOC 2 Type II | Targeted by end of Q4 2026. Engagement scoped against an enterprise-grade auditor in 2026 |
| ISO 27001 | Roadmap; pursued in parallel with SOC 2 Type II |
| GDPR / UK GDPR compliance programme | In place; documented in the Privacy Policy and DPA |
| PCI DSS | Not applicable — Fiskl does not handle cardholder data directly; payment-card data is handled by Stripe (PCI DSS Level 1 certified) and other payment processors |

Where a customer’s procurement process requires SOC 2 Type II or ISO 27001 attestation as a condition of engagement, Fiskl engages with the customer on the timeline and scope.

3. Technical and organisational measures

The technical and organisational measures supporting the Fiskl Platforms are set out in detail in Annex II of the Data Processing Addendum (DPA) at https://fiskl.com/legal/data-processing-addendum/. Highlights:

  • TLS 1.2+ encryption in transit; AES-256 encryption at rest
  • Multi-region cloud infrastructure on AWS and Google Cloud
  • Logical separation of customer environments
  • Role-based access control with least-privilege defaults
  • AWS Cognito for the Atlas accountant portal authentication layer (with multi-factor authentication options)
  • Self-hosted authentication for non-Atlas customers
  • Cloudflare for DDoS protection, web application firewall, and bot protection
  • Vulnerability scanning, penetration testing, and secure software development lifecycle
  • Background checks and confidentiality obligations for personnel
  • Documented incident response plan
  • AI Provider contractual obligations prohibiting training on Customer Data and limiting data retention

4. Service availability

4.1 Target availability

Fiskl targets 99.9% monthly availability for the production Service, measured at the application layer and excluding scheduled maintenance windows and force majeure events.

4.2 Scheduled maintenance

Scheduled maintenance is performed during low-usage windows. Customers are notified in advance for any maintenance expected to materially affect the Fiskl Platforms.

4.3 Historical availability

Recent availability metrics are published at https://status.fiskl.com (when available) or are provided on request to enterprise customers.

4.4 Service Level Agreement (SLA)

A contractually binding SLA with credits, covering availability, response times for severity-graded incidents, and support obligations, is available for qualifying Subscription tiers under an Order Form.

5. Insurance

Fiskl maintains a comprehensive insurance programme placed through a UK FCA-regulated coverholder, CFC Underwriting Limited, a recognised Lloyd’s-of-London coverholder for technology insurance, with cover written by Lloyd’s syndicates and other regulated insurers including Zurich Insurance, Markel International Insurance, HDI Global Speciality SE, and Everest Insurance, on the CFC Technology (GB) policy wording.

The programme provides worldwide territorial scope (including the United States) and includes the following cover types:

  • Professional Liability (Errors and Omissions) — covering negligent acts, errors and omissions; breach of contract; sub-contractor vicarious liability; intellectual property infringement and defamation; regulatory costs and fines; dishonesty of employees; and payment of withheld fees;
  • Network Security and Privacy Liability — covering network security liability; privacy liability; management liability arising from cyber events; regulatory investigation costs; and PCI fines, penalties, and assessments;
  • Cyber Incident Response — including 24/7 incident-response hotline access to CFC Response (the panel breach-response provider), with cover for incident response costs, legal and regulatory costs, IT security and forensic costs, crisis communication costs, and privacy breach management costs (first-party and third-party);
  • System Damage and Business Interruption — for cyber-event-driven business interruption, including direct loss of profits, increased cost of working, dependent business interruption, consequential reputational harm, and hardware replacement;
  • Public and Products Liability;
  • Personal and Advertising Injury;
  • Pollution Liability;
  • Employee Crime (internal and external theft);
  • Cyber Extortion;
  • Loss Mitigation;
  • Reputation and Brand Protection;
  • Employers’ Liability (UK statutory);
  • Directors and Officers / Management Liability (placed through a separate Management Liability package).

The programme operates on a claims-made basis (standard for professional and cyber cover) with retroactive cover dating back several years. Cover is reviewed at each annual renewal with the broker.

Specific cover limits, deductibles, named insurers, retroactive dates, and policy wording are not published but are available to qualifying customers in a Certificate of Insurance under non-disclosure terms. Requests should be sent to trust@fiskl.com.

Cyber incident response hotline: in the event of a customer-affecting cyber incident, Fiskl operates a documented incident response process aligned with section 9 of the DPA. CFC Response is engaged as the panel provider for breach-response services.

6. Sub-processor management

Fiskl engages Sub-processors only where necessary to deliver the Fiskl Platforms. Each Sub-processor is contractually bound by data protection obligations no less protective than those Fiskl owes to the Customer.

The current list of Sub-processors is at https://fiskl.com/legal/fiskl-subprocessors/. The list is updated when Sub-processors are added, removed, or replaced. Customers may subscribe to Sub-processor change notifications by emailing dpo@fiskl.com.

7. Incident response and breach notification

Fiskl maintains a documented incident response plan covering detection, triage, containment, eradication, recovery, and post-incident review. Where a Personal Data Breach occurs:

  • Fiskl notifies affected Customers without undue delay and, where reasonably practicable, within 48 hours of becoming aware (as set out in section 9 of the DPA);
  • the notification includes the nature of the breach, categories and approximate numbers of data subjects and records concerned, likely consequences, and remediation measures;
  • Fiskl cooperates with the Customer to support the Customer’s own breach-notification obligations to supervisory authorities and data subjects.

8. Business continuity and disaster recovery

Fiskl operates business continuity and disaster recovery arrangements covering:

  • multi-region cloud infrastructure with failover capability
  • regular backups, encrypted at rest, with tested restoration procedures
  • documented BCP and DR plans, periodically reviewed and updated
  • recovery time objectives (RTO) and recovery point objectives (RPO) appropriate to the criticality of the Fiskl Platforms

Specific RTO/RPO targets are available to qualifying customers under non-disclosure.

9. Personnel security

Fiskl personnel:

  • are subject to background checks where lawful in the relevant jurisdiction
  • enter into confidentiality and data protection commitments
  • complete mandatory information security and privacy training, refreshed annually
  • are subject to defined onboarding and offboarding procedures, including timely revocation of access on departure
  • are granted access on a least-privilege, need-to-know basis with regular review

10. Banking and payment partner due diligence

Fiskl integrates with regulated banking aggregators (Yodlee, Salt Edge, WIO Bank) and payment processors (Stripe, GoCardless, PayPal). Each partner is independently regulated and subject to its own security and compliance obligations:

  • Yodlee — SOC 1, SOC 2, ISO 27001, ISO 27018 (Envestnet | Yodlee programme)
  • Salt Edge — ISO 27001 certified; PSD2-licensed AISP
  • Stripe — PCI DSS Level 1 Service Provider; SOC 1, SOC 2 Type II
  • WIO Bank — UAE Central Bank-licensed digital bank with applicable banking regulator security obligations
  • GoCardless — FCA-authorised; ISO 27001
  • PayPal — PCI DSS Level 1 Service Provider

Fiskl conducts due diligence on partners before engagement and reviews them periodically.

11. AI Provider obligations

Fiskl uses AI Providers (Anthropic, Google Gemini/Vertex AI, AWS Bedrock) for inference and Fiskl-Exclusive Model fine-tuning. Each AI Provider is contractually:

  • prohibited from using Customer Data to train its own general-purpose models;
  • prohibited from retaining Customer Data beyond the period necessary to deliver the contracted service;
  • prohibited from disclosing Customer Data to any further third party except as required by law.

Fiskl also operates proprietary self-built AI models trained on its own infrastructure. See section 8 of the Customer Terms of Service and the Subprocessors page for full detail.

12. Regulatory and legal compliance

Fiskl operates in compliance with:

  • UK GDPR and the Data Protection Act 2018
  • EU GDPR
  • US state privacy laws (CCPA/CPRA and equivalents)
  • LGPD (Brazil), PIPEDA (Canada), POPIA (South Africa), PDPA (Singapore), UAE PDPL, India DPDP Act, and other applicable data protection laws (see Privacy Policy section 17)
  • UK Bribery Act 2010 and equivalent anti-bribery laws
  • UK and EU sanctions regimes; US OFAC sanctions where applicable
  • UK Modern Slavery Act 2015 (statement available on request)
  • applicable anti-money-laundering and counter-terrorist-financing laws as relevant to Fiskl’s role as a SaaS provider (Fiskl is not a regulated financial institution)

13. Independent assurance

Fiskl supports customer-led assurance activities including:

  • security questionnaires (SIG, CAIQ, custom enterprise questionnaires)
  • vendor risk assessments
  • audit rights as set out in section 8 of the DPA
  • access to third-party attestation reports under NDA where available

14. Contact

| Topic | Email |
|---|---|
| Trust Center, security questionnaires, certificates of insurance | trust@fiskl.com |
| Data protection and DPO matters | dpo@fiskl.com |
| Privacy questions | privacy@fiskl.com |
| Legal notices | legal@fiskl.com |
| General support | support@fiskl.com |

Fiskl Limited
6A Thirlmere Road
London, N10 2DN
United Kingdom
Company number: 09330290

This Trust Center is published as part of Fiskl’s v2026 legal stack refresh and is updated as the security, certification, and operational programme evolves.

Effective: 15 March 2026


Copyright © 2026 Fiskl Limited · Fiskl Limited is registered in England and Wales (No. 09330290). All rights reserved.
