Receive only necessary data
We first check whether names, addresses, contact details, free text, and full datasets can be removed. Small anonymized samples are preferred before bulk data.
Security & Data Handling
We define which data is handled, for what purpose, by whom, in which environment, and for how long. From mathematical prototypes to production operations, boundaries and responsibilities are agreed first and kept as reviewable evidence.
Our position
Security is not determined by a product name or a single feature. We design around data type, purpose, organization, operations, and subprocessors, then keep the implemented scope reviewable.
We first check whether names, addresses, contact details, free text, and full datasets can be removed. Small anonymized samples are preferred before bulk data.
Storage location, viewers, external services, AI use, retention, and deletion are agreed before data receipt or production transition.
Data flows, access rights, subprocessors, backup, deletion, and incident contacts are kept as artifacts that can be checked.
Data journey
The same data requires different controls for diagnosis, prototypes, and production operations. We separate what is received, what must be decided, and what evidence remains.
INTAKE
PROTOTYPE
DEVELOPMENT
OPERATION
DELETION
Security profile builder
This is a design aid for the first meeting, not an audit or guarantee. No contact details are required.
Step 01 / Data class
The draft is based on the category that needs the most careful handling. Multiple selections are allowed.
Step 02 / Delivery phase
Short validation and production operation require different controls even for the same data.
Step 03 / External processing
Cloud, mail, maps, analytics, and notification services are reviewed with the same data-flow thinking.
Step 04 / Operational needs
Multiple selections are allowed. Even uncertain items are included as meeting topics.
Design draft / not an audit
Start with minimum data, short retention, and a separated validation environment.
This is a preliminary design draft from the selected inputs. Final controls are decided after legal duties, contract terms, threats, cloud architecture, and operations are confirmed.
Control model
We reference the six NIST Cybersecurity Framework 2.0 functions as project review viewpoints. This is not a certification or full compliance claim.
Clarify owners, policy, contracts, subprocessors, and acceptable risk.
Example: responsibility table, service listUnderstand assets, data, dependencies, threats, and impact.
Example: data flow, asset registerDesign authentication, least privilege, encryption, secrets, and secure implementation.
Example: permission matrix, implementation checkDefine required logs, monitoring, alerts, and anomaly criteria.
Example: monitoring items, log retentionPrepare triage, containment, investigation, communication, and prevention.
Example: contact tree, first-response procedureDesign backup integrity, recovery order, business restart, and follow-up review.
Example: recovery runbook, test recordApplication security
We use OWASP ASVS 5.0 as a reference for security requirements and verification items. Review, automated checks, manual checks, and external testing are combined according to importance and budget.
Prototype vs production
This comparison shows design criteria to finalize per project, not fixed guarantees.
| Review item | P0 mathematical prototype | P1 production system |
|---|---|---|
| Purpose | Validate feasibility and metrics | Continuous business processing |
| Data volume | Prefer small, anonymized, necessary fields | Formally define required operational scope |
| Environment | Separate a short-term validation environment | Consider development, test, and production separation |
| Access | Limit to assigned people | Role permissions, authentication, reviews |
| External AI | Start from a design that does not send unnecessary data | Agree purpose, target, contract, settings, logs |
| Retention | Decide end date first | Consider purpose, law, operations, backups |
| Deletion | Confirm deletion or continued use after delivery | Design account exit, contract end, legal retention, backups |
| Recovery | Assess whether it can be recreated | Set recovery objectives and backup tests |
Shared responsibility
Cloud use does not automatically make everything safe, and a developer cannot manage every risk alone. We separate the roles of the customer, Finite Field, and services used.
Within the contracted scope, we handle system controls and development-time data handling.
Lawful data use, user and endpoint operations, and internal rules remain important customer responsibilities.
Physical facilities, platform services, and managed-service scope follow each service contract and shared responsibility model.
AI & third parties
When data goes to generative AI, maps, mail, analytics, notifications, payment, or other services, the purpose and scope are included in the data flow.
Do not send business data to external AI. Use ordinary algorithms, local processing, or fixed anonymized data.
First option to considerSend only agreed fields to agreed services after identifiers are removed. Check whether transfers can be recorded.
Requires anonymization and minimizationConfirm service terms, retention, region, reuse conditions, and permissions, then document target data.
Needs individual risk judgmentEXTERNAL SERVICE CHECK
Incident response
Before production operation, define event scope, contacts, first notice, containment, recovery, and prevention responsibilities.
Detect events from monitoring, user contact, or service notices.
Reduce spread and preserve necessary evidence.
Confirm affected data, cause, impact, and reporting need.
Contact stakeholders based on law, contract, and situation.
Recover after safety is confirmed and apply prevention.
Evidence pack
Depending on importance and contract scope, these artifacts can be created or updated. They are not all standard deliverables, so select what is needed during estimation.
Fields, purpose, sensitivity, location, owner.
Download CSV / 02Source, destination, purpose, method, subprocessor.
Download CSV / 03Role, environment, operation, approval, review.
Download CSV / 04Service, purpose, data, location, contract.
Download CSV / 05Reason, deadline, deletion method, evidence, exception.
Download CSV / 06Event class, primary contact, fallback, decision owner.
Download CSV / 07Target, recovery point, elapsed time, result, issue.
Download CSV / 08Design, implementation, testing, operation, exit handling.
Download CSV / 09Purpose, sent fields, retention, approval, stop procedure.
DownloadWe answer customer security check sheets after confirming actual practices and project scope. Not-yet-implemented items are stated as such, with alternatives separated.
References
We use laws, public guidelines, and open standards as references when selecting controls for a project. Referencing them is separate from claiming certification or full compliance.
Used as a basis for checking safety management measures, handling rules, organizational, human, physical, and technical measures, and external environments.
Open official sourceThe six functions are used as common language for risk and operational gaps.
Open official sourceUsed as a reference when organizing web and application security requirements and verification items.
Open official sourceThis page alone does not mean the following.
ISO/IEC 27001 certificationPrivacyMark certificationFull NIST CSF complianceOWASP ASVS certificationGuarantee of no incidentsSame controls for every projectFAQ
In principle, we first check whether validation can use minimized anonymized or pseudonymized samples. If real data is necessary, scope, storage, viewers, and deletion timing are agreed in advance.
External AI use, sent data, purpose, and retention are decided per project. A configuration that sends no business data to external AI can also be selected.
We check location requirements within the capabilities of the cloud or external services used. When cross-border transfer matters, services and data flows are made explicit.
Ownership, storage, access, backup, and deletion responsibilities are clarified according to contract, operating model, and maintenance scope.
This page does not claim a specific certification. Controls and review artifacts are defined per project, and customer check sheets can be answered when needed.
Contacts, event scope, first notice method, and update frequency are decided before production operation. Actual notices follow law, contract, and event details.
Necessity, legal requirements, access scope, storage, logs, deletion, and subprocessors must be checked. Stricter design is required and feasibility is decided per project.
Depending on target and required level, design review, automated checks, manual checks, and external specialists can be combined. Scope and deliverables are specified during estimation.
Next step
Before sending an entire workbook, you can start with column names or anonymized samples. We will sort out the required controls and development scope together.