Finite Field

Security & Data Handling

Handle entrusted data
without ambiguity.

We define which data is handled, for what purpose, by whom, in which environment, and for how long. From mathematical prototypes to production operations, boundaries and responsibilities are agreed first and kept as reviewable evidence.

We do not claim perfect safety. This page does not claim a certification. Project-specific agreements come first.
DATA CONTROL PLANEPROJECT / 001
01CustomerSource data and business rules
Minimum needed
02FINITE FIELDDesign, development, verification
Agreed scope
03Services usedCloud and external integrations
PurposeDefined in advance
AccessLimited to necessary people
StorageLocation and period agreed
DeletionMethod and evidence decided
DESIGN BEFORE TRANSFERReceive after boundaries are set
SCROLL

Our position

We publish decision material, not vague reassurance.

Security is not determined by a product name or a single feature. We design around data type, purpose, organization, operations, and subprocessors, then keep the implemented scope reviewable.

01 / Minimize

Receive only necessary data

We first check whether names, addresses, contact details, free text, and full datasets can be removed. Small anonymized samples are preferred before bulk data.

02 / Boundary

Define boundaries before transfer

Storage location, viewers, external services, AI use, retention, and deletion are agreed before data receipt or production transition.

03 / Evidence

Leave reviewable artifacts

Data flows, access rights, subprocessors, backup, deletion, and incident contacts are kept as artifacts that can be checked.

What we publishPolicy, design items, and reviewable artifacts
What each project decidesSpecific services, permissions, retention, and test scope
What we do not publishSecrets or detailed settings that could help an attacker

Data journey

Decide each stage from receipt to deletion.

The same data requires different controls for diagnosis, prototypes, and production operations. We separate what is received, what must be decided, and what evidence remains.

INTAKE

Start with explanation materials and anonymized samples.

Prefer low handling volume

Examples received

  • Current spreadsheet columns
  • A few fictional or anonymized rows
  • Business rules and pain points
  • Metrics to improve

Decide in advance

  • Whether real names are necessary
  • How attachments are sent
  • Who handles the consultation
  • Retention after consultation

Artifacts kept

  • Received data list
  • Purpose memo
  • Deletion target date
  • Open questions

Security profile builder

Organize a project-specific design draft in about two minutes.

This is a design aid for the first meeting, not an audit or guarantee. No contact details are required.

Step 01 / Data class

Select data that may be handled

The draft is based on the category that needs the most careful handling. Multiple selections are allowed.

Control model

Cover detection, response, and recovery, not only prevention.

We reference the six NIST Cybersecurity Framework 2.0 functions as project review viewpoints. This is not a certification or full compliance claim.

GV

Govern

GOVERN

Clarify owners, policy, contracts, subprocessors, and acceptable risk.

Example: responsibility table, service list
ID

Identify

IDENTIFY

Understand assets, data, dependencies, threats, and impact.

Example: data flow, asset register
PR

Protect

PROTECT

Design authentication, least privilege, encryption, secrets, and secure implementation.

Example: permission matrix, implementation check
DE

Detect

DETECT

Define required logs, monitoring, alerts, and anomaly criteria.

Example: monitoring items, log retention
RS

Respond

RESPOND

Prepare triage, containment, investigation, communication, and prevention.

Example: contact tree, first-response procedure
RC

Recover

RECOVER

Design backup integrity, recovery order, business restart, and follow-up review.

Example: recovery runbook, test record

Application security

For web and apps, check from design through operation.

We use OWASP ASVS 5.0 as a reference for security requirements and verification items. Review, automated checks, manual checks, and external testing are combined according to importance and budget.

  1. 01Requirements and threatsOrganize data, permissions, attack surface
  2. 02ImplementationAuthentication, input, secrets, dependencies
  3. 03VerificationReview, testing, configuration check
  4. 04OperationMonitoring, updates, permissions, recovery

Prototype vs production

We do not treat prototypes and production the same.

This comparison shows design criteria to finalize per project, not fixed guarantees.

Review itemP0 mathematical prototypeP1 production system
PurposeValidate feasibility and metricsContinuous business processing
Data volumePrefer small, anonymized, necessary fieldsFormally define required operational scope
EnvironmentSeparate a short-term validation environmentConsider development, test, and production separation
AccessLimit to assigned peopleRole permissions, authentication, reviews
External AIStart from a design that does not send unnecessary dataAgree purpose, target, contract, settings, logs
RetentionDecide end date firstConsider purpose, law, operations, backups
DeletionConfirm deletion or continued use after deliveryDesign account exit, contract end, legal retention, backups
RecoveryAssess whether it can be recreatedSet recovery objectives and backup tests

Shared responsibility

Separate who protects what before contract.

Cloud use does not automatically make everything safe, and a developer cannot manage every risk alone. We separate the roles of the customer, Finite Field, and services used.

OUR SCOPE

Design, implementation, and development operations

Within the contracted scope, we handle system controls and development-time data handling.

  • Data flow and permission design
  • Secure application implementation
  • Secrets and development environment management
  • Agreed testing and review
  • Monitoring, updates, and response within maintenance scope
Items to make explicit in the contractOperatorMonitoring hoursBackupRecovery workInquiriesEnd-of-use handling

AI & third parties

Do not make external AI an invisible subprocessor.

When data goes to generative AI, maps, mail, analytics, notifications, payment, or other services, the purpose and scope are included in the data flow.

MODE 00

Do not send

Do not send business data to external AI. Use ordinary algorithms, local processing, or fixed anonymized data.

First option to consider
MODE A1

Send limited data

Send only agreed fields to agreed services after identifiers are removed. Check whether transfers can be recorded.

Requires anonymization and minimization
MODE C2

Send within approval

Confirm service terms, retention, region, reuse conditions, and permissions, then document target data.

Needs individual risk judgment

EXTERNAL SERVICE CHECK

What to confirm per external service

  1. 01Data sentFields, frequency, volume
  2. 02PurposeProcessing, notification, analysis
  3. 03Retention and reuseStorage, learning, logs
  4. 04Location and subprocessorsCountry, region, supply chain
  5. 05Stop and deleteEnd-of-use handling

Incident response

Plan what happens if an incident occurs.

Before production operation, define event scope, contacts, first notice, containment, recovery, and prevention responsibilities.

01

Detect and receive

Detect events from monitoring, user contact, or service notices.

02

Contain

Reduce spread and preserve necessary evidence.

03

Analyze and decide

Confirm affected data, cause, impact, and reporting need.

04

Communicate and respond

Contact stakeholders based on law, contract, and situation.

05

Recover and improve

Recover after safety is confirmed and apply prevention.

Before productionEmergency contact
Before productionEvent scope
Before productionFirst notice path
Project designMonitoring and response hours
Law and contractNotification and reporting

References

References and what we do not claim.

We use laws, public guidelines, and open standards as references when selecting controls for a project. Referencing them is separate from claiming certification or full compliance.

JAPAN / PRIVACY

Japan privacy law and PPC guidelines

Used as a basis for checking safety management measures, handling rules, organizational, human, physical, and technical measures, and external environments.

Open official source
RISK / MANAGEMENT

NIST Cybersecurity Framework 2.0

The six functions are used as common language for risk and operational gaps.

Open official source
APPLICATION / VERIFICATION

OWASP ASVS 5.0

Used as a reference when organizing web and application security requirements and verification items.

Open official source

This page alone does not mean the following.

ISO/IEC 27001 certificationPrivacyMark certificationFull NIST CSF complianceOWASP ASVS certificationGuarantee of no incidentsSame controls for every project

FAQ

Common questions about data handling.

Do diagnosis or prototypes require production data?

In principle, we first check whether validation can use minimized anonymized or pseudonymized samples. If real data is necessary, scope, storage, viewers, and deletion timing are agreed in advance.

Do you send data to external generative AI?

External AI use, sent data, purpose, and retention are decided per project. A configuration that sends no business data to external AI can also be selected.

Can storage country or region be selected?

We check location requirements within the capabilities of the cloud or external services used. When cross-border transfer matters, services and data flows are made explicit.

What happens to data and source code after delivery?

Ownership, storage, access, backup, and deletion responsibilities are clarified according to contract, operating model, and maintenance scope.

Do you hold a security certification?

This page does not claim a specific certification. Controls and review artifacts are defined per project, and customer check sheets can be answered when needed.

When are incidents communicated?

Contacts, event scope, first notice method, and update frequency are decided before production operation. Actual notices follow law, contract, and event details.

Can you handle medical, care, or other sensitive data?

Necessity, legal requirements, access scope, storage, logs, deletion, and subprocessors must be checked. Stricter design is required and feasibility is decided per project.

Can we request security testing or vulnerability assessment?

Depending on target and required level, design review, automated checks, manual checks, and external specialists can be combined. Scope and deliverables are specified during estimation.

Next step

First, separate the data that can be shared from data that should stay out.

Before sending an entire workbook, you can start with column names or anonymized samples. We will sort out the required controls and development scope together.

Start the diagnosis Discuss data handling Please confirm the transfer method before sending confidential information.
FreeDraft a security profile