This policy outlines the security measures for NextG Ventures LLC, doing business as Talio, to protect sensitive financial data (including bank transactions and PII) processed by our personal finance and debt-management platform. It applies to all systems, including our MongoDB Atlas database and Plaid integration.
01 Data Encryption Standards
Data at Rest
All sensitive customer data, including bank account details and transaction history, shall be encrypted at rest using AES-256 encryption via MongoDB Atlas.
Data in Transit
All data moving between the user's device and our servers, and between our servers and Plaid, shall be encrypted in transit using TLS (HTTPS), configured in line with current industry practice.
Key Management
Encryption keys and API secrets (e.g., Plaid Client Secret) are never stored in source code. They are managed via a secure environment variable manager or AWS KMS.
02 Access Control & Identity
Multi-Factor Authentication (MFA)
MFA is strictly enforced for all administrative access to Google Cloud/AWS, MongoDB Atlas, GitHub, and the Plaid Dashboard.
Principle of Least Privilege
Access to production databases is strictly restricted. Third-party contractors shall not have access to raw PII without encrypted tunnels.
Password Policy
All internal account passwords must be generated and stored in a password manager (e.g., 1Password/Bitwarden) and be at least 14 characters long.
Access Review
Access permissions are reviewed regularly. Former employees or contractors have their access to systems and the Plaid Dashboard revoked immediately.
03 Vulnerability Management
Code Scanning
We use automated tools (e.g., GitHub Dependabot and Snyk) to scan for vulnerabilities in our dependencies before every deployment.
System Patching
Because our database is hosted on MongoDB Atlas, all underlying database security patches are managed automatically by the cloud provider.
04 Incident Response Plan
In the event of a suspected data breach, the following response steps will be immediately executed:
Identify & Isolate
Immediately identify and isolate the affected server, database, or compromised access key to prevent further unauthorized access.
Analysis
Conduct a thorough review to determine the scope of the breach, specifically checking if any Personally Identifiable Information (PII) or financial tokens were exposed.
Notification
Notify affected users and the Virginia Attorney General (as required by VA Code § 18.2-186.6) without unreasonable delay, and no later than 30 days after the discovery of the breach.
05 Physical Security
All hardware used for development and accessing production systems must have Full Disk Encryption (FileVault/BitLocker) enabled and be protected by biometric authentication or strong alphanumeric passwords.
06 Security Contact
For questions regarding this security policy, or to report a potential security vulnerability, please contact our team at:
Security email
support@talio.me