1. Purpose
This policy establishes the framework Finance AI (“the Company”) uses to identify, assess, mitigate, and continuously monitor information security risks across all systems, data, and processes. It applies to all employees, contractors, and third-party service providers who access Company information assets.
2. Scope
This policy covers all information assets owned or managed by the Company, including but not limited to:
- Cloud infrastructure and application services (Vercel, Neon PostgreSQL)
- User data, including financial data obtained via Plaid
- Authentication and identity systems
- Third-party integrations (Plaid, Stripe, OpenAI)
- Employee and contractor endpoints used to access Company systems
3. Risk Identification & Assessment
The Company performs risk assessments on at least an annual basis, and additionally when significant changes are made to the application, infrastructure, or vendor relationships. The assessment process includes:
- Identification of information assets and their classification by sensitivity (public, internal, confidential)
- Threat modeling for key application flows, particularly those involving financial data ingestion and storage
- Evaluation of likelihood and impact for identified threats, producing a prioritized risk register
- Review of third-party vendor security posture and SOC 2/ISO 27001 certifications where available
4. Risk Mitigation Controls
4.1 Access Control
- All user authentication is handled via NextAuth, supporting Google OAuth and email/password credentials; passwords are stored only as bcrypt hashes
- Session management uses signed JWTs with secure, HTTP-only cookies
- All data queries are scoped to the authenticated user’s ID, enforcing tenant isolation at the data layer
- Administrative access to production infrastructure requires multi-factor authentication
4.2 Data Protection
- All data in transit is encrypted via TLS 1.2+ (enforced by Vercel and Neon)
- Data at rest is encrypted using AES-256 (Neon-managed encryption)
- Sensitive credentials (Plaid access tokens) are encrypted at the application layer using a dedicated encryption key before database storage
- Environment secrets are stored in Vercel’s encrypted environment variable store and are never committed to source control
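As an added example (not Finance AI's own code) of the application-layer encryption of Plaid access tokens in 4.2, combined with the per-user scoping in 4.1: each token is sealed with AES-256-GCM under a dedicated key, with the owning user's ID bound in as authenticated data so a ciphertext moved onto another user's row fails to decrypt. The key source (a PLAID_TOKEN_KEY environment variable), the stored format and the function names are assumptions.

```typescript
import { createCipheriv, createDecipheriv, randomBytes } from "crypto";

// Dedicated 32-byte AES key, separate from Neon's at-rest encryption. Production
// code would load it from Vercel's encrypted environment store (name assumed:
// PLAID_TOKEN_KEY); this constructed value only keeps the sample runnable offline.
const PLAID_TOKEN_KEY: Buffer = Buffer.from("0123456789abcdef0123456789abcdef"); // constructed, not a real key

const FORMAT_VERSION = "v1"; // version prefix allows later key/algorithm rotation

function checkKey(key: Buffer): void {
  if (key.length !== 32) throw new Error("token encryption key must be 32 bytes");
}

// Encrypt a Plaid access token for storage. The owning user's ID is bound in as
// additional authenticated data (AAD), so the ciphertext is only valid for that user.
export function encryptAccessToken(token: string, userId: string, key: Buffer = PLAID_TOKEN_KEY): string {
  checkKey(key);
  const iv = randomBytes(12); // fresh 96-bit nonce per token; never reused under the same key
  const cipher = createCipheriv("aes-256-gcm", key, iv);
  cipher.setAAD(Buffer.from(userId, "utf8"));
  const ciphertext = Buffer.concat([cipher.update(token, "utf8"), cipher.final()]);
  const tag = cipher.getAuthTag();
  // Stored as one versioned string: v1.<iv>.<tag>.<ciphertext>, each part base64
  return [FORMAT_VERSION, iv.toString("base64"), tag.toString("base64"), ciphertext.toString("base64")].join(".");
}

// Decrypt a stored value for the given user. Tampering with the ciphertext, tag,
// IV or user binding makes final() throw; the error is normalised so the caller
// never learns which part failed.
export function decryptAccessToken(stored: string, userId: string, key: Buffer = PLAID_TOKEN_KEY): string {
  checkKey(key);
  const parts = stored.split(".");
  if (parts.length !== 4 || parts[0] !== FORMAT_VERSION) throw new Error("unrecognised token format");
  const [ivB64 = "", tagB64 = "", ctB64 = ""] = parts.slice(1);
  const iv = Buffer.from(ivB64, "base64");
  const tag = Buffer.from(tagB64, "base64");
  if (iv.length !== 12 || tag.length !== 16) throw new Error("unrecognised token format");
  const decipher = createDecipheriv("aes-256-gcm", key, iv);
  decipher.setAuthTag(tag);
  decipher.setAAD(Buffer.from(userId, "utf8"));
  try {
    return Buffer.concat([decipher.update(Buffer.from(ctB64, "base64")), decipher.final()]).toString("utf8");
  } catch {
    throw new Error("token decryption failed");
  }
}
```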
4.3 Application Security
- Server-side input validation is enforced via Zod schemas on all tRPC endpoints
- Dependency vulnerabilities are monitored via GitHub Dependabot alerts
- Stripe webhook signatures are verified before processing payment events
- The application follows the principle of least privilege for all third-party API scopes
4.4 Infrastructure Security
- Production infrastructure is hosted on Vercel’s SOC 2-compliant platform with automatic DDoS protection
- The database is hosted on Neon’s SOC 2-compliant managed PostgreSQL with network-level isolation
- No direct SSH or shell access to production servers; all deployments are via CI/CD
5. Monitoring & Incident Response
- Application errors and anomalies are monitored via Vercel’s built-in observability and logging
- Unauthorized access attempts are logged and reviewed
- In the event of a suspected security incident, the Company will contain the threat, investigate the root cause, notify affected users within 72 hours (or sooner if required by law), and remediate the vulnerability
- Post-incident reviews are conducted to update the risk register and improve controls
6. Asset Management
The Company maintains a complete and current inventory of all network endpoints connected to corporate and production environments. This includes employee devices (laptops, phones) as well as cloud-hosted compute instances and services.
6.1 Asset Discovery & Inventory
- Production infrastructure: All production services run on Vercel’s serverless platform and Neon’s managed PostgreSQL — there are no self-managed servers or VMs. The full production asset inventory is derived directly from the Vercel project dashboard and Neon console, which provide real-time visibility into all deployed instances and database branches
- Corporate endpoints: A centralized asset register tracks all employee and contractor devices authorized to access Company systems, including device type, OS version, encryption status, and assigned owner
- Third-party SaaS: An inventory of all third-party services with access to Company data (Plaid, Stripe, GitHub, Vercel, Neon, OpenAI) is maintained and reviewed during each risk assessment cycle
6.2 Endpoint Security Requirements
- All corporate endpoints must run a supported operating system with automatic security updates enabled
- Full-disk encryption (BitLocker, FileVault, or equivalent) is required on all devices
- The OS-level firewall must be enabled; the screen lock must activate after no more than 5 minutes of inactivity
- Devices that no longer meet security requirements or are decommissioned are removed from the asset register and have credentials revoked
6.3 Ongoing Visibility
- The asset inventory is reviewed quarterly and updated whenever endpoints are added, replaced, or decommissioned
- Vercel and Neon dashboards are monitored for any unauthorized or unexpected deployments or database branches
- GitHub organization audit logs provide visibility into repository access and CI/CD pipeline changes
7. Physical Security
Finance AI operates as a fully remote organization with no physical office or on-premises data center. Physical security controls are addressed as follows:
- All production data is hosted by cloud providers (Vercel, Neon) whose physical data center security is validated through SOC 2 Type II audits
- Employee devices must use full-disk encryption and OS-level screen lock
- Sensitive credentials are never stored on local devices outside of encrypted password managers
8. Roles & Responsibilities
- Founder / Security Lead: Owns this policy, conducts risk assessments, manages incident response, and ensures compliance with partner security requirements
- All personnel: Must follow this policy, report suspected security incidents promptly, and complete security awareness training annually
9. Policy Review
This policy is reviewed and updated at least annually, or whenever there is a material change to the Company’s technology stack, data handling practices, or regulatory environment. All revisions are tracked and approved by the Security Lead.
For questions about this policy, contact security@financeai.app.