MyMoney — Information Security Policy
Version: 1.0
Effective Date: 2026-05-02
Owner: Andrew Walsh, Owner
Review Cycle: Annually
1. Purpose
This policy establishes the security practices governing the MyMoney application to protect consumer financial data, ensure regulatory compliance, and maintain user trust.
2. Scope
This policy applies to all systems, infrastructure, and personnel involved in the development, operation, and maintenance of the MyMoney application, including any contractors or third-party service providers.
3. Governance
The Owner is responsible for:
- Maintaining and enforcing this policy
- Reviewing this policy annually or after any significant security incident
- Ensuring all third-party integrations meet the security standards defined here
- Responding to security incidents and user data requests
4. Identity and Access Management
4.1 Consumer Authentication
- All users are required to authenticate with email and password
- Multi-factor authentication (MFA) is mandatory for all user accounts and cannot be bypassed
- MFA is enforced via TOTP (Time-based One-Time Password) using authenticator apps (Google Authenticator, Authy)
- MFA verification is required before any consumer-facing financial data or Plaid-connected features are accessible
- Session tokens are managed via secure, httpOnly, sameSite=strict cookies. No tokens are stored in localStorage
4.2 Administrative Access
- Supabase dashboard access is protected with MFA
- Vercel dashboard access is protected with MFA
- Production environment variables and secrets are accessible only to the Owner
- The principle of least privilege is applied — no access is granted beyond what is necessary for each role
4.3 Secrets Management
- All API keys, tokens, and credentials are stored as environment variables in Vercel
- Secrets are never committed to source code repositories
- The repository is private, with access restricted to authorized contributors only
5. Data Security
5.1 Encryption in Transit
- All data transmitted between clients and servers uses TLS 1.2 or higher
- Vercel enforces TLS on all endpoints automatically
- No sensitive data is transmitted over unencrypted connections
5.2 Encryption at Rest
- Plaid access tokens are encrypted using AES-256-GCM before storage
- Third-party API credentials (e.g., Coinbase API keys) are encrypted using AES-256-GCM before storage
- Encryption keys are stored separately from encrypted data, in Vercel environment variables
- Supabase (PostgreSQL) provides encryption at rest for the database layer
5.3 Data Isolation
- Row Level Security (RLS) is enforced at the database level on every table
- Each user can only access their own data — isolation is enforced by the database, not only by application code
- No user can access another user's financial data, transactions, or credentials
5.4 Sensitive File Storage
- Tax documents and user-uploaded files are stored in private Supabase Storage buckets
- Files are never publicly accessible
- Access is granted only via signed URLs with a 15-minute expiry
6. Infrastructure Security
6.1 Hosting
- The application is hosted on Vercel, which provides managed infrastructure with automatic patching and security updates
- Database and authentication are hosted on Supabase, which provides managed PostgreSQL with encryption, backups, and compliance controls
6.2 API Security
- All calls to third-party financial APIs (Plaid, Coinbase) are made exclusively from server-side API routes
- Third-party API credentials are never exposed to the client browser
- All API routes validate user session before processing any request
6.3 Dependency Management
- npm audit is run regularly to identify and remediate known vulnerabilities in dependencies
- GitHub Dependabot is enabled to flag vulnerable dependencies automatically
- Dependencies are kept updated on a regular basis
7. Incident Response
In the event of a suspected security incident:
- Identify — Determine the nature and scope of the incident
- Contain — Revoke compromised credentials, disable affected integrations
- Notify — Notify affected users within 72 hours if their data may have been exposed, in accordance with applicable law
- Remediate — Fix the root cause, rotate credentials, update policies as needed
- Document — Record the incident, response actions, and lessons learned
Security incidents should be reported to: andrewdanawalsh@gmail.com
8. Third-Party Risk
- Third-party service providers (Plaid, Supabase, Vercel, Anthropic, Coinbase) are evaluated for security practices before integration
- Data shared with third parties is limited to what is necessary for the service
- Plaid is used exclusively for read access to financial account data; no write or transaction execution capabilities are enabled
9. Policy Review
This policy is reviewed annually or following:
- A significant security incident
- Material changes to the application architecture
- Changes in applicable regulations
Last reviewed: 2026-05-02
Next review due: 2027-05-02