Security and Data Privacy
Date Posted: November 1, 2023
Personally Identifiable Information (PII)
We do not ask users for unnecessary personal information
We do not store any PII
Data storage
User authentication
We use Supabase Auth for authentication. It stores user identities in our Postgres database and issues JWTs that our Postgres policies evaluate on every query. Supabase is SOC2 type 2 compliant.
Authorization
We enforce PostgreSQL Row Level Security (RLS), which controls access to data row by row, so that users can only read and write the rows they are authorized for.
Data is encrypted at rest with AES-256 and in transit with TLS.
Sensitive values such as access tokens and API keys are additionally encrypted at the application level before they are written to the database, so the database only ever holds ciphertext.
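The RLS setup described above, as an added example (not the company's own schema): a Supabase-style table of per-user bank connections with policies for every statement type. The table name, columns and the `auth.uid()` helper (Supabase's function that returns the UUID of the JWT-authenticated caller) are assumptions; `auth.users` is Supabase's built-in user table.

```sql
-- Added example, not the company's schema. Assumes a Supabase project, where
-- auth.uid() returns the caller's user id from the request JWT.
create table if not exists public.bank_connections (
  id               uuid primary key default gen_random_uuid(),
  user_id          uuid not null references auth.users (id) on delete cascade,
  institution      text not null,
  -- ciphertext produced at the application layer; the database never sees the plaintext token
  access_token_enc bytea not null,
  created_at       timestamptz not null default now()
);

-- Without this line every policy below is ignored and any role with table
-- privileges can read all rows.
alter table public.bank_connections enable row level security;
-- Apply the policies to the table owner as well. (A superuser or a role with
-- BYPASSRLS still bypasses them, so keep such roles off the request path.)
alter table public.bank_connections force row level security;

-- Read: a user sees only their own rows.
create policy "owner can read" on public.bank_connections
  for select to authenticated
  using (user_id = auth.uid());

-- Insert: WITH CHECK, not USING, governs the rows a write is allowed to create.
create policy "owner can insert" on public.bank_connections
  for insert to authenticated
  with check (user_id = auth.uid());

-- Update: the existing row AND the resulting row must belong to the caller,
-- which blocks re-assigning a connection to another user.
create policy "owner can update" on public.bank_connections
  for update to authenticated
  using (user_id = auth.uid())
  with check (user_id = auth.uid());

create policy "owner can delete" on public.bank_connections
  for delete to authenticated
  using (user_id = auth.uid());

-- No policy is defined for the anon role, so unauthenticated requests see zero rows.

-- Check: list the policies actually attached to the table.
select policyname, cmd, roles, qual, with_check
  from pg_policies
 where schemaname = 'public' and tablename = 'bank_connections';

-- Check: impersonate one user inside a transaction and confirm only their rows
-- are visible, then roll back. The UUID is a placeholder.
begin;
  set local role authenticated;
  select set_config('request.jwt.claims',
    '{"sub":"00000000-0000-0000-0000-000000000001","role":"authenticated"}', true);
  select count(*) from public.bank_connections;  -- counts only rows with that user_id
rollback;
```

Two caveats worth keeping in mind with this pattern: Supabase's `service_role` key bypasses RLS entirely, so it must never reach a browser or mobile client, and a policy that covers `select` but omits `insert`/`update` leaves writes wide open once RLS is enabled with a permissive default elsewhere, so every statement type should have an explicit policy.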
SOC2 compliance
We currently do not have SOC2 compliance. We plan to obtain a SOC2 type 1 report within 4 weeks and aim for SOC2 type 2 compliance by Q1 next year.
Risk management
Financial data is handled under the same controls as PII above. The risks differ, though: a leaked bank account number or routing number enables ACH fraud, so bank details are treated as the most sensitive class of data we hold.
Email Authentication - SPF, DKIM, DMARC
DMARC: publish a policy of quarantine or reject. A message passes DMARC when either SPF or DKIM passes and the domain that was authenticated aligns with the From: header domain; both mechanisms do not need to pass.
SPF: a DNS record listing the IP addresses and hosts authorized to send mail for the domain.
DKIM: the sending server signs each outbound message with a private key; the matching public key is published in DNS so receivers can verify the signature. DKIM signs mail, it does not encrypt it.
We have published a DMARC quarantine policy and DKIM on our DNS.
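The three records above as an added example zone fragment (not the company's actual records): the domain, DKIM selector, reporting mailbox and public key are placeholders. `include:_spf.google.com` is the standard SPF include for Google Workspace; the selector name `google` is an assumption.

```dns
; Added example, not the company's DNS. example.com and the mailbox are placeholders.

; SPF: only Google Workspace's senders may send as example.com; "-all" hard-fails everything else.
example.com.                    IN TXT "v=spf1 include:_spf.google.com -all"

; DKIM: public key for selector "google"; the mail server holds the matching private key.
google._domainkey.example.com.  IN TXT "v=DKIM1; k=rsa; p=<base64-encoded RSA public key>"

; DMARC: quarantine unaligned mail, send aggregate reports, require strict alignment
; of both the SPF domain (aspf=s) and the DKIM d= domain (adkim=s) with the From: header.
_dmarc.example.com.             IN TXT "v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@example.com; adkim=s; aspf=s; pct=100"
```

Two things to check after publishing: `pct=100` means the policy applies to all mail (a lower value during rollout only samples), and a forwarded message usually breaks SPF while keeping DKIM intact, which is exactly why DMARC treats an aligned DKIM pass as sufficient on its own.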
Google Workspace
Password and security
Enabled 2-Step Verification for every employee
Security key: passkeys (MacBook Touch ID or an iPhone) replace the need for a YubiKey
Access and data control
Restrict employees from granting third-party OAuth access to their Gmail and Google Drive
HR identity manager - Rippling
Authentication policy: every teammate must enable MFA with a security key
Password manager - Keeper
Sign-in uses SSO connected to Rippling
2FA is enforced separately for all teammates, so a compromised Rippling account alone does not unlock Keeper
Source code security - Github
We require our engineers to use their tyrtruewind.com email to create a new GitHub account.
We require 2FA on every GitHub account
Security practices
Hosting
Cloud hosting - We host all server-side components of our application on Vercel, an off-premise cloud infrastructure
Governance: documented policy and operational information security program
Asset management: discovering and maintaining visibility into all network endpoints connected to the production networks
perform vulnerability scans against employee
endpoint security tools and agents to protect employee
Personal Devices Policy
Yes - employee and contractor personal devices may be used to carry out job responsibilities, and those devices are centrally managed by us
Access Controls
We have defined processes for requesting, granting, reviewing, approving, and revoking access to production assets and data
We have deployed strong factors of authentication (e.g. 2-factor authentication) for all production assets
Change Controls
We have a defined process for building and releasing code changes to production assets
We do NOT logically enforce the testing of code changes before they're deployed to production assets
We logically enforce the review and approval of code changes before they are deployed to production assets
Cryptography
We use TLS 1.2 or better for all client-server communications
We do NOT encrypt consumer data retrieved from the Plaid API at-rest
Logging and Monitoring
We maintain robust audit trails and logs for all material events that occur in our production assets
We have monitoring and alerting mechanisms for real-time detection and triage of events that may negatively impact the security of production assets
Incident Management
We do NOT have a defined process for detecting, triaging, and resolving security impacting incidents
Network Segmentation
Our cloud and on-prem production networks are segmented based on the sensitivity of assets in each sub-network, and their needed exposure to the open internet
Awareness and Training
We train all employees and contractors on security awareness during on-boarding and on an ongoing basis
To-do: Add training documents
Data Processing Agreements
Open AI - Data Processing Agreements https://drive.google.com/drive/folders/1kHQhF8KH7bLn1u4oO92XtWX4EXOpXGt0?usp=drive_link
Data Retention Policy
Purpose
The purpose of this data retention policy is to establish guidelines for the retention and disposal of company data in order to ensure compliance with legal and regulatory requirements, safeguard sensitive information, and manage storage resources efficiently.
Scope
This policy applies to all employees, contractors, and third parties who handle company data in any form, including electronic and physical records.
Data Classification
Data should be classified into different categories based on its sensitivity and importance. Common classifications may include:
a. Confidential / Highly Sensitive: Data that contains personally identifiable information (PII), financial information, trade secrets, or other sensitive information that requires strict protection.
b. Internal / Operational: Data that is important for day-to-day operations but has a lower level of sensitivity.
c. Public: Data that is intended for public consumption and does not require any special protection.
Retention Period
Each data category should have a specified retention period, determined based on legal, regulatory, and business requirements. Retention periods may vary depending on the type of data and applicable laws. Some common examples include:
a. Confidential / Highly Sensitive: Retain for a minimum of 1 year after the end of the business relationship or legal requirement.
b. Internal / Operational: Retain for a minimum of 1 year after creation or receipt.
c. Public: No specific retention period required.
Storage and Disposal
Data should be stored in secure and appropriate locations based on its classification. Physical records should be stored in locked cabinets or secure off-site facilities. Electronic data should be stored on secure servers with appropriate access controls.
When data reaches the end of its retention period, it should be disposed of in a secure and irreversible manner. The method of disposal should be appropriate for the data format, ensuring that it cannot be recovered.
Review and Compliance
This policy should be reviewed periodically to ensure its effectiveness and alignment with changing legal and regulatory requirements. Non-compliance with this policy may result in disciplinary action, including termination of employment or legal consequences.