Information Security Policy

Effective Date: August 11, 2025 | Version 1.0

Our Commitment to Security

We take the security of your personal and payment information seriously. This policy outlines the comprehensive measures we implement to protect your data and ensure secure transactions.

Data Protection

Encryption Standards

  • All sensitive data encrypted at rest with AES-256
  • TLS 1.2+ encryption for all data transmission
  • Bank account tokens secured with additional application-level encryption
  • No plain text storage of payment credentials

Data Categories We Protect

  • Payment Information: Bank account details, payment history, transaction records
  • Personal Information: Name, address, phone, email
  • Account Security: Passwords, authentication tokens
  • Business Records: Order history, invoices, statements

Payment Security

Plaid Integration

  • Bank connections secured by Plaid's OAuth 2.0 authentication
  • We never store your bank login credentials
  • All payment tokens encrypted with AES-256-GCM
  • Webhook signatures verified for all payment events
  • Plaid maintains SOC 2 Type II compliance

ACH Payment Protection

  • Identity verification through Plaid Identity
  • Real-time balance verification before processing
  • Fraud detection and velocity checks
  • Manual review for high-risk transactions

Access Control

  • Multi-factor authentication for administrative access
  • Role-based access control (RBAC) throughout the platform
  • Session timeout after 30 minutes of inactivity
  • Strong password requirements (12+ characters)
  • Regular security audits and access reviews

Infrastructure Security

  • Hosted on secure cloud infrastructure with DDoS protection
  • Web Application Firewall (WAF) enabled
  • SSL/TLS certificates maintained and auto-renewed
  • Regular security updates and patches
  • 24/7 monitoring and alerting systems

Security Monitoring

Continuous Monitoring

  • Real-time authentication attempt monitoring
  • Failed payment tracking and alerting
  • Comprehensive audit logs for all administrative actions
  • Automated alerts for suspicious activities

Incident Response

We maintain a comprehensive incident response plan that includes immediate containment, investigation, remediation, and customer notification within 72 hours if required by law.

Compliance

  • PCI DSS (Payment Card Industry Data Security Standard) compliance
  • NACHA Operating Rules for ACH transactions
  • State privacy law compliance (CCPA, etc.)
  • Regular third-party security assessments

Data Backup and Recovery

  • Daily automated encrypted backups
  • Geographic redundancy for backup storage
  • 30-day retention policy
  • Recovery Time Objective (RTO): 4 hours
  • Recovery Point Objective (RPO): 24 hours

Vulnerability Management

  • Critical security patches applied within 24 hours
  • Monthly security updates
  • Automated dependency vulnerability scanning
  • Input validation and sanitization
  • Protection against SQL injection, XSS, and CSRF attacks

Your Security Responsibilities

  • Keep your account credentials confidential
  • Use strong, unique passwords
  • Report suspicious activity immediately
  • Keep your contact information up to date
  • Review your statements and transaction history regularly

Security Updates

This policy is reviewed annually and updated as needed to address new threats, technologies, and regulatory requirements. We continuously improve our security measures to protect your information.

Contact Us

For security concerns or to report an incident, please contact us immediately:

  • Email: contact@shawnnance.com
  • Response Time: Critical incidents handled 24/7

This document demonstrates our commitment to information security and our implementation of industry-standard security controls for e-commerce and payment processing operations.