Security Policy

At Nova Finance, security is our top priority. This Security Policy provides comprehensive information about our security practices, data protection measures, and compliance with industry standards. We are committed to protecting your financial information and maintaining the trust you place in us.

This policy complies with requirements from Plaid, regulatory bodies including the Gramm-Leach-Bliley Act (GLBA), Payment Card Industry Data Security Standard (PCI DSS), EU General Data Protection Regulation (GDPR), and California Consumer Privacy Act (CCPA).

1. Information Security Governance and Risk Management

1.1 Security Governance Structure

Nova Finance has established a comprehensive security governance framework:

• Chief Information Security Officer (CISO): Oversees all security initiatives and policies
• Security Team: Dedicated personnel responsible for monitoring, incident response, and security operations
• Quarterly Security Reviews: Regular assessment of security posture and policy updates
• Third-Party Audits: Annual SOC 2 Type II audits by independent auditors

1.2 Risk Assessment and Management

We conduct comprehensive risk assessments to identify, evaluate, and mitigate security risks:

• Annual Risk Assessments: Comprehensive evaluation of information security risks
• Threat Modeling: Identify potential attack vectors and vulnerabilities
• Business Impact Analysis: Assess criticality of systems and data
• Risk Mitigation Plans: Documented strategies to address identified risks
• Continuous Monitoring: Real-time threat detection and response

1.3 Compliance and Certifications

2. Information Security Policies and Procedures

2.1 Security Policy Framework

We maintain comprehensive, documented security policies covering:

• Data Protection Policy: Guidelines for handling sensitive information
• Access Control Policy: Rules for granting and revoking system access
• Incident Response Policy: Procedures for detecting and responding to security incidents
• Business Continuity and Disaster Recovery: Plans to ensure service availability
• Acceptable Use Policy: Employee guidelines for technology use
• Third-Party Risk Management: Vendor security assessment procedures

2.2 Policy Review and Updates

All security policies are:

• Reviewed annually or when significant changes occur
• Approved by executive leadership and security team
• Communicated to all employees and contractors
• Version-controlled with change history documentation

2.3 Employee Security Training

• Onboarding Security Training: Mandatory for all new hires
• Annual Refresher Training: Security awareness and phishing simulations
• Role-Based Training: Additional training for personnel with access to sensitive data
• Incident Response Drills: Quarterly tabletop exercises to test preparedness

3. Identity and Access Management (IAM)

3.1 Access Control Principles

We implement strict access controls based on:

• Principle of Least Privilege: Users receive minimum access necessary for their role
• Need-to-Know Basis: Access granted only when required for job function
• Separation of Duties: Critical operations require multiple approvals
• Time-Based Access: Temporary access automatically expires

3.2 Authentication Mechanisms

Nova Finance implements a complete and robust authentication system:

• Strong Password Requirements: Minimum 12 characters, complexity requirements enforced
• Password Hashing: Bcrypt with salt rounds (never stored in plain text)
• JWT Session Tokens: Short-lived tokens (30-day expiration) with refresh mechanism
• Secure Cookie Configuration: HttpOnly, Secure, SameSite attributes enabled
• Session Management: Automated logout after inactivity and secure token refresh
• Consent Tracking: LGPD-compliant consent management with IP and user-agent logging

3.3 Role-Based Access Control (RBAC)

User access is managed through roles with defined permissions:

• User Role: Standard access to own financial data only
• Support Role: Limited access for customer assistance (audit logged)
• Developer Role: Access to development environments only
• Administrator Role: Full system access (MFA required, all actions logged)

3.4 Access Review and Revocation

• Quarterly access reviews to ensure appropriate permissions
• Immediate revocation upon employee termination or role change
• Automatic suspension of inactive accounts after 90 days
• Audit trail of all access grants and revocations

4. Multi-Factor Authentication (MFA)

4.1 Planned MFA Implementation

When implemented, MFA will offer:

• Time-Based OTP (TOTP): Support for authenticator apps (Google Authenticator, Authy, 1Password)
• User Control: Enable/disable MFA in Settings > Security
• QR Code Enrollment: Simple setup process with QR code scanning
• Recovery Codes: Backup codes provided during enrollment for account recovery

4.2 MFA for Internal Systems

All employees and contractors must use MFA for:

• Access to production systems and databases
• Administrative accounts (Google Cloud, Supabase, GitHub)
• VPN and remote access
• Code repositories and deployment pipelines

4.3 MFA Security Benefits

MFA will protect against:

• Credential theft and phishing attacks
• Brute force password attacks
• Account takeover attempts
• Unauthorized access from compromised devices

5. Password Security and Management

5.1 Password Requirements

• Minimum Length: 12 characters (recommended: 16+ characters)
• Complexity: Mix of uppercase, lowercase, numbers, and special characters
• No Common Passwords: Checked against database of breached passwords (HaveIBeenPwned API)
• No Personal Information: System rejects passwords containing name or email
• Password History: Cannot reuse last 5 passwords

5.2 Password Storage

We implement industry-standard password protection:

• Hashing Algorithm: Bcrypt with adaptive cost factor (increases over time)
• Salt: Unique cryptographic salt for each password
• Never Stored in Plain Text: Passwords are hashed before storage
• Secure Password Reset: Time-limited tokens sent via email, old password invalidated

5.3 Password Reset Security

• Email verification required before password reset
• Reset tokens expire after 1 hour
• One-time use tokens (cannot be reused)
• Security notification sent to user after password change
• All active sessions terminated after password reset

6. Data Encryption Standards

6.1 Encryption at Rest

All sensitive financial data is encrypted using industry-leading algorithms:

6.2 Data Encrypted at Rest

• Plaid Access Tokens: Encrypted before storage in database
• Bank Account Numbers: Encrypted using AES-256-CBC
• Transaction Details: All financial transaction data encrypted
• Account Balances: Encrypted balance information
• Personally Identifiable Information (PII): Name, email, phone numbers

6.3 Encryption in Transit

All data transmission is secured using:

• TLS 1.2+: Minimum version for all connections (TLS 1.3 preferred)
• Perfect Forward Secrecy: Unique session keys for each connection
• Strong Cipher Suites: Only approved cryptographic algorithms
• HSTS: HTTP Strict Transport Security enforced (1-year max-age)
• Certificate Authority: Trusted SSL/TLS certificates from Let's Encrypt/DigiCert

7. Technical Security Safeguards

7.1 Infrastructure Security

• Backend Hosting: Google Cloud Run with automatic security patching
• Frontend Hosting: Vercel with DDoS protection and CDN
• Database: Supabase PostgreSQL with Row Level Security (RLS) policies
• Network Segmentation: Isolated environments for production, staging, and development
• Firewall Protection: Web Application Firewall (WAF) to block malicious traffic

7.2 Application Security

• Rate Limiting: 30 requests/minute on sensitive endpoints (auth, payments)
• CSRF Protection: Anti-CSRF tokens for state-changing operations
• XSS Prevention: Content Security Policy (CSP) headers, input sanitization
• SQL Injection Prevention: Parameterized queries, ORM usage
• Dependency Scanning: Automated vulnerability scanning of third-party libraries

7.3 Security Headers

We implement HTTP security headers using Helmet.js:

• X-Frame-Options: DENY (prevent clickjacking)
• X-Content-Type-Options: nosniff (prevent MIME-sniffing)
• Strict-Transport-Security: max-age=31536000 (1 year HSTS)
• Content-Security-Policy: Restrict resource loading to trusted domains
• Referrer-Policy: strict-origin-when-cross-origin

7.4 Logging and Monitoring

• Audit Logs: 13-month retention of authentication and sensitive operations
• Real-Time Alerts: Security team notified of suspicious activity
• Intrusion Detection: Automated detection of anomalous behavior
• Error Tracking: Application errors logged and monitored (no sensitive data in logs)

8. Vulnerability and Patch Management

8.1 Vulnerability Scanning

• Automated Scanning: Weekly vulnerability scans of infrastructure and applications
• Dependency Audits: Daily checks for known vulnerabilities in third-party libraries (npm audit, Snyk)
• Code Security Analysis: Static Application Security Testing (SAST) on each commit
• Penetration Testing: Annual third-party penetration testing

8.2 Patch Management

We maintain a rigorous patch management process:

• Critical Patches: Applied within 24 hours of release
• High Priority Patches: Applied within 7 days
• Regular Updates: Monthly maintenance windows for non-critical updates
• Testing: All patches tested in staging before production deployment
• Rollback Plan: Immediate rollback capability if issues arise

8.3 Security Bug Bounty

We welcome responsible disclosure of security vulnerabilities:

• Report Endpoint: security@novafinance.tech
• Response Time: Initial response within 48 hours
• Rewards: Monetary compensation for valid vulnerabilities (severity-based)
• Public Disclosure: Coordinated disclosure after patch deployment

9. Data Protection and Privacy Practices

9.1 Data Minimization

We collect only the minimum data necessary to provide our Services:

• No collection of Social Security Numbers (SSN)
• No storage of bank login credentials (handled by Plaid)
• No credit card numbers stored (Stripe tokenization)
• Transaction data limited to last 12 months

9.2 Data Retention

• Financial Data: 12 months, then automatically purged
• Account Data: Deleted 90 days after account closure
• Audit Logs: 13 months (compliance requirement)
• Backup Data: 30-day encrypted backups, then overwritten

Users can request immediate data deletion through Settings > Privacy > Delete Account.

9.3 Privacy by Design

• Default Privacy Settings: Most privacy-protective settings enabled by default
• User Control: Granular control over data sharing and marketing preferences
• Transparency: Clear communication about data collection and use
• Data Portability: Export all data in JSON format

10. Third-Party Service Provider Security

10.1 Vendor Security Assessment

All third-party vendors undergo security review before integration:

• Due Diligence: Evaluation of security posture, certifications, and compliance
• Contractual Safeguards: Data protection clauses in all vendor agreements
• Regular Reviews: Annual re-assessment of vendor security practices
• Right to Audit: Contractual right to audit vendor security controls

10.2 Key Third-Party Providers

10.3 Data Processor Agreements

All third-party processors sign Data Processing Agreements (DPAs) that ensure:

• GDPR compliance (Standard Contractual Clauses)
• Confidentiality obligations
• Security incident notification requirements
• Data deletion upon contract termination
• Prohibition on unauthorized data use or disclosure

11. Security Incident Response

11.1 Incident Response Plan

We maintain a comprehensive incident response plan covering:

• Detection: 24/7 monitoring and automated alerting
• Triage: Rapid assessment of incident severity and scope
• Containment: Immediate isolation of affected systems
• Eradication: Removal of threat and restoration of security
• Recovery: System restoration and validation
• Post-Incident Review: Root cause analysis and lessons learned

11.2 Breach Notification

In the event of a data breach affecting personal information:

• User Notification: Within 72 hours of breach discovery (GDPR requirement)
• Regulatory Notification: Report to relevant authorities as required by law
• Transparency: Clear communication about nature and extent of breach
• Remediation Steps: Guidance on protecting yourself from potential harm
• Free Credit Monitoring: Offered for breaches involving financial data

11.3 Business Continuity

• Backup Systems: Redundant infrastructure across multiple regions
• Disaster Recovery: RTO (Recovery Time Objective) of 4 hours, RPO (Recovery Point Objective) of 1 hour
• Failover Testing: Quarterly disaster recovery drills
• Communication Plan: Status page and customer communication channels

12. User Security Recommendations

12.1 Protect Your Account

• ✓ Enable Multi-Factor Authentication (Settings > Security > MFA)
• ✓ Use a unique, strong password (minimum 16 characters)
• ✓ Never share your password or MFA codes
• ✓ Log out of shared devices after use
• ✓ Review active sessions regularly (Settings > Security > Active Sessions)

12.2 Recognize Phishing Attempts

If you receive suspicious communications, forward them to security@novafinance.tech.

12.3 Report Security Concerns

If you suspect unauthorized access or security issues:

• Immediate Action: Change your password and enable MFA
• Contact Us: Email security@novafinance.tech
• Review Activity: Check transaction history for unauthorized changes
• Revoke Access: Disconnect bank accounts if necessary (Settings > Connected Accounts)

13. Security Contact Information