Information Security Policy

Last Updated: November 26, 2025

1. Purpose and Scope

1.1 Purpose

This Information Security Policy establishes the framework for protecting Freedom Forge's information assets, systems, and customer data from unauthorized access, disclosure, modification, or destruction.

Company Information:

Organization: Freedom Forge
Address: 12308 Bay Estuary Bend, Riverview, FL 33579
Website: freedomforge.app
Contact: contact@freedomforge.app

2. Information Security Principles

Confidentiality

Protecting sensitive information from unauthorized disclosure

Customer financial data encrypted in transit and at rest
Access restricted to authorized systems only
No sharing of customer data with third parties

Integrity

Ensuring accuracy and completeness of information

Row Level Security (RLS) prevents data tampering
All code changes tracked via version control
Database backups for data recovery

Availability

Ensuring authorized users can access information when needed

99.9% uptime target via Vercel Edge Network
Automatic failover and redundancy
Incident response procedures for service disruptions

3. Data Classification

Critical Data (Highest Protection)

Plaid API Access Tokens: Encrypted in Supabase Vault (AES-256)
User Passwords: Hashed with bcrypt, never stored in plain text
API Keys and Secrets: Stored in Vercel encrypted environment variables

Sensitive Data (High Protection)

Customer Financial Data (bank balances, transactions, debt information)
Personally Identifiable Information (names, email addresses, phone numbers)
Authentication Credentials (session tokens, refresh tokens)

Internal Data (Moderate Protection)

Application Code (stored in private GitHub repositories)
System Configuration (infrastructure settings and deployment configurations)
Usage Analytics (aggregated, anonymized user behavior data)

4. Access Control

4.1 Two-Factor Authentication (2FA)

Required for all critical systems:

GitHub account (code repository)
Vercel account (hosting and deployment)
Supabase account (database and authentication)
Plaid Dashboard (API management)
Domain registrar accounts

4.2 Password Requirements

✓ Minimum 16 characters for administrative accounts
✓ Combination of uppercase, lowercase, numbers, and special characters
✓ No password reuse across services
✓ Password manager (1Password or Bitwarden) required
✓ Passwords changed immediately if compromise suspected

4.3 Session Management

User sessions expire after 30 days of inactivity
Active sessions terminated upon password change
Failed login attempts logged and monitored
Account lockout after 5 failed login attempts

5. Data Protection

5.1 Encryption Standards

Data in Transit:

✓ All connections use TLS 1.3 encryption
✓ HTTPS enforced for all web traffic
✓ Certificate pinning for Plaid API connections
✓ Strict Transport Security (HSTS) headers enabled

Data at Rest:

✓ Plaid access tokens: AES-256 encryption in Supabase Vault
✓ Database: Volume-level encryption via Supabase/AWS
✓ Passwords: Bcrypt hashing with salt
✓ Environment variables: Encrypted in Vercel

5.2 Data Handling Procedures

Customer Financial Data:

Retrieved only via secure Plaid API connections
Stored in Supabase PostgreSQL with Row Level Security
Transaction history retained for 24 months (user-configurable)
Automatic deletion of data older than retention period

Sensitive Credentials:

Never committed to version control (git)
Never logged or displayed in error messages
Never transmitted via email or insecure channels
Stored only in encrypted vaults or environment variable systems

6. Infrastructure Security

Production Environment

Application Hosting: Vercel (SOC 2 Type II certified)

Database: Supabase PostgreSQL (SOC 2 Type II certified)

Financial Data Aggregation: Plaid (SOC 2 Type II certified)

Version Control: GitHub (SOC 2 Type II certified)

Network Architecture

Frontend: Serverless Next.js on Vercel Edge Network (200+ global locations)
Backend: Serverless API routes with automatic scaling
Database: Private network, not publicly accessible without credentials
All communication over HTTPS/TLS 1.3

7. Vulnerability Management

7.1 Automated Scanning

GitHub Dependabot: Daily scanning of npm dependencies
Security Advisories: Automatic alerts for known vulnerabilities
Vercel Security Headers: Automatic OWASP header configuration
Supabase: Regular security patches managed by provider

7.2 Patch Management

✓ Critical security patches applied within 24 hours of discovery
✓ High-priority patches applied within 7 days
✓ Regular dependency updates on monthly basis
✓ Automated deployment process ensures rapid patch deployment

7.3 Code Security Practices

TypeScript strict mode prevents type-related bugs
ESLint configured for security best practices
Input validation on all API endpoints
Output sanitization to prevent XSS attacks
Parameterized queries to prevent SQL injection
Content Security Policy (CSP) headers configured

8. Incident Response

8.1 Incident Classification

Critical (Response Within 1 Hour):

Data breach or suspected unauthorized access to customer data
Complete service outage affecting all users
Compromise of Plaid API credentials or access tokens
Security vulnerability actively being exploited

High (Response Within 4 Hours):

Partial service degradation affecting multiple users
Denial of service attack
Unauthorized access attempt detected
Security vulnerability discovered but not yet exploited

Medium (Response Within 24 Hours):

Individual user account compromise
Performance degradation
Failed deployment requiring rollback

8.2 Response Procedures

Detection:

• Vercel Analytics: Real-time error tracking
• Supabase logs: Failed auth attempts
• Email alerts: Build failures, rate limits
• Manual monitoring: Daily health checks

Containment:

• Disable affected features immediately
• Revoke compromised credentials
• Block malicious IP addresses
• Isolate affected systems

Eradication:

• Identify root cause
• Deploy patches or config changes
• Verify vulnerability remediated
• Conduct security testing

Communication:

• Notify affected users within 72 hours
• Notify regulatory authorities as required
• Public status updates if widespread
• Transparent post-mortem documentation

9. Backup and Disaster Recovery

9.1 Backup Procedures

Database Backups (Supabase):

Automatic daily backups
Point-in-time recovery available (up to 7 days)
Backups encrypted and stored in separate geographic region
Retention: 30 days for production backups

Code Repository (GitHub):

Complete version history maintained
Distributed nature provides redundancy
Organization settings backed up monthly

9.2 Disaster Recovery

Recovery Time Objective (RTO): 4 hours (time to restore service after total system failure)

Recovery Point Objective (RPO): 24 hours (maximum acceptable data loss)

10. Third-Party Service Providers

Approved Vendors

Provider	Purpose	Compliance
Plaid	Financial data aggregation	SOC 2 Type II
Vercel	Application hosting	SOC 2 Type II
Supabase	Database & authentication	SOC 2 Type II
GitHub	Code repository	SOC 2 Type II

11. Compliance

Freedom Forge complies with:

✅ California Consumer Privacy Act (CCPA)
✅ General Data Protection Regulation (GDPR)
✅ Gramm-Leach-Bliley Act (GLBA) - via Plaid compliance
✅ Plaid Data Governance Requirements
✅ SOC 2 Type II Standards (via infrastructure providers)

12. Contact Information

Security Concerns

Report security incidents or concerns immediately:

Email: contact@freedomforge.app
Subject Line: "SECURITY INCIDENT" or "SECURITY CONCERN"
Response Time: Within 24 hours

Policy Questions

Questions about this Information Security Policy:

Email: contact@freedomforge.app
Subject Line: "Security Policy Question"
Response Time: Within 5 business days

Policy Owner: Marc Carlton, Founder

Document Version: 1.0

Effective Date: November 26, 2025

Last Reviewed: November 26, 2025

Next Review: May 26, 2026

← Privacy Policy