Security Policy

This document outlines the security policies for handling financial information from Plaid, performing computations, and providing summary data to end users through the MagniFee web application.

All infrastructure related to the MagniFee application is hosted on Azure and includes a Svelte front-end on a static web app, an Azure Function to pull publicly accessible SEC data, internal APIs, and a staging database, all behind a virtual network and a network security group. A high-level architecture diagram is included below.

Because this application is a prototype in its infancy, access to repositories and infrastructure is extremely limited: it is granted only to a handful of individuals within an approved application vendor, G2O.

Date      Author  Version
May 2024  G2O     1.0

[Figure: Diagram of how MagniFee connects to Plaid]

1. Hosting

1.1. All Azure resources must be provisioned within a virtual network (VNet) to ensure isolation and security of the infrastructure.

1.2. Network security groups (NSGs) must be implemented to control inbound and outbound traffic to the resources.

1.3. All Azure resources must be regularly updated and patched to address any known vulnerabilities.

2. Governance

2.1. An initial governance framework has been established to identify, mitigate, and monitor security risks and is presented throughout this document.

2.2. Risk assessments must be conducted to identify potential threats and vulnerabilities whenever infrastructure or application functionality changes.

2.3. Roles and responsibilities for security management and incident response must be clearly defined and assigned.

3. Asset Management

3.1. There is currently no physical asset management to speak of and no employees.

4. Access Controls

4.1. Access to application infrastructure is managed through Azure and only granted to approved vendors actively working on the infrastructure and associated application.

4.2. Strong authentication factors, such as 2-factor authentication (2FA), must be enforced for all user accounts. For the purpose of this application, Plaid will be the gateway for authentication and no data can be accessed without that successful connection.

4.3. Access controls must be regularly reviewed and updated to ensure they remain effective.

5. Change Controls

5.1. Mandatory testing of code changes must be enforced before production release.

5.2. A code review and approval process must be implemented to ensure that all changes are reviewed and approved by authorized personnel before production release.

5.3. A detailed change log must be maintained to track all modifications made to production assets.

6. Cryptography

6.1. All data-in-transit must be encrypted using TLS 1.2 or better to protect data confidentiality and integrity.

6.2. Consumer data received from Plaid must be encrypted at rest using strong encryption algorithms (e.g., AES-256).

6.3. Encryption keys must be securely managed using Azure Key Vault or a similar service.

6.4. Encryption keys must be regularly rotated to minimize the impact of key compromise.

7. Logging & Monitoring

7.1. A centralized logging system must be implemented to maintain a robust audit trail of all material events that occur in production assets.

7.2. Real-time monitoring and alerting must be enabled to detect and triage events that may negatively impact the security of production assets.

7.3. Logs and monitoring data must be regularly reviewed to identify any suspicious activities or anomalies.

7.4. Logs must be retained for a sufficient period to support incident investigations and compliance requirements.

8. Incident Management

8.1. All security incidents must be communicated and sent to the supporting vendor to triage and mitigate.

8.2. All security incidents and lessons learned must be documented to continuously improve the incident management process.

9. Network Segmentation

9.1. Production networks must be segmented based on the sensitivity of assets in those networks.

9.2. Network access controls must be implemented to restrict traffic between network segments.

9.3. Network segmentation policies must be regularly reviewed and updated to ensure they remain effective.

10. Vendor Management

10.1. Due diligence must be conducted on all vendors to assess their security posture and compliance with relevant standards and regulations.

10.2. Security requirements and service level agreements (SLAs) must be included in vendor contracts.

10.3. Vendor performance and compliance must be regularly monitored and reviewed.

11. Consumer Consent

11.1. Explicit consent must be obtained from consumers for the collection, processing, and storing of their data.

11.2. Clear and concise privacy notices must be provided to explain how consumer data will be used and shared.

11.3. Consumers must be allowed to easily withdraw their consent and request the deletion of their data.

11.4. All applicable data privacy laws and regulations, such as GDPR and CCPA, must be complied with.

12. Data Usage

12.1. Consumer data accessed through the Plaid API must not be sold or shared with any third parties.

12.2. Consumer data must be used only for the purposes explicitly consented to by the consumer.

12.3. Technical controls must be implemented to prevent unauthorized access, use, or disclosure of consumer data.

12.4. Data usage practices must be regularly reviewed and audited to ensure compliance with policies and regulations.

13. Policy Compliance

13.1. All employees, contractors, and third-party vendors must comply with this security policy.

13.2. Violations of this policy may result in disciplinary action, up to and including termination of employment or contract.

13.3. The security policy must be regularly reviewed and updated to ensure it remains effective and aligned with industry best practices and applicable laws and regulations.