Information Security Policy

Effective Date: January 4, 2026 | Last Updated: January 4, 2026 | Version: 1.0

Purpose

This Information Security Policy establishes the framework for protecting the confidentiality, integrity, and availability of financial data processed by Iris Secure Financial. This policy applies to all systems, applications, and personnel handling customer financial information.

Security Contact:

Name: Support Team
Phone: +1-508-365-9038
Email: [email protected]
Website: https://irissecure.tech/
Responsibilities: Overall information security oversight, incident response coordination, security policy maintenance

Scope

This policy covers:

All production systems hosting Iris Secure Financial
Financial data obtained via Plaid API integration
Customer personal and business information
Internal employee access to systems and data
Third-party service providers (Plaid, AWS, Vercel, etc.)

Access Control

Authentication Requirements

User Authentication (NextAuth.js):

Email/password authentication with bcrypt hashing (cost factor 10)
Session-based authentication using JWT tokens
Session expiry: 30 days
Password requirements: Minimum 8 characters

Multi-Factor Authentication (MFA):

Currently: Session-based authentication
Planned: Biometric MFA in Q2 2026
Enhanced security for administrative access in development

Role-Based Access Control (RBAC)

ADMIN: Full tenant access, team management, settings configuration
MEMBER: Standard user access, limited to assigned data
Super Admin: Platform-wide administrative access

Multi-Tenant Isolation

All database queries enforce tenant-level isolation
Users can only access data belonging to their organization(s)
Strict session validation on all API routes

Data Protection

Encryption

Data in Transit:

TLS 1.2+ for all client-server communications
HTTPS enforced on all production endpoints
Secure WebSocket connections where applicable

Data at Rest:

PostgreSQL database encryption at rest
All Plaid API data encrypted in database
Password hashing using bcryptjs (salt rounds: 10)
JWT tokens stored as HTTP-only cookies

Data Classification

Highly Sensitive: Bank account credentials (handled by Plaid, never stored), financial transaction details, authentication tokens

Sensitive: Personal information, business financial data, organizational settings

Internal: System logs (sanitized), application metadata

Network and Infrastructure Security

Architecture

Hosted on Vercel/Abacus AI secure cloud platform
Managed PostgreSQL with encryption
CDN: Cloudflare/Vercel edge network
API Gateway: Next.js API routes with middleware authentication

Security Controls

Cloud provider managed firewall rules
DDoS Protection integrated via hosting platform
Rate Limiting on authentication endpoints
Security Headers: CSP, HSTS, X-Frame-Options configured

Vulnerability Management

Automated Scans

Dependency vulnerability scanning (Dependabot/npm audit)
Code security analysis during build process
Weekly automated scans of production dependencies

Patch Management

Critical Vulnerabilities: Patched within 48 hours
High Severity: Patched within 7 days
Medium/Low: Patched during regular maintenance windows
Zero-Day: Emergency response process activated

Incident Response

Security Incidents:

Phone: +1-508-365-9038
Primary Contact: [email protected]
Response Time: Within 4 hours during business hours
Emergency Protocol: 24/7 monitoring for critical systems

Process:

Detection: Via monitoring, user reports, or automated alerts
Assessment: Severity classification and scope determination
Containment: Immediate action to limit impact
Eradication: Remove threat and vulnerabilities
Recovery: Restore services and validate security
Post-Incident: Root cause analysis and preventive measures

Third-Party Risk Management

Critical Vendors:

Plaid: Financial data aggregation (SOC 2 Type II certified)
Vercel/Abacus AI: Application hosting (security certifications verified)
PostgreSQL Provider: Database hosting (encryption at rest/transit)

Assessment Process:

Annual security questionnaire for all critical vendors
Review of security certifications and compliance status
Contractual security requirements and SLAs

Compliance and Privacy

Transparency: Clear privacy policy disclosed to all users
Consent: Explicit opt-in for data collection and processing
Data Minimization: Collect only necessary information
User Rights: Data access, correction, and deletion upon request

See our Data Retention Policy for retention details.

Continuous Improvement

Roadmap for 2026:

✓ Implementation of biometric MFA (Q2)
✓ Annual penetration testing (Q3)
✓ Enhanced MFA for critical systems (Q1-Q2)
✓ Security awareness program formalization (Q2)
✓ SIEM implementation for advanced threat detection (Q4)

Document Version: 1.0

Next Review Date: January 4, 2027

Approved By: Support Team

Distribution: Internal use, available to partners/auditors upon request