1. Scope
This policy applies to all Billslash production systems, employees, and contractors. It documents the controls we use to protect customer data and meet our obligations to partners such as Plaid, Stripe, and our enterprise customers.
2. Encryption
- In transit: TLS 1.2+ enforced on every domain (HSTS enabled).
- At rest: AES-256 disk encryption on our managed Postgres database.
- Secrets: Stored in our cloud secret vault; never committed to source control.
- Plaid access tokens: Isolated in a service-role-only table; never logged, never returned to the browser.
3. Access Control
- Row-level security on every user-scoped table.
- Roles stored in a separate `user_roles` table, queried via a SECURITY DEFINER `has_role()` function (no recursion, no privilege escalation).
- TOTP multi-factor authentication required for admin accounts. Enrollment is self-service in Settings.
- Production database write access is limited to a small named group of engineers.
4. Plaid Integration
- Token exchange: Performed server-side. Public tokens never reach the browser after exchange.
- Webhook verification: All Plaid webhooks are verified via ES256 JWT signature against Plaid's published JWKS, with a 5-minute replay window and constant-time body hash comparison.
- Token rotation: Tokens can be rotated on demand via Plaid's `/item/access_token/invalidate` endpoint.
- Item removal: When a user disconnects a bank or deletes their account, we call Plaid's `/item/remove` to revoke our consent.
5. Audit Logging
Sensitive actions are written to an append-only `security_audit_log` table with the actor's user id, IP address, user-agent, and a JSON detail payload. Logs are readable only by admins and retained for at least 12 months.
6. Incident Response
- 24/7 alerting on application errors and authentication anomalies via Sentry.
- Documented runbook covering triage, containment, eradication, recovery, and customer notification.
- Affected customers and regulators are notified within 72 hours when required by GDPR / CCPA.
7. Data Retention & Deletion
- Account data is retained while your account is active.
- On deletion, all linked Plaid items are revoked, bank credentials are wiped, and personal data is purged within 30 days. Backups roll off within 90 days.
- Aggregated, de-identified analytics may be retained.
8. Sub-processors
We use the following sub-processors. See /subprocessors for the live list with addresses.
| Vendor | Purpose | Region |
|---|---|---|
| Supabase (Postgres, Auth) | Primary database, authentication | US |
| Cloudflare Workers | Application hosting and edge compute | Global |
| Plaid | Bank account connectivity | US |
| Stripe | Subscription billing | US / EU |
| Resend | Transactional email | US |
| Sentry | Error monitoring | US |
9. People & Process
Background checks for engineers, NDA on hire, security training on hire and annually. Code changes require peer review. Secrets are rotated on personnel changes.
10. Reporting a Vulnerability
Report security issues to security@billslash.app. We acknowledge within 1 business day. We do not pursue legal action against good-faith researchers who follow coordinated disclosure. See also security.txt.