BalanceUp

BalanceUp Security Policy

Effective Date & Company

Effective Date: August 24, 2025

Last Updated: August 24, 2025

App Name: BalanceUp

Company Name (Owner): QuailSofts LLC

Business Address: 3419 Virginia Beach Blvd, Virginia Beach, VA 23452, United States

This Security Policy defines how BalanceUp ("App"), owned and operated by QuailSofts LLC ("Company"), secures user data, financial information, and infrastructure.

1. Purpose

The purpose of this policy is to establish a framework for securing user data, financial information, and system infrastructure within the BalanceUp platform. It ensures the confidentiality, integrity, and availability of data while maintaining user trust and regulatory compliance.

2. Scope

This policy applies to all systems, infrastructure, employees, contractors, and third-party services used by BalanceUp and operated by QuailSofts LLC.

3. Core Principles

  • Confidentiality: Only authorized users can access sensitive information.
  • Integrity: Data must be accurate and protected from unauthorized changes.
  • Availability: Systems must be maintained to ensure reliable access to services.

4. Data Security Measures

a. Encryption

  • All user data in transit is encrypted using TLS 1.2+.
  • Sensitive data at rest is encrypted with AES-256.
  • Daily encrypted backups of databases.

b. Authentication & Access Control

  • Firebase Authentication secures user sessions and identity.
  • All backend APIs require valid Firebase tokens.
  • Role-Based Access Control (RBAC) restricts admin and support actions.
  • Passwords are hashed using bcrypt with strong salt rounds.

c. Secure APIs

  • All APIs enforce authentication, rate limiting, and strict input validation.
  • Plaid integration is secured with API keys stored in GCP environment variables.
  • OpenAI API for insights is called via secure server-to-server communication.

d. Logging & Monitoring

  • Access logs, error logs, and security events are stored securely.
  • Continuous monitoring with automated alerts for suspicious or unauthorized activity.
  • Audit logs retained for compliance and investigations.

5. Infrastructure Security

a. Hosting (Google Cloud Platform)

  • Cloud Run hosts backend services (separate dev and prod instances).
  • Cloud SQL (Postgres) with VPC isolation and automated encryption.
  • IAM with least-privilege roles to restrict access.
  • Regular security patches and daily backups.

b. CI/CD Security

  • Source control managed in Bitbucket with branch protection.
  • Deployment pipelines use secured environment variables and tokens.
  • Peer-reviewed code before deployment to production.

6. User Data Protection

  • Users can delete their accounts and data via in-app settings.
  • Data retention is governed by the Data Deletion and Retention Policy.
  • BalanceUp never sells user data to third parties.
  • Plaid-linked financial data is tokenized and never directly exposed to BalanceUp staff.

7. Device & App-Level Security

  • Mobile apps enforce SSL certificate pinning to prevent MITM attacks.
  • Sensitive local storage (e.g., tokens) is encrypted.
  • Jailbreak/root detection flags insecure environments.
  • Session timeouts and re-authentication required for sensitive actions.

8. Incident Response

  • Incident response plan activates within 24 hours of discovery.
  • Users are notified of breaches or incidents within 72 hours.
  • Postmortem reports are documented, reviewed, and used to improve security controls.

9. Third-Party Vendor Management

  • Vendors (e.g., Plaid, OpenAI, Firebase, GCP) undergo security reviews.
  • Only vendors with recognized certifications (SOC 2, ISO 27001, etc.) are engaged.
  • Contracts require compliance with GDPR, CCPA, and financial data handling standards.

10. Compliance & Review

  • BalanceUp complies with GDPR, CCPA, and App Store/Play Store security requirements.
  • Policy is reviewed annually or after major platform updates or incidents.
  • Documentation of compliance is maintained for audits and investor transparency.