Security Documentation

Last Updated: May 2025

HouseMunny is committed to maintaining the highest standards of security and data protection. This document outlines our comprehensive security controls and policies.

1. Data Encryption Practices

✅ IMPLEMENTED

  • Data in Transit: All communications use TLS 1.2+ encryption
  • Data at Rest: AES-256-GCM encryption for all sensitive data
  • Field-Level Encryption: Personal data, financial information, and API tokens are encrypted at the database level
  • Key Management: Encryption keys are securely managed through environment variables

2. Vulnerability Scanning

✅ IMPLEMENTED

  • Automated Scanning: GitHub Dependabot monitors dependencies for vulnerabilities
  • Regular Audits: Monthly dependency audits using yarn audit
  • Current Status: No critical vulnerabilities detected
  • SLA: Critical vulnerabilities patched within 7 days, medium within 30 days (see Section 6 for the full schedule)

3. Zero Trust Architecture

✅ IMPLEMENTED

  • Authentication Required: All application routes require authentication
  • No Hardcoded Secrets: All sensitive data stored in environment variables
  • Database Isolation: Database access restricted to application backend only
  • API Security: Internal APIs protected with bearer token authentication

4. Centralized Identity & Access Management

✅ IMPLEMENTED

  • Single Sign-On: Google OAuth integration for user authentication
  • Password Management: Secure password storage using Firebase Authentication
  • Access Control: Role-based access through centralized user management
  • Session Management: JWT-based sessions with 30-day expiration

5. Secure Tokens and Certificates

✅ IMPLEMENTED

  • OAuth Implementation: Secure OAuth 2.0 flow with Google
  • API Token Security: Plaid access tokens encrypted at rest
  • SSL Certificates: Production database connections use client certificates
  • Two-Factor Authentication: Optional TOTP-based 2FA available for users who choose to enable it

6. Vulnerability Patching SLA

✅ DEFINED

  • Critical Vulnerabilities: Patched within 7 days
  • High Vulnerabilities: Patched within 14 days
  • Medium Vulnerabilities: Patched within 30 days
  • Low Vulnerabilities: Patched within 90 days

7. End-of-Life Software Monitoring

✅ IMPLEMENTED

  • Quarterly Reviews: All dependencies and software versions reviewed quarterly
  • Automated Monitoring: GitHub Dependabot alerts for outdated packages
  • Upgrade Policy: EOL software upgraded within 30 days of identification
  • Current Status: All major dependencies are actively maintained

8. Information Security Policy

✅ ESTABLISHED

  • Data Classification: Financial data classified as highly sensitive
  • Encryption Standards: AES-256 encryption for all sensitive data
  • Access Controls: Principle of least privilege enforced
  • Backup Policy: Automated daily backups with encryption
  • Retention Policy: Data retained per legal requirements and user consent

9. Access Control Policy

✅ IMPLEMENTED

  • User Authentication: Multi-factor authentication available (TOTP-based 2FA optional)
  • Administrative Access: Limited admin roles for currency rate management only
  • API Access: Bearer token authentication for all internal APIs
  • Database Access: Restricted to application layer only
  • Secret Management: All secrets stored in secure environment variables

10. Role-Based Access Control (RBAC)

✅ IMPLEMENTED

  • User Roles: Standard users and admin users, each with distinct permissions
  • Data Isolation: Users can only access their own financial data
  • Administrative Functions: Restricted to admin role holders
  • API Permissions: Role-based API access controls implemented

11. Periodic Access Reviews

✅ SCHEDULED

  • Quarterly Reviews: All user access and permissions reviewed quarterly
  • Administrative Access: Admin access reviewed monthly
  • Service Accounts: API keys and service accounts audited quarterly
  • Documentation: All access reviews documented and tracked

12. Automated Access Deprovisioning

✅ IMPLEMENTED

  • User Account Deletion: Automated process for user-requested account deletion
  • Session Management: Automatic session expiration and cleanup
  • Access Revocation: Immediate access revocation upon role termination
  • Data Cleanup: Secure data deletion following retention policies

13. AI Usage and Data Protection

✅ IMPLEMENTED

  • Limited AI Integration: OpenAI's API used solely for categorizing Plaid-imported transactions
  • Scope Limitation: AI processing only applies to bank-imported transactions, not manually added ones
  • Data Minimization: Only non-sensitive text data (transaction labels) sent to AI service
  • No Personal Data Sharing: No personal information, financial amounts, or identifiable data transmitted
  • User Control: Users can review and modify any AI-assigned categorization at any time
  • No Profiling: AI is not used for user profiling or automated decision-making with legal effects
  • Transparency: All AI categorizations are clearly visible and editable by users

Contact Us

If you have any questions about this Security Documentation or our security practices, please contact us at: guilherme@housemunny.com