[{"data":1,"prerenderedAt":477},["ShallowReactive",2],{"\u002Fsecurity":3},{"id":4,"title":5,"body":6,"description":469,"extension":470,"meta":471,"navigation":472,"path":473,"seo":474,"stem":475,"__hash__":476},"content\u002Fsecurity.md","Information Security Policy",{"type":7,"value":8,"toc":448},"minimark",[9,13,32,43,46,51,54,67,70,72,76,106,108,112,117,124,128,148,152,166,168,172,202,204,208,227,229,233,282,284,288,291,317,320,322,326,334,336,340,343,376,386,388,392,400,402,406,425,427,431,438,440],[10,11,5],"h1",{"id":12},"information-security-policy",[14,15,16,20,21,20,24,27,28,31],"p",{},[17,18,19],"strong",{},"Effective date:"," 12 June 2026\n",[17,22,23],{},"Last updated:",[17,25,26],{},"Owner:"," Founder & Security Lead, BMRTECKBUSINESS LLC\n",[17,29,30],{},"Review cadence:"," at least annually, and after any significant change or incident.",[14,33,34,35,38,39,42],{},"This document describes the information security program for ",[17,36,37],{},"BMRTECKBUSINESS LLC"," and the ",[17,40,41],{},"Piggy"," application (\"the App\"). It governs how we protect our systems and the data of our users.",[44,45],"hr",{},[47,48,50],"h2",{"id":49},"_1-purpose-and-scope","1. Purpose and scope",[14,52,53],{},"The purpose of this policy is to protect the confidentiality, integrity, and availability of:",[55,56,57,61,64],"ul",{},[58,59,60],"li",{},"User personal data and bank-connection credentials;",[58,62,63],{},"Our production systems, source code, and infrastructure;",[58,65,66],{},"Third-party integrations (financial data providers, payments, messaging).",[14,68,69],{},"It applies to all personnel, contractors, systems, and environments (development, staging, production) operated by us.",[44,71],{},[47,73,75],{"id":74},"_2-security-principles","2. Security principles",[55,77,78,88,94,100],{},[58,79,80,83,84,87],{},[17,81,82],{},"Data minimization."," We collect and retain the least data necessary. We ",[17,85,86],{},"do not store"," user transactions, balances, incomes, or expenses on our servers — financial data is retrieved on demand and delivered to the user's device.",[58,89,90,93],{},[17,91,92],{},"Least privilege."," Access to systems and data is granted only as needed to perform a task.",[58,95,96,99],{},[17,97,98],{},"Defense in depth."," We layer controls (network, application, data, identity).",[58,101,102,105],{},[17,103,104],{},"Secure by default."," New systems and code follow secure configuration and review practices.",[44,107],{},[47,109,111],{"id":110},"_3-data-protection","3. Data protection",[113,114,116],"h3",{"id":115},"_31-encryption-in-transit","3.1 Encryption in transit",[14,118,119,120,123],{},"All communication between the App, our backend, and third-party providers is encrypted using ",[17,121,122],{},"TLS 1.2 or higher",". Public traffic is delivered over HTTPS via Cloudflare.",[113,125,127],{"id":126},"_32-encryption-at-rest","3.2 Encryption at rest",[55,129,130,141],{},[58,131,132,133,136,137,140],{},"Bank ",[17,134,135],{},"access tokens"," are encrypted at rest using ",[17,138,139],{},"AES-256-GCM"," before being written to the database. They are never returned in API responses.",[58,142,143,144,147],{},"Encryption keys are stored as secrets in our deployment environment, ",[17,145,146],{},"never"," committed to source control, and rotated when warranted.",[113,149,151],{"id":150},"_33-data-we-do-and-do-not-store","3.3 Data we do and do not store",[55,153,154,160],{},[58,155,156,159],{},[17,157,158],{},"Stored (minimal):"," account identifier, encrypted bank access token, institution name\u002FID, connection status, subscription\u002Fentitlement state, device push tokens.",[58,161,162,165],{},[17,163,164],{},"Not stored:"," online banking credentials (never seen by us), bank transactions, balances, incomes, expenses, or other retrieved financial detail.",[44,167],{},[47,169,171],{"id":170},"_4-identity-and-access-management","4. Identity and access management",[55,173,174,184,190,196],{},[58,175,176,179,180,183],{},[17,177,178],{},"Multi-factor authentication (MFA)"," is required on all critical administrative systems (source control, cloud\u002Fhosting, DNS\u002Fnetwork, payments, and the Plaid dashboard). We prefer ",[17,181,182],{},"phishing-resistant"," MFA (passkeys \u002F hardware keys \u002F biometrics) where available.",[58,185,186,189],{},[17,187,188],{},"Role-based access control (RBAC)"," governs access to production systems and the database.",[58,191,192,195],{},[17,193,194],{},"Centralized identity"," (SSO) is used for administrative tooling where supported.",[58,197,198,201],{},[17,199,200],{},"Periodic access reviews"," are performed to confirm access remains appropriate; access is revoked promptly when no longer required.",[44,203],{},[47,205,207],{"id":206},"_5-infrastructure-and-network-security","5. Infrastructure and network security",[55,209,210,217,224],{},[58,211,212,213,216],{},"Production services run in isolated containers; the database is ",[17,214,215],{},"not exposed to the public internet"," and is reachable only within the internal network.",[58,218,219,220,223],{},"Public ingress is fronted by ",[17,221,222],{},"Cloudflare",", providing TLS termination and network protection.",[58,225,226],{},"Secrets and credentials are managed through environment-level secret storage, not in code.",[44,228],{},[47,230,232],{"id":231},"_6-secure-development-and-vulnerability-management","6. Secure development and vulnerability management",[55,234,235,246,256,262,268],{},[58,236,237,240,241,245],{},[17,238,239],{},"Dependency scanning:"," automated vulnerability scanning of backend dependencies (e.g. ",[242,243,244],"code",{},"govulncheck"," and Dependabot) is enabled.",[58,247,248,251,252,255],{},[17,249,250],{},"Patching SLA:"," identified vulnerabilities are remediated within a defined timeframe — ",[17,253,254],{},"critical within 7 days",", high within 30 days, others as prioritized.",[58,257,258,261],{},[17,259,260],{},"End-of-life monitoring:"," we track runtime, base image, and dependency versions and address end-of-life software.",[58,263,264,267],{},[17,265,266],{},"Code review:"," changes are reviewed before deployment to production.",[58,269,270,273,274,277,278,281],{},[17,271,272],{},"Secrets hygiene:"," ",[242,275,276],{},".env"," and credential files are excluded from source control via ",[242,279,280],{},".gitignore",".",[44,283],{},[47,285,287],{"id":286},"_7-third-party-vendor-security","7. Third-party \u002F vendor security",[14,289,290],{},"We rely on reputable providers and review their security posture:",[55,292,293,299,305,311],{},[58,294,295,298],{},[17,296,297],{},"Financial data providers:"," Plaid.",[58,300,301,304],{},[17,302,303],{},"Infrastructure:"," our server host and Cloudflare.",[58,306,307,310],{},[17,308,309],{},"Payments:"," RevenueCat and the Apple App Store \u002F Google Play.",[58,312,313,316],{},[17,314,315],{},"Messaging:"," Google Firebase.",[14,318,319],{},"We integrate using least-privilege credentials and the providers' recommended security practices.",[44,321],{},[47,323,325],{"id":324},"_8-logging-and-monitoring","8. Logging and monitoring",[55,327,328,331],{},[58,329,330],{},"Application and access logs are retained to support operations, troubleshooting, and incident investigation.",[58,332,333],{},"Logs are scoped to avoid storing sensitive financial data.",[44,335],{},[47,337,339],{"id":338},"_9-incident-response","9. Incident response",[14,341,342],{},"In the event of a suspected security incident or data breach:",[344,345,346,352,358,364,370],"ol",{},[58,347,348,351],{},[17,349,350],{},"Contain"," — isolate affected systems and revoke compromised credentials\u002Fkeys.",[58,353,354,357],{},[17,355,356],{},"Assess"," — determine scope, root cause, and data impact.",[58,359,360,363],{},[17,361,362],{},"Remediate"," — patch, rotate secrets, and restore secure operation.",[58,365,366,369],{},[17,367,368],{},"Notify"," — inform affected users and relevant authorities\u002Fpartners (including Plaid) as required by law and contract, without undue delay.",[58,371,372,375],{},[17,373,374],{},"Review"," — conduct a post-incident review and update controls.",[14,377,378,379,281],{},"Security concerns can be reported to ",[17,380,381],{},[382,383,385],"a",{"href":384},"mailto:contact@bmrteck.com","contact@bmrteck.com",[44,387],{},[47,389,391],{"id":390},"_10-business-continuity","10. Business continuity",[55,393,394,397],{},[58,395,396],{},"Database backups are performed and access to restore is restricted.",[58,398,399],{},"Critical configuration and secrets are recoverable through our secret-management process.",[44,401],{},[47,403,405],{"id":404},"_11-responsibilities-and-review","11. Responsibilities and review",[55,407,408,415,422],{},[58,409,410,411,414],{},"The ",[17,412,413],{},"Founder & Security Lead"," owns this policy and the security program.",[58,416,417,418,421],{},"This policy is reviewed ",[17,419,420],{},"at least annually"," and after material changes or incidents.",[58,423,424],{},"All personnel and contractors are expected to follow it.",[44,426],{},[47,428,430],{"id":429},"_12-remediation-commitment-plaid","12. Remediation commitment (Plaid)",[14,432,433,434,437],{},"We commit to remediating any security gaps identified by our partners, including ",[17,435,436],{},"Plaid",", within a reasonable timeframe as part of ongoing security diligence.",[44,439],{},[14,441,442,273,445,447],{},[17,443,444],{},"Contact:",[382,446,385],{"href":384}," · BMRTECKBUSINESS LLC",{"title":449,"searchDepth":450,"depth":450,"links":451},"",2,[452,453,454,460,461,462,463,464,465,466,467,468],{"id":49,"depth":450,"text":50},{"id":74,"depth":450,"text":75},{"id":110,"depth":450,"text":111,"children":455},[456,458,459],{"id":115,"depth":457,"text":116},3,{"id":126,"depth":457,"text":127},{"id":150,"depth":457,"text":151},{"id":170,"depth":450,"text":171},{"id":206,"depth":450,"text":207},{"id":231,"depth":450,"text":232},{"id":286,"depth":450,"text":287},{"id":324,"depth":450,"text":325},{"id":338,"depth":450,"text":339},{"id":390,"depth":450,"text":391},{"id":404,"depth":450,"text":405},{"id":429,"depth":450,"text":430},"Effective date: 12 June 2026\nLast updated: 12 June 2026\nOwner: Founder & Security Lead, BMRTECKBUSINESS LLC\nReview cadence: at least annually, and after any significant change or incident.","md",{},true,"\u002Fsecurity",{"title":5,"description":469},"security","_E-KXGOKXVfo8_Kk4i9GCf7-exIlze4KFXCZFD_gLRw",1781736228986]