Security Policy

Last Updated: February 3, 2026


Your financial data security is our top priority. This page outlines the security measures we implement to protect your information.

1. Encryption

Data In Transit
  • TLS 1.3 encryption
  • All API calls encrypted
  • Tailscale WireGuard VPN
Data At Rest
  • AES-128 encryption for sensitive fields
  • Plaid tokens encrypted
  • Full-disk encryption (FileVault)

2. Authentication & Access Control

  • Password Security: PBKDF2-SHA256 with 320,000 iterations
  • Multi-Factor Authentication: TOTP-based 2FA available
  • Session Management: 1-hour timeout, secure cookies
  • Login Monitoring: Real-time alerts for all login events
  • CSRF Protection: Enabled on all forms
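As an added illustration (example code, not FinTrackGo's own), the following shows how a PBKDF2-SHA256 password hash with 320,000 iterations is produced and verified in Python's standard library, and how a stored hash can be checked against that iteration floor so weaker hashes are re-hashed on the next successful login. The "pbkdf2_sha256$iterations$salt$digest" layout mirrors Django's hasher; the salt generator and the helper names are this example's own choices.

```python
import base64
import hashlib
import hmac
import secrets

# Iteration floor stated in the policy above.
POLICY_ITERATIONS = 320_000
ALGORITHM = "pbkdf2_sha256"


def make_password(password: str, iterations: int = POLICY_ITERATIONS, salt: str = "") -> str:
    """Return a hash in the 'pbkdf2_sha256$<iterations>$<salt>$<base64 digest>' layout.

    The salt is a per-password random value; it is stored alongside the digest
    so the same derivation can be repeated at verification time.
    """
    salt = salt or secrets.token_urlsafe(16)  # example's own salt source; never contains '$'
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), iterations)
    return f"{ALGORITHM}${iterations}${salt}${base64.b64encode(digest).decode()}"


def check_password(password: str, encoded: str) -> bool:
    """Re-derive the digest with the stored parameters and compare in constant time."""
    parts = encoded.split("$", 3)
    if len(parts) != 4 or parts[0] != ALGORITHM:
        return False
    _, iterations, salt, stored_digest = parts
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), int(iterations))
    # hmac.compare_digest avoids leaking where the two strings first differ.
    return hmac.compare_digest(base64.b64encode(digest).decode(), stored_digest)


def needs_rehash(encoded: str) -> bool:
    """True when a stored hash is below the policy's iteration count (or a different scheme).

    A login flow would call this after a successful check and store a fresh hash.
    """
    parts = encoded.split("$", 3)
    return len(parts) != 4 or parts[0] != ALGORITHM or int(parts[1]) < POLICY_ITERATIONS
```

A deployment that raises the iteration count later keeps old hashes verifiable (the count is stored with the hash), and needs_rehash flags them for upgrade the next time the user authenticates.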

3. Plaid Integration Security

We never see your bank credentials.
  • Authentication handled directly by Plaid
  • We only receive read-only access tokens
  • Tokens encrypted with AES-128 before storage
  • Cannot initiate transactions or transfers
  • You can revoke access anytime

4. OWASP Top 10 Protections

Vulnerability                Protection
SQL Injection                Parameterized queries (Django ORM)
XSS                          Template auto-escaping
CSRF                         Django CSRF middleware
Broken Authentication        MFA, session management
Sensitive Data Exposure      Field-level encryption
Security Misconfiguration    Hardened settings
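As an added example (not FinTrackGo's code), the first row of the table is shown below in runnable form: a lookup built by string formatting beside the parameterized version, run against a constructed in-memory SQLite table. The sample rows and function names are this example's own; the Django ORM's filter() calls produce the parameterized form on the right.

```python
import sqlite3


def demo_db() -> sqlite3.Connection:
    """In-memory table with constructed sample rows (not real account data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (id INTEGER PRIMARY KEY, owner TEXT, balance INTEGER)")
    conn.executemany(
        "INSERT INTO accounts (owner, balance) VALUES (?, ?)",
        [("alice", 1200), ("bob", 850), ("carol", 40)],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, owner: str) -> list:
    # The caller's text becomes part of the SQL statement itself, so a quote
    # in the input changes the query's structure instead of being matched as data.
    query = f"SELECT owner, balance FROM accounts WHERE owner = '{owner}'"
    return conn.execute(query).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, owner: str) -> list:
    # The statement is fixed; the value is bound separately by the driver and
    # can only ever be compared against the owner column.
    return conn.execute(
        "SELECT owner, balance FROM accounts WHERE owner = ?", (owner,)
    ).fetchall()


def compare(payload: str = "' OR '1'='1") -> tuple:
    """Run the same attacker-style input through both lookups.

    Returns (rows from vulnerable query, rows from parameterized query).
    """
    conn = demo_db()
    return lookup_vulnerable(conn, payload), lookup_parameterized(conn, payload)
```

With the classic payload the formatted query matches every row in the table, while the parameterized query returns nothing because no owner is literally named "' OR '1'='1".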

5. Incident Response

In the event of a security incident:

  • Immediate containment and investigation
  • Affected users notified within 72 hours
  • Plaid notified immediately
  • Post-incident review and improvements

6. Your Security Responsibilities

  • Use a strong, unique password
  • Enable two-factor authentication
  • Don't share your login credentials
  • Log out when using shared devices
  • Report suspicious activity immediately

7. Report a Vulnerability

If you discover a security vulnerability, please report it responsibly:

  • Email: support@fintrackgo.com
  • Include detailed steps to reproduce
  • We will acknowledge within 24 hours

Full security documentation available upon request for compliance purposes.