Security Policy

Last updated: March 30, 2026

At Nora Financial, protecting consumer financial data is our highest priority. This page describes our documented information security program, the controls we have in place, and how to report a security concern.

1. Information Security Program

Nora Financial maintains a formal Information Security Policy that governs how we identify, mitigate, and monitor security risks across all systems that store or process consumer data. This program is reviewed annually and updated as our systems and threat landscape evolve.

Our security program covers:

  • Risk identification and assessment procedures
  • Access control and identity management
  • Data encryption (in transit and at rest)
  • Vulnerability and patch management
  • Incident detection and response
  • Vendor and third-party risk management
  • Employee security awareness
  • Business continuity and disaster recovery

2. Identity and Access Management

2.1 Internal Access Controls

  • Least privilege principle: Team members are granted only the minimum access required to perform their job functions. Access is reviewed periodically and revoked upon role change or departure.
  • Role-based access control (RBAC): Access to production systems, databases, and cloud infrastructure is controlled through role-based permissions.
  • Multi-factor authentication (MFA): MFA is required for all team members accessing production systems, cloud infrastructure (Vercel), source code repositories (GitHub), and any system storing consumer financial data.
  • Audit logging: All access to production assets is logged. Logs are retained for a minimum of 90 days.

2.2 Consumer Account Security

  • Consumer passwords are hashed using bcrypt with a minimum cost factor of 12
  • Multi-factor authentication is available to consumers and strongly recommended
  • Session tokens are cryptographically signed JSON Web Tokens (JWTs) with a 30-day expiry, and session activity is logged
  • Account activity notifications are sent for logins from new devices or locations

3. Infrastructure and Network Security

3.1 Data in Transit

  • All client-to-server communication is encrypted using TLS 1.2 or higher (TLS 1.3 preferred)
  • HTTP Strict Transport Security (HSTS) is enforced on all endpoints
  • Certificates are provisioned and auto-renewed through our hosting provider (Vercel)
  • Weak cipher suites and deprecated TLS versions (1.0, 1.1) are disabled

3.2 Data at Rest

  • Consumer financial data and personally identifiable information (PII) are encrypted at rest using AES-256
  • Database encryption is enforced at the storage layer through our managed database provider
  • Backups are encrypted using the same standard and stored in geographically separate locations
  • We never store bank credentials — financial account linking is handled entirely by Plaid

3.3 Cloud Infrastructure

  • Application infrastructure is hosted on Vercel (SOC 2 Type II compliant)
  • Network access to databases is restricted by firewall rules (IP allowlisting)
  • Production and development environments are strictly separated
  • Infrastructure configuration is managed as code and version-controlled

4. Development and Vulnerability Management

4.1 Secure Development Practices

  • All code changes are reviewed via pull request before merging to production
  • Automated dependency vulnerability scanning (npm audit, Dependabot) runs on every commit
  • Security-sensitive code changes undergo additional manual review
  • OWASP Top 10 risks are considered during development and code review

4.2 Vulnerability Management

  • Dependencies are monitored continuously for known vulnerabilities (CVEs)
  • Critical and high severity vulnerabilities are patched within 7 days of discovery
  • Medium severity vulnerabilities are addressed within 30 days
  • Security patches for the operating system and runtime are applied promptly

5. Incident Response

We maintain an Incident Response Plan that outlines procedures for detecting, containing, investigating, and recovering from security incidents. In the event of a data breach:

  • Affected consumers will be notified within 72 hours of discovery (or as required by applicable law)
  • Notifications will describe the nature of the incident, data involved, and steps taken
  • Regulatory notifications will be made as required by applicable data protection laws
  • A post-incident review will be conducted to prevent recurrence

6. Third-Party and Vendor Security

All third-party service providers with access to consumer data are evaluated for security posture before engagement and are bound by data processing agreements (DPAs). Key partners include:

  • Plaid Technologies, Inc. — PCI DSS compliant, SOC 2 Type II certified financial data connectivity provider
  • Vercel, Inc. — SOC 2 Type II certified cloud hosting provider

7. Privacy and Data Governance

Our data governance practices are detailed in our Privacy Policy, including:

  • Data collection and use limitations (data minimization)
  • Defined retention periods and secure deletion procedures
  • Consumer rights (access, correction, deletion, portability)
  • Explicit consent obtained before processing financial data through Plaid Link
  • Annual review of retention and deletion policies

8. Responsible Disclosure

We welcome security researchers to responsibly disclose vulnerabilities. If you discover a security issue, please report it to us privately before public disclosure:

Report a Security Vulnerability

Email: security@nora-financial.com

Please include a detailed description of the vulnerability, steps to reproduce, and potential impact. We will acknowledge receipt within 48 hours and keep you informed of our progress.