Zands HQ

Information Security Policy

Last updated May 1, 2026.

Purpose

This Information Security Policy (the “policy”) describes how Zands HQ protects, accesses, and operates the data entrusted to it across all of its applications, including Financial Freedom and Peace of Mind.

Scope

This policy covers:

  • The Zands HQ web applications and the source code behind them.
  • The third-party platforms used to operate them: GitHub (source control), Vercel (hosting), Supabase (database), Plaid (financial data), Anthropic (AI categorization).
  • The accounts and credentials used to administer those platforms.

Data classification

Zands HQ classifies data into three tiers and applies controls appropriate to each:

Sensitive

Financial data sourced through Plaid: account and institution metadata, balances, transactions, and credit-card liability details. Treated as confidential. Access is restricted to the authenticated account owner and the operator.

Secret

Application secrets used to operate the system: API keys, the JWT signing key, database credentials, and any third-party certificates or tokens. Stored only in encrypted environment variables on Vercel; never in source control.

Internal

Operational metadata: deploy logs, build artifacts, and non-sensitive configuration. Treated as internal but not secret.

Access control

Production systems are accessed only by the operator of Zands HQ. Each provider account (GitHub, Vercel, Supabase, Plaid, Anthropic, GoDaddy) is authenticated through that provider’s login flow. The operator has multi-factor authentication enabled on every provider account that supports it.

Application access by end users is gated by a password and a signed session cookie. Sessions expire after seven days. There are no shared credentials between users, and no persistent admin accounts beyond the operator’s own.

Encryption

  • In transit: all connections between browsers, our servers, and our vendors use HTTPS with TLS 1.2 or higher. HTTP Strict Transport Security (HSTS) is enforced on the production domain.
  • At rest: Supabase encrypts database storage using AES-256 by default. Plaid access tokens live in this encrypted storage and are accessible only to the application’s service-role connection and the operator.
  • Application secrets: stored as encrypted environment variables on Vercel; never committed to source control.
  • Sessions: browser sessions are HMAC-SHA256 signed JWTs.

Vendor security

Zands HQ relies on the following third-party providers, each responsible for the security of its own platform under its own published security commitments:

  • Plaid — financial-data aggregation. Plaid is the source of bank account, transaction, and liability data; users authenticate to their banks through Plaid’s Link UI.
  • Supabase — Postgres database hosting with encryption at rest and rolling backups.
  • Vercel — application hosting, edge network, encrypted environment variables, and automatic TLS certificate issuance.
  • Anthropic — AI inference for transaction-categorization suggestions. Receives only merchant descriptions, never financial values or account identifiers.
  • GitHub — private source-control hosting and Dependabot vulnerability alerts.
  • GoDaddy — domain registrar. Holds no production data.

Software supply chain

Application dependencies are managed via npm and pinned in package-lock.json. GitHub Dependabot is enabled and notifies the operator of vulnerable dependencies. Security-relevant updates are reviewed and applied on a best-effort basis.

Incident response

If a security incident is suspected — for example, a credential leak, an unauthorized access attempt, or an exploited vulnerability — the operator will:

  1. Identify and contain the issue.
  2. Revoke any compromised credentials within 24 hours of identification.
  3. Notify affected users by email within 72 hours of confirming the incident.
  4. Document the incident and the corrective action taken.

Vulnerability reports may be sent to support@therichlife.com.

Data retention

Account, transaction, and liability data is retained for as long as the corresponding Plaid connection is active. When a user disconnects an account, the associated Plaid access token is revoked at Plaid and the related records are deleted from our database within 24 hours. Backups are retained per Supabase’s standard backup policy.

See the privacy policy for the user-facing description of these practices.

Personnel

Zands HQ has no employees and no contractors today. If this changes, anyone granted production access will be required to use multi-factor authentication, will receive only the permissions necessary for their work, and will be deprovisioned when the engagement ends.

Policy review

This policy is reviewed at least once per year, and whenever a material change occurs to the application, its data flows, or its vendors. The “Last updated” date at the top reflects the most recent revision.

Contact

Questions about this policy or about the security of Zands HQ: support@therichlife.com.