FolioTalk Information Security Policy (ISP)
Effective Date: February 21, 2026
Last Updated: February 21, 2026
1. Purpose
This Information Security Policy establishes the security standards, practices, and responsibilities for FolioTalk to protect the confidentiality, integrity, and availability of user data and system resources.
2. Scope
This policy applies to all systems, data, and personnel involved in the development, deployment, and operation of FolioTalk, including:
- Production and staging environments
- Source code repositories
- Third-party service integrations (Plaid, Google OAuth)
- All team members and contractors with system access
3. Data Classification
| Classification | Description | Examples | Handling Requirements |
|---|---|---|---|
| Confidential | Sensitive financial and authentication data | Plaid access tokens, user financial holdings, JWT signing keys | Encrypted at rest and in transit; access restricted to production systems only |
| Internal | Operational data not meant for public disclosure | Server logs, API keys, database credentials | Access restricted to authorized personnel; not shared externally |
| Public | Information intended for public access | Privacy policy, marketing content, public documentation | No special handling required |
4. Encryption Standards
4.1 Data in Transit
- All network communication uses TLS 1.2 or higher
- HTTP Strict Transport Security (HSTS) is enabled
- API endpoints are HTTPS-only; HTTP requests are redirected to HTTPS
4.2 Data at Rest
- Plaid access tokens are encrypted before storage in the database
- Database backups are encrypted
- Encryption keys are managed through the cloud provider's key management service (KMS)
4.3 Key Management
- Encryption keys are stored separately from encrypted data
- Keys are rotated at least annually
- Access to key management systems is restricted to authorized personnel
5. Authentication and Authorization
5.1 User Authentication
- Users authenticate via Google OAuth 2.0 (delegated to Google's identity platform)
- Sessions are managed via short-lived JWT tokens (24-hour expiry)
- No passwords are stored by FolioTalk
5.2 System Authentication
- All third-party API credentials (Plaid, Google) are stored as environment variables or in a secrets management service
- API keys are never committed to source code repositories
- Service-to-service communication uses API keys or OAuth tokens
5.3 Authorization
- API endpoints enforce authentication via middleware (the get_current_user() dependency)
- Users can only access their own data; all queries are scoped by user_id
- Administrative access to production systems follows the principle of least privilege
6. Infrastructure Security
6.1 Production Environment
- Production infrastructure is hosted on a managed cloud platform
- Network access is restricted via firewall rules (only ports 80/443 exposed)
- SSH access to production servers requires key-based authentication
- Production environment is isolated from development/staging
6.2 Dependency Management
- Third-party dependencies are pinned to specific versions
- Dependencies are reviewed for known vulnerabilities before updates
- Unused dependencies are removed promptly
6.3 Source Code Security
- Source code is stored in a private repository
- Code changes require review before merging to the main branch
- Secrets scanning is enabled to prevent accidental credential commits
7. Incident Response
7.1 Incident Classification
| Severity | Description | Examples | Response Time |
|---|---|---|---|
| Critical | Active data breach or system compromise | Unauthorized access to user data, exposed credentials | Immediate (within 1 hour) |
| High | Potential security vulnerability actively exploited | Suspicious API activity, authentication bypass | Within 4 hours |
| Medium | Security vulnerability identified but not exploited | Dependency vulnerability, misconfiguration | Within 24 hours |
| Low | Minor security improvement needed | Log verbosity, non-critical hardening | Within 1 week |
7.2 Incident Response Procedure
- Detection: Identify and confirm the incident through monitoring, alerts, or reports
- Containment: Isolate affected systems to prevent further damage
- Assessment: Determine the scope, impact, and root cause
- Notification:
  - Affected users are notified within 72 hours of a confirmed data breach
  - Plaid is notified per contractual obligations
  - Regulatory authorities are notified as required by law
- Remediation: Fix the root cause and restore affected systems
- Post-Incident Review: Document lessons learned and update security practices
7.3 Plaid-Specific Incident Response
- If Plaid access tokens are compromised, immediately revoke all affected tokens via the Plaid API
- Notify Plaid's security team
- Force re-authentication for affected users
8. Vulnerability Management
- Dependencies are monitored for known vulnerabilities (e.g., via GitHub Dependabot or similar)
- Critical vulnerabilities are patched within 48 hours of discovery
- Regular security reviews of application code are conducted
- Penetration testing is conducted at least annually (or before major releases)
9. Backup and Recovery
- Database backups are performed daily
- Backups are encrypted and stored in a separate location from primary data
- Recovery procedures are tested at least annually
- Recovery Time Objective (RTO): 4 hours
- Recovery Point Objective (RPO): 24 hours
10. Security Awareness
- All team members are required to understand and follow this policy
- Security best practices are documented and reviewed during onboarding
- Policy is reviewed and updated at least annually
11. Compliance
FolioTalk commits to:
- Plaid's security requirements for production data access
- Applicable data protection regulations
- Industry-standard security practices
12. Policy Review
This policy is reviewed and updated:
- At least annually
- After any security incident
- When significant changes to the system architecture are made
13. Contact
Report security concerns or incidents to:
- Email: hello@folio.talk