Security Policy

Last updated: February 15, 2026

Security Contact

Gabriel Valerio — Founder & Lead Developer
Email: gabrieljosevalerio1@gmail.com
For responsible disclosure of security vulnerabilities, please email us directly.

Information Security Policy

Famodular maintains a comprehensive information security program designed to identify, mitigate, and monitor information security risks relevant to our business. Our security practices include:

Identity and Access Management

  • Role-Based Access Control (RBAC): Access to production assets is restricted based on user roles. Database access uses Row-Level Security (RLS) policies to ensure users can only access their own data.
  • Multi-Factor Authentication (MFA): TOTP-based two-factor authentication is available for all consumer accounts. MFA is required for access to critical systems that store or process consumer financial data.
  • Session Management: Sessions are JWTs carried in httpOnly, Secure cookies, with a 30-day expiration and automatic token refresh.
  • Password Security: All passwords are hashed with bcrypt, using a per-password random salt and an adaptive cost factor. A minimum password length of 6 characters is enforced (NIST SP 800-63B recommends a minimum of 8).

Infrastructure and Network Security

  • Encryption in Transit: All data is transmitted using TLS 1.2 or higher. HTTP Strict Transport Security (HSTS) is enforced with a max-age of 2 years (63072000 seconds), including subdomains, with preload enabled.
  • Encryption at Rest: Sensitive credentials, including Plaid access tokens, calendar credentials, and consumer financial data received from the Plaid API, are encrypted at rest using AES-256-GCM. GCM is authenticated encryption, so a stored record that has been altered fails to decrypt rather than yielding corrupted plaintext.
  • Content Security Policy: Strict CSP headers are enforced to limit the impact of XSS and other injection attacks and, through the frame-ancestors directive, to prevent clickjacking.
  • Security Headers: X-Content-Type-Options, X-Frame-Options, X-XSS-Protection (a legacy header that current browsers ignore; it is retained for older clients), Referrer-Policy, and Permissions-Policy headers are set on all responses.
  • Database Security: Data is hosted on Supabase with automatic backups, point-in-time recovery, and network-level isolation. Row-Level Security (RLS) is enabled on all tables containing user data.

Development and Vulnerability Management

  • Dependency Scanning: Regular npm audit scans are performed to detect and patch known vulnerabilities in third-party dependencies.
  • Code Review: All code changes undergo review before deployment to production.
  • Secure Development: We follow secure coding practices including input validation, parameterized queries (via Supabase client), and principle of least privilege.
  • Environment Separation: Development, staging, and production environments are kept separate with distinct credentials and configurations.

Data Protection

  • Data Minimization: We only collect data necessary to provide our services.
  • Data Retention: User data is retained only as long as the account is active. Financial transaction data is retained for up to 24 months. Security logs are retained for 90 days. Deleted content is permanently removed within 30 days.
  • Data Deletion: Users can delete their account at any time, which triggers permanent deletion of all associated data including revocation of third-party connections (Plaid).
  • Data Portability: Users can export all their data in JSON format at any time through the account settings.
  • Third-Party Security: Financial data is accessed through Plaid, which maintains SOC 2 Type II certification. Plaid access tokens are encrypted before storage and never exposed in API responses.

Incident Response

In the event of a data breach or security incident, we will:

  • Investigate and contain the incident promptly
  • Notify affected users within 72 hours of discovery
  • Report to relevant regulatory authorities as required by law
  • Take remediation steps to prevent recurrence
  • Maintain an incident log for review and continuous improvement

Responsible Disclosure

If you discover a security vulnerability in our platform, please report it to us at gabrieljosevalerio1@gmail.com. We ask that you:

  • Give us reasonable time to address the issue before public disclosure
  • Do not access or modify other users' data
  • Act in good faith to avoid degradation of our services