This policy establishes the information security requirements for HAMRR ("the Service"), a real estate development and property management SaaS platform operated by Iway Development. It defines controls to protect the confidentiality, integrity, and availability of customer data, including financial data received from third-party integrations such as Plaid.

This policy applies to all production systems, data stores, APIs, serverless functions, and administrative access associated with HAMRR. This includes application infrastructure (Vercel, Supabase), third-party integrations (Plaid, Stripe, WorkOS, Anthropic), and all personnel with access to production systems.

The designated security contact is responsible for: maintaining this policy; monitoring security events; coordinating incident response; conducting periodic access reviews; and managing vulnerability remediation.

Risk assessments are conducted quarterly and upon material changes to infrastructure, integrations, or data handling practices. Assessments evaluate threats to consumer financial data, authentication systems, and data storage.

This policy is reviewed and updated at minimum annually, or upon: material infrastructure changes; new third-party integrations handling financial data; security incidents; or changes to regulatory requirements.

| Control | Implementation |
|---|---|
| Password hashing | bcrypt with 12 rounds, automatic migration from legacy hashes |
| Multi-factor authentication | TOTP-based 2FA with backup codes. Required before accessing Plaid bank linking. |
| Session management | JWT with 24-hour expiry, 5-minute validation polling, 3-strike logout |
| Brute force protection | 10 login attempts per 15 minutes per IP, Cloudflare Turnstile CAPTCHA |
| Midnight session expiry | All sessions terminate at midnight for security hygiene |

| System | Control |
|---|---|
| Vercel (hosting) | MFA-protected account, SSO where available |
| Supabase (database) | MFA-protected account, role-based RLS policies |
| GitHub (source code) | MFA-protected account, branch protections on main |
| Plaid Dashboard | MFA-protected account |
| Stripe Dashboard | MFA-protected account |

The application enforces role-based access at both the API and UI level. Roles: Superadmin, Admin, Manager, Editor, Viewer. Tenant isolation is enforced via JWT claims — each tenant's data key is resolved from the JWT, preventing cross-tenant access at the API layer.

Access reviews are conducted quarterly via the built-in Audit Log (Settings → Audit Log). Reviews verify active users, role assignments, and last activity timestamps. Inactive accounts are deactivated after 90 days.

All client-server communication uses TLS 1.2 or higher, enforced by Vercel's edge network and Cloudflare. API endpoints reject non-HTTPS connections. Supabase connections use TLS-encrypted PostgreSQL.

| Data Type | Encryption |
|---|---|
| Plaid access tokens | AES-256-CBC with per-deployment encryption key |
| API keys (Anthropic, etc.) | AES-256-CBC with per-deployment encryption key |
| Database (Supabase) | AWS-managed encryption at rest (AES-256) |
| Passwords | bcrypt (12 rounds) — not reversible |
| Consumer bank account numbers | Not stored. Only last 4 digits retained for display. |

All API endpoints enforce CORS restricted to the production domain (hamrr.com). No wildcard origins. JWT required on every endpoint except CAPTCHA verification and Stripe webhooks (which use Stripe signature verification).

| Endpoint | Limit |
|---|---|
| Login | 10 / 15 minutes |
| Signup | 5 / hour |
| Data save | 120 / hour |
| AI chat | 60 / hour |
| Plaid operations | 60 / hour |
| Data deletion | 10 / hour |

All code changes are committed to a version-controlled repository (GitHub). Dependencies are audited via npm audit before each deployment. Known vulnerabilities are patched within the following SLAs:

| Severity | Patch SLA |
|---|---|
| Critical | 24 hours |
| High | 7 days |
| Medium | 30 days |
| Low | Next release cycle |

Automated dependency scanning (npm audit) is performed before each deployment. Production assets (serverless functions on Vercel) are patched via dependency updates. Infrastructure vulnerabilities are managed by platform providers (Vercel, Supabase, Cloudflare).

| Classification | Examples | Controls |
|---|---|---|
| Highly Sensitive | Plaid access tokens, encryption keys, passwords | Encrypted at rest, never logged, never exposed to client |
| Sensitive | Bank transactions, balances, account numbers, tenant PII | Encrypted at rest, access-controlled, audit-logged |
| Internal | Project data, milestones, budgets | Tenant-isolated, access-controlled |

| Data Type | Retention Period | Deletion Method |
|---|---|---|
| Bank transactions | 2 years | Automated purge via retention endpoint |
| Audit logs | 7 years | Automated purge |
| Plaid access tokens | Until disconnect | Immediate deletion on disconnect + Plaid item removal |
| Deleted user accounts | 30-day grace period | Full purge after grace period |
| Active account data | Duration of account | Full deletion on account closure |

Users may request deletion of: their financial data (bank connections, transactions); or their entire account. Financial data deletion immediately disconnects Plaid items and purges stored tokens and transactions. Account deletion enters a 30-day grace period before full purge. All deletion actions are audit-logged.

Users may export their data at any time via Settings → Export (CSV/JSON) or via the data export API. Exports include project data, contact data, and financial summaries (transaction detail excluded from bulk export for security).

Plaid access tokens are encrypted at rest (AES-256-CBC). Consumer bank credentials are never transmitted to or stored by HAMRR — authentication occurs entirely within Plaid's secure Link widget. Transaction data is synced via Plaid's incremental sync API and subject to the retention policy above.

Payment processing is delegated to Stripe. HAMRR does not store, process, or transmit credit card numbers. Webhook integrity is verified via Stripe signature verification.

Data is stored in Supabase's managed PostgreSQL on AWS infrastructure, with encryption at rest and in transit. Row-level security policies enforce tenant isolation.

Security events are detected via: the built-in audit trail (dual-write to Supabase + API); error boundary crash logging; rate limit triggers; and failed authentication monitoring.

Upon detection of a security incident: (1) Contain — revoke compromised tokens, rotate secrets; (2) Assess — determine scope of data affected; (3) Notify — inform affected users within 72 hours; (4) Remediate — patch vulnerability, deploy fix; (5) Review — conduct post-incident review and update this policy if needed.

In the event of a data breach involving consumer financial data, affected consumers and Plaid will be notified within 72 hours. Notification will include: nature of the breach; data types affected; remediation steps taken; and consumer protective measures.

This policy supports compliance with: Plaid's security requirements for production API access; applicable state and federal data privacy laws (CCPA, state breach notification laws); and PCI DSS requirements (delegated to Stripe for payment processing).

Document Version 1.0 — March 2026 — Next Review: June 2026