This Information Security Policy establishes the security practices and controls for Money Ball, a mobile personal finance application. It applies to all systems, data, and processes involved in the development, operation, and maintenance of the Money Ball application and its backend infrastructure.
Money Ball is currently developed and operated by a single individual:
Ben Gillen is solely responsible for all information security decisions, implementation, monitoring, and incident response. This policy is reviewed at least annually and updated as the organization grows.
Access to production systems, infrastructure, and sensitive data is restricted to authorized personnel only. As a single-developer organization, access is inherently limited to the Founder. No third-party contractors or employees currently have access to production systems.
Access is granted only to the systems and data necessary to perform a given function. External services (e.g., Plaid, cloud hosting providers) are granted only the minimum required permissions via scoped API keys.
MFA is enforced on all administrator and developer accounts that have access to critical systems, including:
| Classification | Description | Examples |
|---|---|---|
| Confidential | Sensitive consumer financial data | Bank account data, transaction history, Plaid tokens |
| Internal | Operational data | App analytics, logs |
| Public | Publicly available | Marketing materials, privacy policy |
All data transmitted between the Money Ball mobile application and backend servers is encrypted using TLS 1.2 or higher. All API calls to third-party services (including Plaid) are made over HTTPS.
Consumer financial data received from the Plaid API is encrypted at rest using AES-256 encryption provided by the managed database/cloud service in use. Database-level encryption is enabled for all data stores containing consumer financial information.
Third-party services used by Money Ball are evaluated for security practices prior to integration. Current integrations include:
Dependencies are regularly audited using npm audit to identify and remediate known vulnerabilities in third-party packages. Critical vulnerabilities are patched promptly upon discovery.
All production code changes are manually reviewed and tested against a staging environment prior to production release.
The application is tested for common vulnerabilities (OWASP Top 10) during development and prior to each release, with focus on injection attacks, authentication weaknesses, and insecure data exposure.
In the event of a suspected or confirmed security incident:
Security contact: gillen.ben3@gmail.com
Consumer data is retained only as long as necessary to provide the Money Ball service. Upon account deletion, consumer data is purged from production systems within 30 days. Full retention practices are described in the Money Ball Privacy Policy and Data Retention Policy.
Development work is performed on password-protected devices with full-disk encryption enabled. Devices are locked when unattended.
This policy is reviewed annually or whenever significant changes occur to the application, infrastructure, or regulatory environment. Updates are documented with a revised effective date.