Information Security Policy

Effective Date: April 23, 2026

1. Purpose

This Information Security Policy (ISP) establishes the security framework for VaultKeeper to protect the confidentiality, integrity, and availability of all information assets: consumer financial data entered manually or imported via Plaid / Teller, subscription state managed by RevenueCat and Apple, AI chat context sent to Anthropic, and operational metadata in Firebase and Cloudflare.

2. Scope

This policy applies to all systems, services, and personnel involved in the development, deployment, and operation of VaultKeeper, including cloud infrastructure, third-party integrations, client applications (iOS native + web PWA), and data processing activities.

3. Security Principles

• Least Privilege: Access to systems and data is granted on a need-to-know basis with minimum necessary permissions. Bank connection operations are restricted to the household owner.
• Defense in Depth: Multiple layers of security controls — Firebase rules, Worker-level auth, service-account token exchange, and client-side gates — protect against threats at each level.
• Zero Trust: No implicit trust is granted based on network location. All API requests verify Firebase ID tokens; subscription state is never trusted from the client. See our Zero Trust Policy.
• Encryption by Default: All data in transit uses TLS 1.2+. Data at rest is encrypted by the underlying managed service (Firebase, Cloudflare KV, GCS backup bucket).
• Server as source of truth for entitlement: The client never writes to the subscription node. Webhook-authenticated server paths are the only writers.

4. Authentication and Access Control

Multi-factor authentication (MFA) is required on all administrative accounts: Apple Developer, App Store Connect, Firebase Console, Cloudflare Dashboard, RevenueCat Dashboard, Anthropic Console. Role-based access control (RBAC) governs access to production systems and third-party service dashboards. See our Access Control Policy for details.

End-user authentication is handled by Firebase Auth (email/password, Google, or Apple Sign-In) with optional app-level TOTP two-factor authentication and passcode / Face ID / Touch ID device-level lock.

5. Data Protection

5.1 Consumer data tiering

• Confidential — bank access tokens (Plaid / Teller), API secrets (Anthropic key, RevenueCat webhook secret, Firebase service-account JSON), authentication credentials, TOTP secrets, app-lock passcodes.
• Sensitive — transaction data, account balances, user financial information, household membership.
• Internal — application configuration, deployment settings, Worker env vars.
• Public — published policies, shared-wallet mirror pages (world-readable by design with user-controlled revocation), application UI assets.

5.2 Bank data (Plaid / Teller)

Bank access tokens are stored exclusively in Cloudflare Workers KV with encryption at rest and are never exposed to client-side code. Firebase Security Rules enforce per-user isolation on bankMappings, tightening to $uid === auth.uid for both read and write so household members cannot touch the owner's bank configuration. Teller production traffic uses mutual TLS (mTLS) certificate binding in the Worker.

5.3 Subscription state

The users/{uid}/subscription Firebase node is the single source of truth for premium entitlement. It is locked to admin-only writes via .validate: false; authenticated clients cannot self-grant premium. Writes come only from:

• RevenueCat's webhook, verified by shared secret against REVENUECAT_WEBHOOK_SECRET, then writing via Firebase Admin REST with a service-account-signed JWT.
• Apple's App Store Server Notifications V2, verified by validating the JWS signature against the leaf X.509 certificate from the notification header, then writing through the same service-account path.
• Firebase Console manual edits (admin override isPremiumOverride).

Both webhook paths use constant-time string comparison for secret verification to prevent timing attacks.

5.4 AI chat

VaultKeeper AI is consent-gated at the per-user level. Before any data is sent to Anthropic:

• Server verifies the caller's Firebase ID token.
• Server verifies the caller is premium (effectivelyPremium).
• Server enforces the monthly cap (100 messages / user / UTC month) and per-minute burst cap (10 messages / minute).
• Client builds a sanitized context that explicitly excludes user IDs, bank token fingerprints, household emails, and share tokens.
• Anthropic's API is invoked with cache_control: ephemeral on the context block to reduce token cost. Anthropic retains API payloads for up to 30 days for trust & safety and does not use them for training.

5.5 Credential management

API keys, secrets, and tokens are managed through Cloudflare Workers secrets (not environment variables). No credentials are committed to source code. Firebase service-account JSON is kept exclusively as a Wrangler secret and never lands in git or the repo. The RevenueCat public API key ships in the client binary (safe by design; the corresponding private key lives only on the Worker side). Secrets are rotated on discovery of potential exposure or as part of scheduled reviews.

6. Infrastructure Security

• Application hosted on Cloudflare Workers (global edge runtime with built-in DDoS protection, no addressable origin servers).
• Database hosted on Google Firebase Realtime Database in us-central1 with managed security rules, daily backups to a private GCS bucket (vaultkeeper-effeb-default-rtdb-backups), and client-side offline persistence with encrypted on-device cache.
• All endpoints served over HTTPS with TLS 1.2+. HSTS enforced via Cloudflare.
• Teller production integration uses mutual TLS (mTLS) client certificate binding (TELLER_CERT).
• No direct server access; all infrastructure is serverless / managed. No SSH, no long-running processes, no persistent storage the dev team manages directly.
• Crash reporting via Firebase Crashlytics collects anonymized user ID (UID only, never email) and stack traces; 90-day retention.

7. Client-Side Security

• Native iOS app: optional 4-digit passcode lock, Face ID / Touch ID, TOTP two-factor auth. Privacy cover hides financial data in the iOS app-switcher snapshot.
• Lock re-arms only on scenePhase == .background; transient .inactive transitions (screenshots, Control Center pulls, notifications) do not force a Face ID re-prompt.
• Web app: WebAuthn for biometric auth where supported, same passcode + TOTP options.
• Deep links use Universal Links (Apple App Site Association) restricted to specific allowed paths.
• Account deletion is user-initiated and fully automated: Worker-side Plaid revocation + KV cleanup, client-side Firebase RTDB multi-path delete, Firebase Auth user deletion, local state clear. All steps are idempotent and failure-recoverable.

8. Incident Response

Security incidents are handled with the following process:

• Detection: Monitor Cloudflare analytics, Firebase alerts, Crashlytics dashboard, RevenueCat event history, Plaid / Teller provider dashboards for anomalies.
• Containment: Revoke compromised credentials immediately (Wrangler secrets, Anthropic API key, Firebase service account, RevenueCat webhook secret, App Store Connect API key). Disable affected integrations.
• Investigation: Review Worker logs (wrangler tail), Firebase Database usage dashboard, Crashlytics issues, Cloudflare access logs. Identify scope and root cause.
• Notification: Notify affected users within 72 hours of confirmed breach. Notify relevant authorities (e.g. GDPR supervisory authority) as required by law.
• Recovery: Restore services, rotate all potentially-exposed credentials, apply hotfixes, redeploy Worker + client apps.
• Post-mortem: Document incident timeline, root cause, lessons learned, and update controls. Post-mortem is retained internally for 7 years.

9. Vulnerability Management

Identified vulnerabilities are patched according to defined SLAs. See our Vulnerability Management Policy for details. Dependencies (Firebase SDK, Plaid Link SDK, Teller, GoogleSignIn, RevenueCat SDK) are tracked for CVE advisories; security updates are applied within 7 days of public disclosure for critical severity.

10. Software Lifecycle

End-of-life software is tracked and replaced before support ends. See our EOL Management Policy. Current major runtime targets: iOS 17.0+ (covers >95% of active iPhones), modern evergreen browsers on web.

11. Change Management

All code changes land on the main branch with commit-author attribution. Web changes deploy to Cloudflare Workers via wrangler deploy; iOS changes ship through the App Store submission + review process. No silent server-side code pushes — every deploy is traceable to a specific commit.

12. Third-Party Risk

Each third-party processor listed in the Privacy Policy is evaluated for security posture: SOC 2 / ISO 27001 attestations, published privacy posture, breach history, and Data Processing Agreements (GDPR Article 28) in place. Anthropic, Cloudflare, Google / Firebase, and Apple each have DPAs; Plaid and Teller have data-handling terms embedded in their commercial agreements.

13. Policy Review

This policy is reviewed and updated at least annually, or whenever significant changes occur to the system architecture or regulatory requirements. Last substantive review: April 23, 2026.