Zero Trust Architecture Policy

Effective Date: April 23, 2026

1. Purpose

This policy defines VaultKeeper's zero trust access architecture, ensuring that no user, device, or service is implicitly trusted regardless of network location.

2. Core Principles

• Never Trust, Always Verify: Every request is authenticated and authorized, regardless of origin
• Least Privilege Access: Access is granted at the minimum level required for the task
• Assume Breach: Systems are designed assuming that any component may be compromised
• Explicit Verification: Identity, device, and context are verified for every access attempt

3. Implementation

3.1 Application Layer

• All API requests to the Cloudflare Worker require a valid Firebase Authentication JWT token in the Authorization header
• The Worker validates the token on every request — no session cookies, no persistent server-side sessions
• Firebase Security Rules enforce per-user data isolation at the database level, independent of application logic
• Bank access tokens are stored server-side (Cloudflare KV) and never transmitted to the client

3.2 Infrastructure Layer

• No VPN or private network — all services are accessed via public APIs with authentication
• Cloudflare Workers are stateless and serverless; no persistent server to compromise
• No SSH, no remote shell access to production systems
• Teller API access uses mutual TLS (mTLS), requiring both client and server certificate validation

3.3 Identity and Authentication

• Centralized identity via Firebase Authentication for all consumer-facing access
• MFA required for all internal/administrative access (Firebase Console, Cloudflare Dashboard, Plaid Dashboard, GitHub)
• Short-lived tokens: Firebase Auth tokens expire after 1 hour and are automatically refreshed
• No shared credentials or service accounts for human access

3.4 Data Access

• Data access is scoped per-user via Firebase Security Rules — no global read/write access
• Household sharing is explicitly opted-in and enforced at the database rule level
• API endpoints validate user identity and scope data access to the authenticated user's data only
• Cross-user data access is architecturally impossible without explicit household membership

3.5 Network Security

• All traffic encrypted with TLS 1.2+ (enforced by Cloudflare and Firebase)
• HTTPS-only — no plaintext HTTP endpoints
• Cloudflare provides automatic DDoS protection, WAF, and bot management at the edge
• No internal network to protect — fully edge/cloud-native architecture

4. Monitoring and Verification

• Firebase Authentication logs track all sign-in events
• Cloudflare analytics monitor request patterns and anomalies
• Failed authentication attempts are logged and monitored
• Access reviews verify that zero trust principles remain in effect (see Access Review Policy)

5. Policy Review

This policy is reviewed at least annually or when architectural changes are made to the system.