Formation
Back to Formation

Information Security Policy

Version 1.5 Effective: July 7, 2026 Next Review: January 7, 2027

Policy Approval

Approved By Brad Porter, Founder & CEO
Role Information Security Owner
Approval Date July 7, 2026
Review Frequency Semi-annually (every 6 months)

1. Purpose and Objectives

This Information Security Policy ("ISP") establishes the foundation for Formation's information security program. It defines our commitment to protecting the confidentiality, integrity, and availability of all information assets, including consumer financial data accessed through third-party aggregation providers.

1.1 Objectives

2. Scope

This policy applies to:

Out of scope: Data held exclusively by third-party providers (e.g., data stored only on Plaid's infrastructure) is governed by their respective security policies. This policy governs data once it enters Formation's systems.

3. Roles and Accountability

Role Responsible Party Responsibilities
Information Security Owner Brad Porter, Founder & CEO Overall accountability for the security program; approves policies; allocates resources; serves as primary security contact
Security Operations Brad Porter Day-to-day security operations; vulnerability management; incident response; access control administration
Development Security Brad Porter Secure coding practices; dependency management; code review; application security testing
Compliance Contact info@formationmoney.com Privacy inquiries; data subject requests; regulatory correspondence; partner compliance

As Formation grows, these roles will be distributed across dedicated personnel. The Information Security Owner is responsible for updating this accountability matrix accordingly.

4. Access Control

4.1 Principle of Least Privilege

Access to systems, data, and infrastructure is granted on a need-to-know basis using the principle of least privilege. No user or system is granted more access than necessary to perform its function.

4.2 Authentication Requirements

4.3 Role-Based Access Control (RBAC)

4.4 Access Reviews

Access to all systems is reviewed quarterly. Unused accounts, stale API keys, and unnecessary permissions are revoked promptly, and each review is recorded with its date and reviewer. When a contributor leaves or changes role, their access to every system (GitHub, Supabase, Netlify, Plaid, Stripe, Twilio, and any shared credentials) is revoked or adjusted as part of a documented offboarding checklist, and shared secrets they could have accessed are rotated. While Formation operates without dedicated personnel, these steps are performed manually by the Information Security Owner; they will be automated and integrated with an HR/identity provider as the team grows.

5. Data Protection

5.1 Encryption in Transit

5.2 Encryption at Rest

5.3 Data Classification

Classification Examples Handling Requirements
Critical Plaid access tokens, Stripe API keys, Supabase service role key, Resend API key, Anthropic/OpenAI/ElevenLabs API keys, Array, RentCast, and Perplexity API keys, Twilio auth token Stored only in environment variables; never in code or logs; rotated regularly; access limited to production systems
Confidential Consumer financial data (account balances, transactions, holdings), user email addresses and phone numbers, authentication credentials, Stripe customer IDs Encrypted at rest and in transit; access controlled by RLS; retained per data retention policy; deleted upon user request
Internal Application source code, infrastructure configuration, internal documentation, edge function code Access limited to authorized personnel; stored in private repositories; protected by MFA
Public Privacy policy, security policy, marketing content, landing page No access restrictions; reviewed for accuracy before publication

6. Infrastructure and Network Security

6.1 Hosting Security

6.2 Security Headers

The following HTTP security headers are enforced on all responses:

6.3 Third-Party Integrations

Provider Purpose Security Measures
Plaid Financial data aggregation OAuth token exchange; tokens stored encrypted; webhook signature verification; sandbox/production environment separation
Supabase Database, authentication, and Edge Functions Row-level security; service role key restricted to server-side; JWT-based session management; automated backups
Stripe Subscription billing & payment processing PCI DSS compliant; webhook signature verification; API key stored in environment variables; no raw card data handled by Formation
Resend Transactional email delivery API key stored in environment variables; HTTPS-only communication; email content does not include sensitive financial data
Twilio SMS two-factor authentication (Verify) Credentials stored in environment variables; HTTPS-only communication; integrated through the Supabase MFA phone factor; phone numbers handled per Twilio's data terms
Anthropic AURA & document/statement parsing API key in environment variables; receives your financial context and uploaded documents to answer or parse (your real data, not anonymized); Anthropic does not train on it; uploaded files are not retained after parsing
OpenAI Real-time voice assistant & text-to-speech API key in environment variables; receives voice audio and financial context only when you use voice; ephemeral session tokens; not used for training
ElevenLabs Text-to-speech (voice reply fallback) API key in environment variables; receives only AURA's reply text to synthesize speech
Array Consumer credit-score connection API credentials in environment variables; receives user email/ID to mint a token; returns score + factors; webhook signature verification
RentCast + address lookup Real-estate valuations & property records API key in environment variables; receives only property addresses you add; no account or identity data
Perplexity Live market quotes, dividends, splits & ticker news (web search) API key in environment variables; receives ticker symbols only; no consumer data
Google Ad-conversion tag & web fonts (marketing pages) Loads on public marketing pages only; receives browsing data (IP, user agent, page) for advertising measurement; no access to financial data; disclosed in the Privacy Policy
Netlify Hosting and serverless functions Environment variables for secrets; automatic TLS; deploy previews isolated from production

7. Application Security

7.1 Secure Development Practices

7.2 Deployment Security

8. Vulnerability Management

8.1 Scanning and Patching

8.2 Endpoint Security

9. Incident Response

9.1 Incident Classification

Severity Description Response Time
Critical Confirmed data breach; unauthorized access to consumer financial data; compromised API keys or access tokens Immediate (within 1 hour)
High Suspected unauthorized access; service outage affecting data integrity; failed authentication anomalies Within 4 hours
Medium Vulnerability discovered in production; unusual access patterns; third-party provider incident Within 24 hours
Low Policy violation with no data exposure; minor configuration issue; informational security advisory Within 72 hours

9.2 Incident Response Procedure

  1. Detection & Identification: Monitor system logs, Supabase audit logs, Netlify function logs, and Stripe webhook logs for anomalies. Investigate alerts promptly.
  2. Containment: Isolate affected systems. Revoke compromised credentials immediately. Disable affected API keys and rotate secrets across all providers.
  3. Eradication: Identify root cause. Apply patches or configuration changes. Remove any unauthorized access.
  4. Recovery: Restore systems from known-good state. Verify data integrity. Re-enable services after verification.
  5. Notification: Notify affected users within 72 hours of confirmed breach. Notify Plaid and Stripe per contractual obligations. Report to relevant regulatory authorities as required by law.
  6. Post-Incident Review: Document lessons learned. Update security controls. Revise this policy if necessary.

10. Data Retention and Disposal

Formation maintains a separate Data Retention and Disposal Policy that governs:

11. Privacy

Formation maintains a Privacy Policy that is displayed to end-users within the application. Key privacy commitments include:

12. Business Continuity

13. Security Awareness and Training

14. Compliance and Audit

15. Policy Review and Updates

This policy is reviewed and updated:

Policy Version History

v1.0 (March 15, 2026) — Initial policy established.

v1.1 (March 31, 2026) — Updated to reflect MX integration, Stripe billing, Resend email delivery, and brand refresh. Approved by Brad Porter, Founder & CEO.

v1.2 (June 7, 2026) — Brand refresh to Sky Light v3; updated authentication methods (authenticator-app TOTP and SMS MFA via Twilio Verify, Google and Apple SSO); added Twilio as a sub-processor; AURA naming. Approved by Brad Porter, Founder & CEO.

v1.3 (June 8, 2026) — Disclosed additional sub-processors (OpenAI, ElevenLabs, Array, RentCast, Finnhub, Google) and corrected the Anthropic data-handling description. Approved by Brad Porter, Founder & CEO.

v1.4 (June 8, 2026) — Documented mandatory MFA for all users, the CI dependency-audit gate, preview-environment isolation, quarterly access reviews, and offboarding procedures. Removed Finnhub as a sub-processor. Approved by Brad Porter, Founder & CEO.

v1.5 (July 7, 2026) — Removed MX Technologies as a data aggregation provider; Plaid is Formation's sole financial-data aggregator. Approved by Brad Porter, Founder & CEO.

16. Contact Information

For questions about this policy or to report a security concern:

To report a suspected security vulnerability, please email info@formationmoney.com with the subject line "Security Vulnerability Report".