Protecting your financial data is core to I AM Wealth. This page summarizes the controls we use to keep the Service trustworthy.
1. Encryption
- In transit: TLS 1.2+ for all client–server and server–server traffic. HSTS enforced on production domains.
- At rest: AES-256 encryption for databases, object storage, and backups.
- Secrets: API keys (Plaid, Stripe, AI providers) are stored in a managed secret vault, never in source code or client bundles.
2. Access Control
- Row-Level Security (RLS) on every user-data table: policies are keyed on the authenticated user's ID, so one user cannot read another user's rows.
- Least-privilege keys: the publishable client key can only act as the signed-in user and is bound by RLS; the service-role key bypasses RLS, so it lives only on the server and is never shipped in a client bundle.
- Privileged operations require both a valid session and an explicit server-side role check (`has_role`) before they execute.
- Employee production access is granted on a need-to-know basis with MFA and audit logging.
3. Authentication
- Email + password, stored with a bcrypt-class (slow, salted) hash; new passwords are checked against the Have I Been Pwned (HIBP) breached-password list at signup.
- Google OAuth supported.
- Session tokens are short-lived, refresh-rotated, and revocable on sign-out.
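The three session properties above, as an added illustration (this is not the project's code and not Supabase's implementation, which actually issues sessions for the Service): a hypothetical in-memory store that issues short-lived access tokens, rotates the refresh token on every use, treats reuse of an already-rotated refresh token as theft and revokes the whole token family, and revokes everything on sign-out. The names (`SessionStore`, `refreshSession`, `authenticate`) and the TTL values are assumptions.

```typescript
import { createHash, randomBytes } from "crypto";

// Hypothetical in-memory session store (illustration only, not the Service's
// implementation). Tokens are stored by SHA-256 hash so a dump of the store
// does not yield usable tokens.

export interface Session {
  accessToken: string;
  refreshToken: string;
  accessExpiresAt: number; // unix seconds
}

interface TokenRecord {
  familyId: string; // every token descended from one sign-in shares a family
  userId: string;
  expiresAt: number;
  usedAt?: number; // set once a refresh token has been rotated
}

const sha256 = (t: string): string => createHash("sha256").update(t).digest("hex");

export class SessionStore {
  private accessByHash = new Map<string, TokenRecord>();
  private refreshByHash = new Map<string, TokenRecord>();
  private revokedFamilies = new Set<string>();

  constructor(
    private accessTtlSeconds = 15 * 60, // short-lived access tokens
    private refreshTtlSeconds = 7 * 24 * 3600,
  ) {}

  signIn(userId: string, now: number): Session {
    return this.issue(userId, randomBytes(16).toString("hex"), now);
  }

  // Returns the user ID for a live access token, or null if expired, revoked or unknown.
  authenticate(accessToken: string, now: number): string | null {
    const rec = this.accessByHash.get(sha256(accessToken));
    if (!rec || now >= rec.expiresAt || this.revokedFamilies.has(rec.familyId)) return null;
    return rec.userId;
  }

  // Rotation: each refresh token is single-use and yields a brand-new pair.
  refreshSession(refreshToken: string, now: number): Session | null {
    const rec = this.refreshByHash.get(sha256(refreshToken));
    if (!rec || now >= rec.expiresAt || this.revokedFamilies.has(rec.familyId)) return null;
    if (rec.usedAt !== undefined) {
      // A rotated token presented again means a client bug or a stolen token;
      // assume theft and kill every token in the family, including the live ones.
      this.revokedFamilies.add(rec.familyId);
      return null;
    }
    rec.usedAt = now;
    return this.issue(rec.userId, rec.familyId, now);
  }

  // Sign-out revokes the whole family, so outstanding access tokens die too.
  signOut(refreshToken: string): void {
    const rec = this.refreshByHash.get(sha256(refreshToken));
    if (rec) this.revokedFamilies.add(rec.familyId);
  }

  private issue(userId: string, familyId: string, now: number): Session {
    const accessToken = randomBytes(32).toString("base64url");
    const refreshToken = randomBytes(32).toString("base64url");
    this.accessByHash.set(sha256(accessToken), { familyId, userId, expiresAt: now + this.accessTtlSeconds });
    this.refreshByHash.set(sha256(refreshToken), { familyId, userId, expiresAt: now + this.refreshTtlSeconds });
    return { accessToken, refreshToken, accessExpiresAt: now + this.accessTtlSeconds };
  }
}
```

The family-wide revocation on reuse is the part that matters: rotating alone does not help if an attacker who stole a refresh token can keep using the new one it obtained, whereas reuse detection guarantees that whichever party (victim or attacker) presents the stale token second takes both of them offline.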
4. Plaid-Specific Controls
- Plaid Link runs in an isolated iframe; bank credentials are entered there and never touch our servers.
- Plaid access tokens are stored server-side only, in an RLS-protected table. The browser never receives them.
- Webhooks from Plaid carry a signed JWT in the Plaid-Verification header; we verify the signature against Plaid's verification key and check the body hash before processing.
- Token exchange and item operations happen exclusively from authenticated server functions.
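What "signature-verified" means for a Plaid webhook, as an added example (not the Service's own handler): Plaid sends a JWT in the `Plaid-Verification` request header, signed with ES256 by a key identified by the JWT's `kid` header field, with `iat` and `request_body_sha256` claims. The code below pins the algorithm, resolves the key by `kid` through an injected lookup (in production that lookup wraps a cached call to Plaid's `/webhook_verification_key/get` endpoint), checks the signature, rejects tokens older than five minutes, and binds the token to the exact raw body with a constant-time hash comparison. `makeDemoWebhook` is a constructed fixture that mints a token with a throwaway P-256 key so the check runs offline; the function names are assumptions.

```typescript
import { createHash, createPublicKey, generateKeyPairSync, sign, timingSafeEqual, verify } from "crypto";
import type { JsonWebKey } from "crypto";

// Resolves Plaid's verification key for a key ID. Injected so the check can run
// offline; a real handler would cache the result of /webhook_verification_key/get.
export type KeyLookup = (kid: string) => JsonWebKey | undefined;

const MAX_AGE_SECONDS = 5 * 60; // Plaid's documented freshness window for the JWT

const b64url = (b: Buffer | string): string => Buffer.from(b).toString("base64url");
const fromB64url = (s: string): Buffer => Buffer.from(s, "base64url");

function decodeSegment(seg: string): Record<string, unknown> | null {
  try {
    const v = JSON.parse(fromB64url(seg).toString("utf8"));
    return v && typeof v === "object" ? v : null;
  } catch {
    return null;
  }
}

// Returns true only if the Plaid-Verification JWT is well-formed, ES256-signed by
// the key named in `kid`, fresh, and bound to exactly `rawBody`.
export function verifyPlaidWebhook(
  rawBody: string,
  plaidVerificationHeader: string,
  lookup: KeyLookup,
  now: number = Math.floor(Date.now() / 1000),
): boolean {
  const parts = plaidVerificationHeader.split(".");
  if (parts.length !== 3) return false;
  const [h, p, s] = parts;

  const header = decodeSegment(h);
  const claims = decodeSegment(p);
  if (!header || !claims) return false;

  // Pin the algorithm: the token must never get to choose it (alg=none / key confusion).
  const kid = header.kid;
  if (header.alg !== "ES256" || typeof kid !== "string") return false;

  const jwk = lookup(kid);
  if (!jwk) return false;
  const publicKey = createPublicKey({ key: jwk, format: "jwk" });
  const signatureOk = verify(
    "sha256",
    Buffer.from(`${h}.${p}`),
    { key: publicKey, dsaEncoding: "ieee-p1363" }, // JOSE ES256 signatures are raw r||s, not DER
    fromB64url(s),
  );
  if (!signatureOk) return false;

  // Reject stale tokens so a captured webhook cannot be replayed later.
  const iat = claims.iat;
  if (typeof iat !== "number" || now - iat > MAX_AGE_SECONDS) return false;

  // Bind the signature to the exact bytes received, compared in constant time.
  const expected = createHash("sha256").update(rawBody, "utf8").digest("hex");
  const claimed = claims.request_body_sha256;
  const actual = typeof claimed === "string" ? claimed : "";
  return actual.length === expected.length && timingSafeEqual(Buffer.from(actual), Buffer.from(expected));
}

// Constructed fixture: mints a Plaid-style verification JWT with a fresh P-256 key
// pair and returns a lookup that knows only that key.
export function makeDemoWebhook(body: string, iat: number = Math.floor(Date.now() / 1000)) {
  const { publicKey, privateKey } = generateKeyPairSync("ec", { namedCurve: "prime256v1" });
  const kid = "demo-kid-1";
  const header = b64url(JSON.stringify({ alg: "ES256", kid, typ: "JWT" }));
  const bodyHash = createHash("sha256").update(body, "utf8").digest("hex");
  const payload = b64url(JSON.stringify({ iat, request_body_sha256: bodyHash }));
  const signature = sign("sha256", Buffer.from(`${header}.${payload}`), { key: privateKey, dsaEncoding: "ieee-p1363" });
  const jwk = publicKey.export({ format: "jwk" });
  const lookup: KeyLookup = (id) => (id === kid ? jwk : undefined);
  return { jwt: `${header}.${payload}.${b64url(signature)}`, lookup };
}
```

Verify against the raw request body exactly as received, before any JSON parsing or re-serialization; a re-encoded body hashes differently and the check fails. Do the verification before touching any Plaid item state, and return a non-2xx status on failure so nothing downstream acts on an unverified event.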
5. Infrastructure
- Compute: Cloudflare Workers (edge serverless) — no long-lived servers to compromise.
- Database & auth: Supabase (Postgres) — SOC 2 Type II certified provider.
- Payments: Stripe — PCI-DSS Level 1. We never store full PANs.
6. Monitoring & Logging
- Centralized application and access logs with anomaly detection.
- Daily encrypted backups with point-in-time recovery up to 7 days.
- Dependency scanning and automated vulnerability alerts on every deploy.
7. Secure Development
- All code changes pass automated typechecks, security linting, and a Supabase RLS linter.
- Inputs are validated with Zod schemas; SQL is parameterized.
- No customer data is used in development or staging environments.
8. Incident Response
We maintain a written incident response plan. In the event of a confirmed breach affecting your data, we will notify affected users without undue delay and, where required, within 72 hours, with the nature of the incident, data involved, and steps you can take.
9. Responsible Disclosure
Found a vulnerability? Email security@iamwealth.app. We will acknowledge within 2 business days and will not pursue legal action for good-faith research that follows our coordinated-disclosure guidelines.
10. Compliance Roadmap
- SOC 2 Type II audit — in progress.
- GDPR & CCPA — operational today; DPA available on request.
- Plaid Production Access — see End-User Data Use Policy.