Information Security Policy

Effective Date: April 01, 2025

1. Overview

At MyPrivateLedger, protecting your data is our highest priority. This policy outlines the comprehensive security measures we have implemented to ensure the integrity of our services, safeguard your information, and maintain strict regulatory compliance.

2. Hosting & Infrastructure

The application is built with Remix, using Supabase for database services and Drizzle ORM for database access. Frontend and server-side components are hosted via Vercel, with Supabase providing secure Postgres data storage.

3. Data in Transit & at Rest

All data exchanged between users and the platform is encrypted using TLS 1.2+. All data stored in Supabase is encrypted at rest using AES-256.

4. Authentication & Access Control

Internal access to production environments is secured using two-factor authentication (2FA) across services (Vercel, Supabase, GitHub). Only authorized personnel have access to user data, and only for support or compliance reasons.

5. Change Management

All production deployments are managed through version-controlled pipelines (Git + CI/CD). Code is reviewed before release and tested prior to production deployment.

6. Data Collection & Processing

MyPrivateLedger provides read-only access to your financial data through secure, token-based integrations with trusted third-party services like Plaid, GoCardless, and OFauth. We never see or store your login credentials for these platforms. All sensitive operations are handled directly by our partners, who are governed by their own strict security and compliance standards.

7. Security Monitoring

Production logs are maintained by Supabase and Vercel. Access logs and server events are monitored periodically.

8. Incident Response

In case of a breach, MyPrivateLedger will notify affected users within 72 hours as required by applicable law. An internal response process is in place for containment, investigation, and recovery.

9. Employee Devices & BYOD

Any personal device used for development or operations must have disk encryption and password protection enabled. No sensitive user data is stored locally on developer machines.

10. Vendor Management

Third-party vendors are evaluated based on security certifications, encryption standards, and privacy practices. Primary vendors include:

  • Vercel - hosting
  • Supabase - database
  • Plaid - US financial data aggregation
  • GoCardless - EU financial data aggregation
  • OFauth - creator platform data integration

11. User Data Protection

No data is sold to third parties. User data is used solely for providing service functionality and support.

12. Review & Updates

This policy is reviewed quarterly and updated as needed to meet evolving security standards and compliance requirements.

Contact Information

For security-related questions or to report security issues, please contact us:

Email: Support@myprivateledger.com

Mailing Address:

MyPrivateLedger LLC

30 N. Gould St. Ste R, Sheridan, WY 82801, USA