Information Security Policy

Chesed Projects · CC Charges Tracker · Effective: June 25, 2026 · Review: annually

This Information Security Policy ("ISP") defines how Chesed Projects protects the confidentiality, integrity, and availability of consumer financial data processed by the CC Charges Tracker application. It applies to all personnel and systems that store, process, or transmit this data.

1. Scope & Ownership

The policy covers the application, its server, database, and supporting infrastructure. The application owner (mkantor@mkantor.com) is responsible for maintaining and enforcing this policy and reviewing it at least annually.

2. Data Classification

Financial account and transaction data accessed via Plaid is classified as Confidential and is subject to the strongest controls in this policy.

3. Encryption

4. Access Control

Access requires individual authentication with multi-factor authentication (MFA) and follows least-privilege and role-based principles, as detailed in the Access Control Policy.

5. Application Protections

6. Vulnerability & Patch Management

Operating-system security updates are applied automatically. Identified vulnerabilities are remediated within a defined service-level agreement (SLA) measured from the time of identification: critical-severity within 7 days, high-severity within 30 days. Periodic vulnerability scans are performed on the server.

7. Logging & Monitoring

Security-relevant events (logins, Plaid Link attempts, and application errors) are logged with timestamps and retained for review. Logs are protected from unauthorized modification.

8. Incident Response

Suspected security incidents are investigated promptly. If consumer data is affected, we contain the issue, assess impact, notify affected parties and relevant providers (including Plaid) as required, and document remediation.

9. Data Retention

Data is retained and deleted per the Data Retention & Deletion Policy.