Optionality

Information Security Policy

Effective date: March 13, 2026 · Version 1.0

1. Purpose

This Information Security Policy defines the administrative, technical, and physical safeguards that Optionality Ventures LLC ("Optionality") maintains to protect the confidentiality, integrity, and availability of consumer financial data and personal information processed by the Service.

2. Scope

This policy applies to all systems, infrastructure, personnel, and third-party service providers involved in the collection, storage, processing, and transmission of user data within the Optionality platform. This includes data obtained through direct user input, document uploads, and authorized third-party brokerage integrations.

3. Data Classification

Optionality classifies data into the following categories to ensure appropriate handling:

  • Confidential: brokerage credentials, OAuth tokens, API secrets, encryption keys, and user authentication credentials (password hashes). Access is restricted to authorized systems only. Never stored in plaintext.
  • Sensitive: financial account data, portfolio holdings, balances, transaction history, income, expenses, assets, and liabilities. Protected by encryption and access controls.
  • Internal: user account information (name, email), application configuration, usage analytics. Protected by standard access controls.
  • Public: marketing content, legal documents, and publicly accessible pages. No access restrictions.

4. Encryption

Optionality employs encryption at multiple layers:

  • In transit: all data transmitted between clients and servers is encrypted using TLS 1.2 or higher. HTTP Strict Transport Security (HSTS) is enforced with a minimum max-age of one year, including subdomains.
  • At rest: sensitive credentials, including brokerage connection tokens and user secrets, are encrypted using AES-256-GCM before storage. Encryption keys are managed separately from encrypted data.
  • Passwords: user passwords are hashed using BCrypt with an appropriate work factor. Plaintext passwords are never stored or logged.

5. Authentication and Access Control

  • User authentication: the platform supports email/password authentication with BCrypt hashing and Google OAuth 2.0 single sign-on. Two-factor authentication (TOTP and email OTP) is available for additional account security.
  • Session management: sessions are managed using secure, HttpOnly, SameSite cookies. Sessions are invalidated upon logout and expire after a defined period of inactivity.
  • Brokerage authentication: connections to third-party brokerage accounts use OAuth-based or token-based authentication through authorized data aggregation providers. Optionality does not collect or store brokerage login credentials directly.
  • Least-privilege principle: each integration, service, and system component accesses only the minimum data and permissions required to perform its function.
  • Administrative access: administrative functions are restricted to authorized personnel through role-based access controls.

6. Application Security

  • Security headers: the application enforces X-Content-Type-Options, X-Frame-Options (DENY), Referrer-Policy (strict-origin-when-cross-origin), and Permissions-Policy headers to mitigate common web application vulnerabilities.
  • CSRF protection: cross-site request forgery protection is enabled for all state-changing operations. API endpoints use session-based same-origin protection.
  • Input validation: all user inputs are validated on the server side. HTML output is escaped to prevent cross-site scripting (XSS).
  • Dependency management: third-party dependencies are managed through version-pinned build systems and reviewed for known vulnerabilities.

7. Infrastructure Security

  • Cloud hosting: the application is hosted on secure cloud infrastructure with industry-standard physical and logical safeguards, including network isolation, firewalls, and DDoS mitigation.
  • Database security: production databases are not directly accessible from the public internet. Access is restricted to application servers through internal network configurations.
  • Environment separation: production, staging, and development environments are logically separated. Sensitive production data is not used in non-production environments.

8. Third-Party Integrations

  • Authorized APIs only: Optionality accesses third-party financial data exclusively through authorized APIs provided by regulated data aggregation partners. Optionality does not scrape brokerage websites, mobile applications, or unauthorized interfaces.
  • Rate limiting: API usage complies with each provider's rate-limit policies. Background sync frequency is limited and webhook-driven to minimize unnecessary requests.
  • AI service providers: financial data sent to AI providers for insight generation is transmitted securely and is not retained by the provider beyond the duration of the request. Data is sent only upon explicit user request.
  • Vendor assessment: third-party service providers that process consumer financial data are assessed for their security posture and are required to maintain appropriate safeguards.

9. Logging and Monitoring

  • Application logs are maintained for security events, authentication attempts, and API access. Logs do not contain sensitive credentials, tokens, or plaintext passwords.
  • Anomalous activity, including repeated authentication failures, is monitored and may trigger protective measures.

10. Incident Response

In the event of a suspected security incident involving consumer financial data, Optionality will:

  • Investigate the scope and nature of the incident promptly.
  • Contain the incident to prevent further unauthorized access.
  • Notify affected users and relevant authorities as required by applicable law.
  • Revoke compromised credentials and tokens.
  • Document findings and implement corrective measures to prevent recurrence.

Security incidents may be reported to security@optionalityhq.com.

11. Data Retention and Disposal

Optionality retains consumer financial data only while the user maintains an active account and applicable brokerage connections. Upon account deletion, disconnection of linked accounts, or verified deletion request, consumer financial data is removed from production systems within a reasonable operational timeframe. Brokerage connection tokens are revoked and encrypted secrets are destroyed. See our Privacy Policy and Data Retention and Deletion Policy for full details.

12. Personnel Security

  • Access to production systems and consumer data is restricted to authorized personnel on a need-to-know basis.
  • Personnel with access to consumer financial data are expected to adhere to this policy and applicable confidentiality obligations.

13. Policy Review

This Information Security Policy is reviewed and updated periodically as Optionality's services evolve, as new threats emerge, and as regulatory requirements change.

14. Contact

For security-related questions or to report a vulnerability, contact us at security@optionalityhq.com.
