← Back to Cashuary

1. Purpose and Scope

This Information Security Policy establishes the security requirements, controls, and responsibilities for HM Services Consulting Inc. ("the Company"), operating as Cashuary. This policy applies to all systems, personnel, and processes involved in the collection, processing, storage, and transmission of financial data, personally identifiable information (PII), and authentication credentials.

Cashuary is a financial data aggregation and calendar synchronization service that connects users' bank accounts (via Plaid and Stripe Financial Connections) to Google Calendar. The application processes sensitive financial data including bank transaction details, authentication tokens, and payment information.

All employees, contractors, agents, and third-party service providers with access to Cashuary systems must comply with this policy.

2. Security Governance

2.1 Organizational Responsibility

Harvey Multani, Chief Executive Officer, serves as the designated security officer and is responsible for the overall information security posture of the organization, including:

• Establishing and maintaining this policy and supporting procedures
• Ensuring compliance with applicable laws, regulations, and contractual obligations
• Reviewing and approving security controls and risk assessments
• Overseeing incident response and breach notification procedures
• Conducting quarterly policy reviews and updates

2.2 Contact Information

Security inquiries, incident reports, and data subject requests should be directed to: support@cashuary.com

3. Access Control and Authentication

Cashuary maintains comprehensive access control and authentication policies covering the principle of least privilege, infrastructure access controls, administrative access, consumer authentication via Google OAuth 2.0, session management, infrastructure MFA, role-based access control across all platforms, access review and de-provisioning procedures, and non-human credential management.

The full Access Control Policy is available at cashuary.com/access-control-policy.html (Document ID: ACP-2026-001).

4. Data Protection

5.1 Encryption at Rest

All sensitive credentials (OAuth tokens, API keys, refresh tokens) are encrypted using AES-256-GCM (authenticated encryption with associated data) before storage in the database. Implementation details:

• Algorithm: AES-256-GCM with 96-bit random initialization vectors
• Authentication tags ensure data integrity and prevent tampering
• Encryption keys are stored as environment variables, never in source code
• Key material is validated at application startup (must be exactly 64 hex characters / 256 bits)

5.2 Encryption in Transit

• All external connections require TLS 1.2 or higher
• HTTP Strict Transport Security (HSTS) is enabled with a 1-year max-age, includeSubDomains, and preload directives
• HTTP requests are automatically redirected to HTTPS in production
• Database connections use TLS-encrypted PostgreSQL connections

5.3 Data Minimization

Cashuary follows the principle of data minimization for financial transaction data:

• Raw transaction data from bank providers is processed in memory only
• Only a cryptographic hash (data_hash) of transaction data is persisted to the database for deduplication purposes
• Transaction details (amount, date, description) are written to the user's Google Calendar and are not stored in Cashuary's database in plaintext
• No financial account numbers, routing numbers, or full card numbers are stored

5.4 Environment Variable Security

All environment variables are validated at application startup using schema validation (Zod) with strict type checking and minimum-length requirements. The application will refuse to start if required secrets are missing or malformed. Environment files (.env) are excluded from version control and checked by pre-push hooks to prevent accidental exposure.

5. Infrastructure Security

6.1 Hosting and Network Security

Cashuary is hosted on Railway, a Platform-as-a-Service (PaaS) provider that manages:

• Physical security of data centers
• Network-level firewalls and DDoS protection
• Operating system patching and hardening
• Container isolation between deployments
• Automated TLS certificate provisioning and renewal

6.2 Application Security Headers

The application implements comprehensive security headers via Helmet.js:

• Content Security Policy (CSP) — restricts script and connection sources to trusted domains only (self, Plaid CDN, Stripe JS)
• HSTS — enforces HTTPS with 1-year max-age and preload
• X-Content-Type-Options — prevents MIME-type sniffing
• X-Frame-Options — prevents clickjacking
• Referrer-Policy — limits referrer information leakage
• Permissions-Policy — restricts browser feature access

6.3 Rate Limiting

Rate limiting is applied to all API, authentication, webhook, and administrative endpoints:

Endpoint Category	Rate Limit	Window
API endpoints (/api/*)	200 requests	15 minutes
Authentication (/auth/*)	30 requests	15 minutes
Webhooks (/webhooks/*)	500 requests	15 minutes
Administration (/admin/*)	50 requests	15 minutes

6.4 Cross-Site Request Forgery (CSRF) Protection

All state-modifying API requests are protected against CSRF attacks using the double-submit cookie pattern. CSRF tokens are bound to the user's session identifier and validated on every mutating request. Webhook endpoints are exempt from CSRF protection as they use their own signature-based verification.

6.5 Environment Isolation

Production, staging, and development environments are fully isolated with separate:

• Database instances (separate PostgreSQL databases)
• API credentials (distinct Plaid, Stripe, and Google OAuth client IDs)
• Encryption keys
• Google Cloud projects (separate GCP projects for development and production)

6. Secure Development Practices

7.1 Branch Protection and Code Review

• Direct commits to main and production branches are blocked by pre-commit hooks
• All changes require a pull request with code review before merging
• Production deployments can only be performed by promoting the main branch tip
• Direct pushes to the production branch are blocked by pre-push hooks

7.2 Automated Security Checks

The following automated checks run on every push and pull request:

• Pre-push hooks: .env leak detection, dead file reference scanning, full unit test suite, end-to-end test suite
• CI/CD pipeline: TypeScript type checking, ESLint static analysis, unit tests, end-to-end tests (Playwright)
• GitHub Dependabot: automated dependency vulnerability alerts and pull requests
• GitHub CodeQL: static application security testing (SAST) for JavaScript/TypeScript

7.3 Webhook Security

All incoming webhooks (Plaid, Stripe, Sentry) are verified using cryptographic signature validation before processing. Webhook endpoints receive raw request bodies (express.raw()) to preserve the original payload for signature verification. Each webhook provider uses its own HMAC-based verification scheme.

7.4 Dependency Management

• Dependencies are pinned and tracked via package-lock.json
• GitHub Dependabot monitors for known vulnerabilities and opens automated PRs
• npm audit is incorporated into the development workflow
• Third-party packages are reviewed before adoption

7. Incident Response

8.1 Monitoring and Detection

• Sentry: real-time error monitoring and alerting for all application errors, with HMAC-verified webhook integration for automated triage
• Structured logging: all requests are logged with unique request IDs for traceability (using Pino structured logger)
• Railway platform monitoring: infrastructure-level health checks and deployment monitoring

8.2 Incident Response Procedures

1. Detection: automated alerts via Sentry, monitoring dashboards, or user reports
2. Triage: assess severity and impact, classify as P1 (critical) through P4 (low)
3. Containment: isolate affected systems, revoke compromised credentials if applicable
4. Eradication: identify root cause, deploy fix via expedited code review
5. Recovery: restore normal operations, verify fix effectiveness
6. Post-mortem: document findings, update controls to prevent recurrence

8.3 Breach Notification

In the event of a data breach involving user financial data or PII, affected users will be notified within 72 hours of discovery. Notifications will include the nature of the breach, data affected, remediation steps, and contact information for questions. Regulatory authorities will be notified as required by applicable law.

8. Vulnerability Management

9.1 Automated Vulnerability Scanning

• GitHub Dependabot: continuously monitors dependencies for known CVEs and opens automated remediation pull requests
• GitHub CodeQL: performs static analysis on every pull request to detect security vulnerabilities including SQL injection, cross-site scripting (XSS), and other OWASP Top 10 categories
• npm audit: integrated into the development workflow to flag known package vulnerabilities

9.2 Security Testing

• Automated security penetration testing is performed as part of the pre-merge review process for all production deployments
• Security reviews cover injection risks, authentication bypass, data leakage, financial data handling, and token security
• End-to-end tests validate authentication flows, CSRF protection, and authorization checks

9.3 Remediation SLAs

Severity	Description	Remediation Target
Critical	Active exploitation or data exposure	24 hours
High	Exploitable vulnerability, no active exploitation	7 days
Medium	Vulnerability requiring specific conditions	30 days
Low	Informational or defense-in-depth improvement	90 days

9. Data Retention and Deletion

Cashuary maintains a comprehensive data retention policy governing the lifecycle of all user data. Key provisions include:

• User data is retained only for as long as necessary to provide the service
• Users may request complete deletion of their data at any time
• Upon account deletion, all associated data (bank connections, calendar links, encrypted tokens, session data) is permanently removed
• Transaction hashes are purged along with the associated user account
• Third-party provider connections (Plaid, Stripe, Google) are revoked upon account deletion

The full Data Retention and Disposal Policy is available at cashuary.com/data-retention-policy.html.

10. Third-Party Risk Management

Cashuary integrates with the following third-party service providers. All providers have been evaluated for security compliance:

Provider	Purpose	Compliance
Plaid	Bank account aggregation and transaction data	SOC 2 Type II, ISO 27001
Stripe	Financial Connections (bank linking)	SOC 2 Type II, PCI DSS Level 1
Google Cloud Platform	OAuth authentication, Calendar API	SOC 2 Type II, ISO 27001, FedRAMP
Railway	Application hosting and managed PostgreSQL	SOC 2 Type II
Sentry	Error monitoring and alerting	SOC 2 Type II
GitHub	Source code management, CI/CD, security scanning	SOC 2 Type II, FedRAMP

Third-party provider security postures are reviewed annually. Data shared with third parties is limited to the minimum necessary for service delivery. All third-party API communications are encrypted via TLS.

11. Policy Review and Maintenance

This policy is reviewed and updated quarterly, or sooner if triggered by:

• A security incident or near-miss
• Significant changes to the application architecture or data flows
• Changes in applicable laws or regulations
• New third-party integrations that process sensitive data
• Findings from security assessments or penetration tests

Revision History

Version	Date	Author	Description
1.0	March 10, 2026	Harvey Multani	Initial policy release