Information Security Policy
Version 1.1
Last updated: January 2026
This Information Security Policy establishes the security controls, procedures, and responsibilities for protecting user data, financial information, and system resources within Casike. We are committed to maintaining the highest security standards to protect your data and comply with industry requirements including Plaid data security standards.
Data Classification
We classify data into three categories:

Sensitive Data:
• User authentication credentials
• Financial account information (via Plaid)
• Transaction data and bank account details
• Personally identifiable information (PII)

Business Data:
• Invoice records and financial metrics
• Expense records and receipts
• Budget information

Public Data:
• Marketing materials and documentation
Authentication & Access Control
We implement robust authentication measures:
• Magic Link Authentication: Passwordless authentication via secure email tokens
• OAuth Integration: Federated authentication with trusted providers
• Multi-Factor Authentication (MFA): TOTP-based MFA via authenticator apps
• Session Management: Automatic session timeout after a period of inactivity
• Trusted Devices: Optional trusted device management for convenience
• Row Level Security: Database-level access controls ensuring users can only access their own data
Data Protection
Your data is protected through multiple layers:
• Encryption in Transit: All data transmitted over HTTPS/TLS 1.2+
• Encryption at Rest: Database encryption at the infrastructure level
• API Keys: Stored securely as environment variables, never committed to source control
• Geographic Location: United States data residency
• Secure File Storage: Files stored in authenticated, access-controlled storage
Infrastructure Security
Our infrastructure is built on secure, enterprise-grade platforms:
• Application Hosting: SOC 2 compliant cloud hosting with automatic HTTPS
• Database: Managed database with encryption and automatic backups
• CDN: Global content delivery network with DDoS protection

Security Headers:
• HSTS with preload for enforced HTTPS
• Clickjacking protection
• Content type security
• Rate limiting to prevent abuse
API Security
All API endpoints are protected:
• Input Validation: Strict schema validation on all inputs
• Type Safety: Strong typing throughout the application
• CSRF Protection: Anti-CSRF tokens on all state-changing operations
• Webhook Security: Cryptographic signature verification
• SQL Injection Prevention: Parameterized queries prevent injection attacks
Third-Party Integrations
We carefully manage third-party integrations:

Plaid Integration:
• Read-only access to transactions and balances
• Access tokens stored encrypted
• Tokens revoked upon user request

Stripe Integration:
• PCI DSS compliant payment processing
• No credit card data stored locally
• Webhook signature verification

OpenAI Integration:
• No sensitive financial data in AI prompts
• User data not used for AI training
Audit Logging & Monitoring
We maintain comprehensive audit trails:
• Authentication Events: Login, logout, MFA enrollment, failed attempts
• Financial Operations: Account linking, invoice creation, expense logging
• Data Access: Exports, downloads, sensitive data views
• Security Events: Suspicious activity detection and access denials

Audit logs capture relevant security information and are retained per regulatory compliance requirements. Logs are protected against tampering.
Incident Response
Our incident response process:
1. Detection: Application monitoring and authentication logging
2. Identification: Confirm and assess the security incident
3. Containment: Isolate affected systems/accounts
4. Eradication: Remove threat and vulnerabilities
5. Recovery: Restore normal operations
6. Lessons Learned: Document and improve processes

Notification:
• Users notified within 72 hours of confirmed data breach
• Regulatory authorities notified as required by law
Compliance
We maintain compliance with:
• GDPR: Data subject rights for EU users
• CCPA: Privacy rights for California users
• SOC 2 Type II: Via infrastructure providers
• OWASP Top 10: Security vulnerabilities addressed
• PCI DSS: Via Stripe integration
• Plaid Requirements: Financial data handling standards
Contact Us
For security concerns or to report vulnerabilities:
Email: security@casike.com
Response time: Within 24 hours for security reports
Privacy inquiries: privacy@casike.com
This security policy was last reviewed and updated in January 2026.