Security Practices

Last updated: January 1, 2025

We secure data using modern controls and a least-privilege approach.

Data Protection Measures

Transport Security

  • TLS 1.2+ encryption for all data in transit
  • HTTPS enforcement across all web properties
  • Secure API communication with authenticated endpoints

Storage Security

  • Serverless Postgres (Neon) with encryption at rest
  • Secrets management via environment variables
  • Regular automated backups with limited retention
  • Data segregation by customer/tenant

Access Controls

  • Role-based access control (RBAC)
  • Multi-factor authentication (MFA) on admin accounts
  • Principle of least privilege
  • Regular access reviews and audits
  • Session management and automatic timeouts

Application Security

  • Input validation and sanitization
  • Protection against common vulnerabilities (OWASP Top 10)
  • Regular dependency updates and security patches
  • Code review and security testing

Data Minimization

We collect and store only the data necessary for the features you use. We do not store banking credentials or unnecessary sensitive information.

Third-Party Security

We vet all sub-processors and service providers for security practices. Our vetted partners include:

  • Vercel (hosting/CDN) - SOC 2 Type II certified
  • Neon (database) - Enterprise-grade PostgreSQL
  • Plaid (banking) - Bank-level security standards
  • Intuit QuickBooks - Enterprise accounting security

See our Sub-processors page for the complete list.

Incident Response

Our incident response process includes:

  • Immediate triage and containment
  • Investigation and root cause analysis
  • Notification to affected customers consistent with law and contracts
  • Remediation and preventive measures
  • Post-incident review and documentation

Monitoring and Logging

  • Real-time application and infrastructure monitoring
  • Security event logging and analysis
  • Automated alerting for suspicious activity
  • Regular security audits and penetration testing

Employee Security

  • Background checks for employees with data access
  • Regular security awareness training
  • Confidentiality agreements
  • Device security policies (encryption, antivirus, updates)

Compliance

We maintain compliance with applicable standards and regulations:

  • GDPR (where applicable)
  • CCPA/CPRA (California residents)
  • SOC 2 principles (in progress)

Questions or Concerns

For security-related inquiries or to report a vulnerability:

Email: security@digitalfunnels.com
Phone: +1 (818) 514-1778