Information Security Policy
Last updated: 8 May 2026 · Version 1.0 · Owner: Timothy Jollie
Scope: This policy applies to all systems, data, and processes operated by OurFamilyGrid, including the web application, production server, and all third-party integrations.
1. Purpose
This Information Security Policy establishes the framework for protecting OurFamilyGrid's systems and the personal data of its users. It defines the security controls in place and the responsibilities for maintaining them.
2. Access Control Policy
- Production server access is restricted exclusively to the system administrator (Timothy Jollie) via SSH key-based authentication. Password-based SSH login is disabled.
- All user access to the application is controlled via session-based authentication with bcrypt-hashed passwords.
- Role-based access control (RBAC) is enforced: users can only access data belonging to their own household.
- Multi-factor authentication (TOTP) is available to all users and required for elevated security profiles.
- As a sole-operator service, OurFamilyGrid has no employees or contractors with access to production systems. De-provisioning procedures are therefore not currently applicable, but would be implemented before any such access is granted.
3. Data Encryption
- All data in transit is encrypted using TLS 1.2 or higher (HTTPS enforced via Let's Encrypt certificates).
- Passwords are hashed using bcrypt with a cost factor of 12.
- Bank transaction descriptions imported via Plaid are encrypted at rest using AES-256-GCM with a 256-bit key stored in the server environment.
- Session tokens use a cryptographically random secret and are stored server-side (not in the browser).
- All API secrets and credentials are stored in environment variables, never in source code.
4. Vulnerability Management
- Application dependencies are reviewed using npm audit on a monthly basis and whenever a new dependency is added.
- Critical and high severity vulnerabilities are patched within 14 days of identification.
- Medium severity vulnerabilities are patched within 30 days.
- The server OS (Ubuntu) is configured with unattended-upgrades to automatically apply security patches.
- Node.js runtime is updated to current LTS versions within 60 days of release.
- End-of-life software and dependencies are identified during monthly audits and updated or replaced.
5. Monitoring and Logging
- Application errors and suspicious activity are logged via PM2 process manager.
- Server access logs are retained for 30 days.
- Failed login attempts are logged. Accounts are not automatically locked but patterns are monitored manually.
6. Incident Response
- In the event of a confirmed data breach affecting personal data, affected users will be notified within 72 hours.
- The ICO will be notified of breaches meeting the threshold for mandatory reporting.
- The incident will be documented and remediated within 48 hours.
7. Third-Party Security
- Third-party integrations (Plaid, Anthropic, DVSA) are evaluated for security practices prior to integration.
- Only the minimum required data is transmitted to third-party services.
- All third-party API credentials are rotated immediately if suspected of compromise.
8. Data Retention and Deletion
- User data is retained for the lifetime of the account.
- Users may request full deletion of their account and data at any time via the application (Profile → Security) or by email.
- Deletion requests are processed within 30 days.
- Server access logs are automatically purged after 30 days.
- Plaid access tokens are revoked at Plaid's end when a user disconnects their bank.
9. Physical Security
The production server is hosted in a UK-based data centre with physical access controls managed by the hosting provider. OurFamilyGrid does not operate physical infrastructure directly.
10. Policy Review
This policy is reviewed annually or following any significant security incident or system change. The current version is always available at ourfamilygrid.com/security-policy.
OurFamilyGrid · Information Security Policy v1.0 · timjollie@gmail.com