Information Security Policy

Last updated: April 29, 2026

Nexvest is committed to protecting user financial data with the highest security standards. This Information Security Policy (ISP) defines the controls, procedures, and practices in place to protect the confidentiality, integrity, and availability of systems and data.

This policy is reviewed bi-annually or upon any significant change to infrastructure, vendors, or regulations.

1. Multi-Factor Authentication (MFA)

1.1 Consumer Application

Access to Nexvest requires MFA via a 6-digit email verification code. The login flow has two mandatory steps:

  • Step 1: Credential validation (email + bcrypt-hashed password)
  • Step 2: 6-digit code sent by email (expires after 10 minutes, single use)

Plaid Link is only exposed after a fully MFA-authenticated session.
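The second step above, as an added illustration that is not Nexvest's own code: a time-limited, single-use 6-digit code store matching the policy's stated parameters (6 digits, 10-minute expiry, one successful use). Codes are stored hashed and compared in constant time; the attempt limit and the in-memory map standing in for a database table are assumptions, not something the policy states.

```typescript
// Added example, not Nexvest's code. Implements the policy's Step 2 parameters:
// 6-digit code, 10-minute expiry, single use. Codes are kept hashed so a read of
// the store does not reveal a live code, and comparison is constant-time.
import { createHash, randomInt, timingSafeEqual } from "node:crypto";

export const CODE_TTL_MS = 10 * 60 * 1000; // 10 minutes, per policy section 1.1
const MAX_ATTEMPTS = 5;                     // assumption: attempt limit is not stated on the page

interface PendingCode {
  hash: Buffer;      // SHA-256 of the code, never the plaintext code
  expiresAt: number; // epoch milliseconds
  attempts: number;
}

// Assumption: in-memory stand-in for a database table keyed by userId.
const pending = new Map<string, PendingCode>();

function hashCode(code: string): Buffer {
  return createHash("sha256").update(code).digest();
}

/** Issue a fresh code for a user, replacing any earlier one. Returns the code to e-mail. */
export function issueCode(userId: string, now: number = Date.now()): string {
  // CSPRNG draw in [0, 999999], zero-padded so leading zeros are preserved
  const code = randomInt(0, 1_000_000).toString().padStart(6, "0");
  pending.set(userId, { hash: hashCode(code), expiresAt: now + CODE_TTL_MS, attempts: 0 });
  return code;
}

export type VerifyResult = "ok" | "expired" | "invalid" | "no_code";

/** Verify a submitted code. The entry is removed on success, on expiry, or after MAX_ATTEMPTS failures. */
export function verifyCode(userId: string, submitted: string, now: number = Date.now()): VerifyResult {
  const entry = pending.get(userId);
  if (!entry) return "no_code";
  if (now >= entry.expiresAt) {
    pending.delete(userId); // expired codes are discarded, never compared
    return "expired";
  }
  const ok = /^\d{6}$/.test(submitted) && timingSafeEqual(entry.hash, hashCode(submitted));
  if (ok) {
    pending.delete(userId); // single use: the same code can never pass a second time
    return "ok";
  }
  entry.attempts += 1;
  if (entry.attempts >= MAX_ATTEMPTS) pending.delete(userId); // force a re-issue after repeated failures
  return "invalid";
}
```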

1.2 Internal Systems

All internal systems storing or processing consumer data are MFA-protected:

  • Plaid Dashboard: Mandatory MFA (enforced by Plaid)
  • Stripe Dashboard: Mandatory MFA (enforced by Stripe)
  • Hosted infrastructure (Abacus.AI): Strong authentication for console, database, and deployment access

2. Access Control Policy

2.1 Role-Based Access Control (RBAC)

  • Standard user: Access only to their own data (userId-based isolation on every query)
  • Administrator: Access to admin panel (/dashboard/admin)
  • API routes: Every route verifies user session (getServerSession) before data access

2.2 Non-Human Authentication

  • Plaid: OAuth tokens for bank data access
  • Stripe: API keys with webhook signature verification
  • Cron jobs: Authenticated via unique CRON_SECRET
  • All communications: TLS 1.2+

3. Centralized Identity & Access Management (IAM)

Identity management is centralized through NextAuth.js: single authentication system, signed JWT tokens verified per request, bcrypt-hashed passwords, and self-service account deletion with full data cascade.

4. Periodic Access Reviews & Audits

  • Monthly: Review of active Plaid tokens and connected bank accounts
  • Quarterly: Audit of API keys (Plaid, Stripe, Abacus.AI) — rotation as needed
  • Bi-annually: Full review of admin access, database permissions, and third-party integrations

5. Automated De-provisioning

  • Account deletion: Immediate cascade deletion of all data (profile, bank accounts, transactions, budgets, history, Plaid tokens, subscription)
  • Bank disconnection: Revokes the associated Plaid token and removes all linked transactions
  • Session expiry: JWT auto-expiration; MFA codes expire after 10 minutes; reset tokens after 1 hour
  • Personnel changes: As a sole-proprietor organization, any change in responsibility triggers immediate rotation of all API keys and access secrets

6. Zero Trust Access Architecture

  • Per-request verification: Every API request is individually authenticated — no implicit network trust
  • Ephemeral sessions: Limited-lifetime JWT tokens verified per request
  • Data isolation: Every user can only access their own data via systematic userId filtering
  • Encryption in transit: TLS 1.2+ mandatory for all communications
  • Encryption at rest: PostgreSQL encrypted via AWS RDS
  • No direct database access: Database not exposed to Internet — accessible only via application ORM
  • Input validation: Parameterized queries (Prisma ORM) to prevent SQL injection

7. Vulnerability Scanning

  • Dependencies: yarn audit run before every deployment
  • Static analysis: TypeScript strict mode enabled
  • Weekly: Dependency review with priority fix for critical/high vulnerabilities
  • Infrastructure: Abacus.AI manages system and network vulnerability scanning
  • Third-party vendors: Plaid and Stripe are SOC 2 Type II certified

8. Vulnerability Patching — Defined SLA

  • Critical (CVSS ≥ 9.0): Patched within 24 hours
  • High (CVSS 7.0–8.9): Patched within 72 hours
  • Medium (CVSS 4.0–6.9): Patched within 7 days
  • Low (CVSS < 4.0): Patched in next scheduled maintenance cycle

9. End-of-Life (EOL) Software Monitoring

  • Framework: Next.js 14 (active support) — migration planned to LTS versions
  • Runtime: Node.js — tracked against official support schedule
  • Database: PostgreSQL — managed and updated by Abacus.AI
  • npm dependencies: Monthly review; EOL dependencies prioritized for migration within 30 days

10. Security Contact

To report a vulnerability or for security inquiries, contact [email protected].