1. Security Overview
Scalable Innovations LLC operates EZ Ledgr as a financial management platform for small businesses. Because our users connect bank accounts and store transaction data, we treat security as a core product requirement — not an afterthought.
Our security program is built around five principles: least-privilege access, defense in depth, encryption everywhere, continuous monitoring, and transparent disclosure. This page summarizes our practices for users, partners, and security researchers.
2. Infrastructure & Hosting
EZ Ledgr is built on enterprise-grade cloud infrastructure with strong baseline security postures inherited from our platform providers.
Security headers
All responses from EZ Ledgr include the following security headers enforced at the edge via Vercel:
- Strict-Transport-Security — HSTS with 2-year max-age and preload, forcing HTTPS on all connections
- Content-Security-Policy — restricts which scripts, styles, and connections the browser may load
- X-Frame-Options: DENY — prevents clickjacking attacks
- X-Content-Type-Options: nosniff — prevents MIME-type sniffing
- Referrer-Policy: strict-origin-when-cross-origin — limits referrer leakage
- Permissions-Policy — disables camera, microphone, and other unused browser APIs
3. Encryption
All data handled by EZ Ledgr is encrypted both in transit and at rest. We do not store or transmit sensitive financial data in plaintext under any circumstances.
| Data | In Transit | At Rest | Status |
|---|---|---|---|
| Consumer financial data (Plaid) | TLS 1.3 | AES-256 (Supabase / AWS RDS) | Active |
| User account data | TLS 1.3 | AES-256 (Supabase) | Active |
| Session tokens / JWTs | TLS 1.3 (HTTPS only) | Signed + encrypted by Supabase Auth | Active |
| API keys & secrets | N/A (server-side only) | Environment variables — never in source code | Active |
| Backups | N/A | AES-256 (Supabase automated backups) | Active |
TLS policy
- Minimum TLS 1.2 enforced; TLS 1.3 preferred and negotiated by default
- TLS 1.0 and 1.1 disabled on all endpoints
- All HTTP requests automatically redirected to HTTPS
- Certificates auto-renewed via Vercel's managed certificate infrastructure
4. Access Control & MFA
Consumer-facing authentication
- All user accounts are protected with email and password authentication via Supabase Auth
- Two-factor authentication (2FA / TOTP) is available to all users from account settings
- 2FA is required before connecting any bank account — users without 2FA enabled are directed to enable it before Plaid Link opens
- Explicit user consent is obtained and logged (with timestamp) before any financial data is accessed via Plaid
Internal access controls
- All production systems (Supabase, Vercel, GitHub) require MFA for every team member
- Database access is controlled via Supabase Row-Level Security (RLS) — each user can only access their own data
- No direct database access from the browser — all queries go through authenticated server-side API routes
- API keys and service credentials are stored in environment variables, never committed to source code
- Access to production systems is limited to the engineering team on a need-to-know basis
5. Financial Data (Plaid)
EZ Ledgr uses Plaid Technologies, Inc. to enable bank account connectivity. Plaid is a leading financial data network used by thousands of financial applications. Here is how the integration is secured:
- Read-only access: Plaid provides read-only access to transaction and balance data. We cannot and do not initiate transfers or modify your accounts.
- Credentials never touch our servers: Your bank login credentials are entered directly into Plaid's interface and never transmitted to or stored by EZ Ledgr.
- Explicit consent required: Users see a clear disclosure of exactly what data will be accessed before connecting any account. Consent is logged with a timestamp.
- MFA gate: Two-factor authentication must be verified before Plaid Link is presented to the user.
- Revocable at any time: Users can disconnect their bank account from Settings at any time, which revokes EZ Ledgr's access token.
- Data minimization: We request only the data scopes required for bookkeeping — transactions, balances, and account identifiers.
Plaid's own security and privacy practices are described in Plaid's End User Privacy Policy and their security documentation.
6. Vulnerability Management
Dependency scanning
- GitHub Dependabot is enabled on the repository — automated alerts and pull requests for vulnerable dependencies
- All third-party packages are reviewed before adoption
- Security patches are applied promptly based on severity (critical within 24 hours, high within 7 days)
Code security
- Source code is hosted on GitHub with branch protection rules on the main branch
- All production deployments go through Vercel's build pipeline — no direct server access
- Secrets are managed via environment variables; secret scanning is enabled on the repository
Patching SLAs
7. Incident Response
Scalable Innovations LLC maintains an incident response process for security events affecting user data or platform availability.
- Detection: Security events are identified via platform monitoring, user reports, or third-party notifications
- Containment: Affected systems are isolated and access revoked as appropriate within hours of a confirmed incident
- Notification: Affected users are notified by email within 72 hours of a confirmed data breach, in accordance with applicable law
- Post-incident review: All significant incidents result in a written post-mortem and remediation plan
To report a suspected security incident or breach, contact security@scalable-innovations.com immediately. Include as much detail as possible about what you observed.
8. Compliance & Auditing
EZ Ledgr is built on infrastructure from providers with strong compliance certifications. Our security practices are aligned with the following frameworks:
Audit logging
- All Plaid consent grants are logged with user ID and timestamp
- Authentication events (sign-in, MFA verification, password changes) are logged by Supabase Auth
- Application logs are retained for 90 days and then automatically purged
9. Employee Security
- All team members complete security awareness training upon onboarding
- MFA is required on all accounts with access to production systems — Supabase, Vercel, GitHub, and cloud infrastructure
- Access to production systems follows the principle of least privilege — team members receive only the minimum access required for their role
- All team members operate under a security and confidentiality agreement
- Access is revoked within 24 hours of a team member's departure
10. Responsible Disclosure
We welcome responsible disclosure of security vulnerabilities from the security research community. If you have discovered a potential security issue in EZ Ledgr, please report it to us before making it public.
How to report a vulnerability
1. Email a description of the vulnerability to security@scalable-innovations.com
2. Include steps to reproduce, potential impact, and any relevant screenshots or proof-of-concept
3. We will acknowledge your report within 2 business days
4. We will provide a resolution timeline based on severity within 7 days
5. We ask that you allow us reasonable time to remediate before public disclosure
We do not currently offer a bug bounty program, but we genuinely appreciate responsible disclosures and will acknowledge researchers who help improve our security.
Scope
In-scope for vulnerability reports:
- Authentication and authorization vulnerabilities on ezledgr.com
- Data exposure or cross-account access vulnerabilities
- Injection attacks (SQL, XSS, CSRF) on any EZ Ledgr endpoint
- Security misconfigurations affecting user data