SECURITY

Security at EZ Ledgr

We handle sensitive financial data on behalf of small business owners. Here is a transparent overview of how we protect it — from encryption standards to access controls to responsible disclosure.

Company: Scalable Innovations LLC
Last updated: March 22, 2026
Contact: security@scalable-innovations.com

Encryption

In transit & at rest

AES-256 + TLS 1.3

Infrastructure

Vercel + Supabase

SOC 2 backed

Authentication

MFA enforced

Required for bank sync

Bank connectivity

Read-only access

1. Security Overview

Scalable Innovations LLC operates EZ Ledgr as a financial management platform for small businesses. Because our users connect bank accounts and store transaction data, we treat security as a core product requirement — not an afterthought.

Our security program is built around five principles: least-privilege access, defense in depth, encryption everywhere, continuous monitoring, and transparent disclosure. This page summarizes our practices for users, partners, and security researchers.

Security questions or concerns? Contact our security team directly at security@scalable-innovations.com. We respond to all security inquiries within 2 business days.

2. Infrastructure & Hosting

EZ Ledgr is built on enterprise-grade cloud infrastructure with strong baseline security postures inherited from our platform providers.

Vercel (Hosting)

Application hosting with automatic TLS provisioning, DDoS protection, global edge network, and SOC 2 Type II compliance.

Supabase (Database & Auth)

PostgreSQL database with row-level security, hosted on AWS infrastructure. SOC 2 Type II certified. Data encrypted at rest and in transit.

Cloudflare (DNS)

DNS and network security layer providing DDoS mitigation, bot protection, and additional TLS enforcement.

Resend (Email)

Transactional email provider. Used only for account notifications. No sensitive financial data is transmitted via email.

Security headers

All responses from EZ Ledgr include the following security headers enforced at the edge via Vercel:

Strict-Transport-Security — HSTS with 2-year max-age and preload, forcing HTTPS on all connections
Content-Security-Policy — restricts which scripts, styles, and connections the browser may load
X-Frame-Options: DENY — prevents clickjacking attacks
X-Content-Type-Options: nosniff — prevents MIME-type sniffing
Referrer-Policy: strict-origin-when-cross-origin — limits referrer leakage
Permissions-Policy — disables camera, microphone, and other unused browser APIs

3. Encryption

All data handled by EZ Ledgr is encrypted both in transit and at rest. We do not store or transmit sensitive financial data in plaintext under any circumstances.

Data	In Transit	At Rest	Status
Consumer financial data (Plaid)	TLS 1.3	AES-256 (Supabase / AWS RDS)	Active
User account data	TLS 1.3	AES-256 (Supabase)	Active
Session tokens / JWTs	TLS 1.3 (HTTPS only)	Signed + encrypted by Supabase Auth	Active
API keys & secrets	N/A (server-side only)	Environment variables — never in source code	Active
Backups	N/A	AES-256 (Supabase automated backups)	Active

TLS policy

Minimum TLS 1.2 enforced; TLS 1.3 preferred and negotiated by default
TLS 1.0 and 1.1 disabled on all endpoints
All HTTP requests automatically redirected to HTTPS
Certificates auto-renewed via Vercel's managed certificate infrastructure

4. Access Control & MFA

Consumer-facing authentication

All user accounts are protected with email and password authentication via Supabase Auth
Two-factor authentication (2FA / TOTP) is available to all users from account settings
2FA is required before connecting any bank account — users without 2FA enabled are directed to enable it before Plaid Link opens
Explicit user consent is obtained and logged (with timestamp) before any financial data is accessed via Plaid

Internal access controls

All production systems (Supabase, Vercel, GitHub) require MFA for every team member
Database access is controlled via Supabase Row-Level Security (RLS) — each user can only access their own data
No direct database access from the browser — all queries go through authenticated server-side API routes
API keys and service credentials are stored in environment variables, never committed to source code
Access to production systems is limited to the engineering team on a need-to-know basis

Plaid financial data specifically: Access to the Plaid integration and stored financial data is restricted to authenticated requests scoped to the individual user's account. No cross-account data access is possible by design due to RLS enforcement at the database layer.

5. Financial Data (Plaid)

EZ Ledgr uses Plaid Technologies, Inc. to enable bank account connectivity. Plaid is a leading financial data network used by thousands of financial applications. Here is how the integration is secured:

Read-only access: Plaid provides read-only access to transaction and balance data. We cannot and do not initiate transfers or modify your accounts.
Credentials never touch our servers: Your bank login credentials are entered directly into Plaid's interface and never transmitted to or stored by EZ Ledgr.
Explicit consent required: Users see a clear disclosure of exactly what data will be accessed before connecting any account. Consent is logged with a timestamp.
MFA gate: Two-factor authentication must be verified before Plaid Link is presented to the user.
Revocable at any time: Users can disconnect their bank account from Settings at any time, which revokes EZ Ledgr's access token.
Data minimization: We request only the data scopes required for bookkeeping — transactions, balances, and account identifiers.

Plaid's own security and privacy practices are described in Plaid's End User Privacy Policy and their security documentation.

6. Vulnerability Management

Dependency scanning

GitHub Dependabot is enabled on the repository — automated alerts and pull requests for vulnerable dependencies
All third-party packages are reviewed before adoption
Security patches are applied promptly based on severity (critical within 24 hours, high within 7 days)

Code security

Source code is hosted on GitHub with branch protection rules on the main branch
All production deployments go through Vercel's build pipeline — no direct server access
Secrets are managed via environment variables; secret scanning is enabled on the repository

Patching SLAs

CRITICAL

Critical (CVSS 9–10)

24-hour remediation target. Immediate notification to security team.

HIGH

High (CVSS 7–8.9)

7-day remediation target. Tracked as priority issue.

MEDIUM

Medium (CVSS 4–6.9)

30-day remediation target. Assigned to engineering backlog.

LOW

Low (CVSS 0.1–3.9)

90-day remediation target. Tracked in security log.

7. Incident Response

Scalable Innovations LLC maintains an incident response process for security events affecting user data or platform availability.

Detection: Security events are identified via platform monitoring, user reports, or third-party notifications
Containment: Affected systems are isolated and access revoked as appropriate within hours of confirmed incident
Notification: Affected users are notified by email within 72 hours of a confirmed data breach, in accordance with applicable law
Post-incident review: All significant incidents result in a written post-mortem and remediation plan

To report a suspected security incident or breach, contact security@scalable-innovations.com immediately. Include as much detail as possible about what you observed.

8. Compliance & Auditing

EZ Ledgr is built on infrastructure from providers with strong compliance certifications. Our security practices are aligned with the following frameworks:

SOC 2 (via Supabase)

Supabase is SOC 2 Type II certified. Database infrastructure, access controls, and availability are covered under their certification.

SOC 2 (via Vercel)

Vercel is SOC 2 Type II certified. Application hosting, deployment pipelines, and edge network security are covered.

Plaid Compliance

EZ Ledgr is completing Plaid's security questionnaire. Our security practices are designed to meet Plaid's requirements for applications using their financial data APIs.

GLBA Alignment

As a platform handling consumer financial data, our policies are aligned with the Gramm-Leach-Bliley Act safeguards rule requirements.

Audit logging

All Plaid consent grants are logged with user ID and timestamp
Authentication events (sign-in, MFA verification, password changes) are logged by Supabase Auth
Application logs are retained for 90 days then automatically purged

9. Employee Security

All team members complete security awareness training upon onboarding
MFA is required on all accounts with access to production systems — Supabase, Vercel, GitHub, and cloud infrastructure
Access to production systems follows the principle of least privilege — team members receive only the minimum access required for their role
All team members operate under a security and confidentiality agreement
Access is revoked within 24 hours of a team member's departure

10. Responsible Disclosure

We welcome responsible disclosure of security vulnerabilities from the security research community. If you have discovered a potential security issue in EZ Ledgr, please report it to us before making it public.

How to report a vulnerability

1Email a description of the vulnerability to security@scalable-innovations.com
2Include steps to reproduce, potential impact, and any relevant screenshots or proof-of-concept
3We will acknowledge your report within 2 business days
4We will provide a resolution timeline based on severity within 7 days
5We ask that you allow us reasonable time to remediate before public disclosure

We do not currently offer a bug bounty program, but we genuinely appreciate responsible disclosures and will acknowledge researchers who help improve our security.

Scope

In-scope for vulnerability reports:

Authentication and authorization vulnerabilities on ezledgr.com
Data exposure or cross-account access vulnerabilities
Injection attacks (SQL, XSS, CSRF) on any EZ Ledgr endpoint
Security misconfigurations affecting user data