
Security Policy

Last updated: 26 January 2026

1. Our Commitment to Security

At Fiacore, security is not just a feature—it's fundamental to everything we do. We understand that you're trusting us with sensitive financial information, and we take that responsibility seriously.

This Security Policy outlines the measures we implement to protect your data, in compliance with UK GDPR Article 32 (Security of Processing) and industry best practices.

Security Standards: OWASP Top 10 Aligned | AES-256-GCM Encryption | SOC 2 Type II Aligned
ICO Registration: ZC068211
Data Protection Officer: Mr Maulikkumar Patel

2. Data Encryption

2.1 Encryption at Rest

All personal data stored in our database is encrypted at the field level using industry-standard algorithms:

  • AES-256-GCM: All personally identifiable information (PII) is encrypted with 256-bit AES in Galois/Counter Mode, an authenticated mode that detects tampering with the stored ciphertext as well as hiding its contents
  • Deterministic Encryption: Email addresses are encrypted deterministically, so a stored email can be found by value (needed for login and duplicate checks) while remaining encrypted. This requires a construction designed for deterministic use, such as AES-SIV (RFC 5297) or a separate keyed lookup index; it must not be built by reusing an AES-GCM nonce, because a repeated nonce under GCM leaks the XOR of the plaintexts and allows forgeries
  • Random IV Encryption: Sensitive fields such as phone numbers, names and device information are encrypted with a fresh random IV (nonce) per record, so two records holding the same value do not produce the same ciphertext
  • Key Management: Encryption keys are stored separately from the data they protect, with strict access controls

2.2 Encryption in Transit

  • TLS 1.3: All data transmitted between your browser and our servers is encrypted with Transport Layer Security
  • HTTPS Only: We enforce HTTPS on all pages and send HSTS headers so browsers refuse to downgrade to plain HTTP
  • Certificate Transparency: Our TLS certificates are recorded in public Certificate Transparency logs, so a certificate mis-issued for our domain can be detected

2.3 IP Address Hashing

For GDPR-compliant logging, we hash IP addresses with SHA-256 rather than storing them in clear text, so security monitoring (rate limiting, abuse correlation) operates on the hashed value. Two caveats apply. Hashed IP addresses are pseudonymised, not anonymised, data under UK GDPR, and remain personal data. An unkeyed hash of an IPv4 address can also be reversed by hashing all 2^32 possible addresses and comparing, so a keyed hash (HMAC-SHA-256 under a secret key that is rotated periodically) is needed to defeat enumeration by anyone who does not hold the key.
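The enumeration caveat above, shown concretely. This is an added example, not Fiacore's code: the sample address, the /16 search range and the key sizes are assumptions, and `hmac_ip` is the keyed alternative described in the text rather than anything the page says Fiacore runs.

```python
import hashlib
import hmac
import ipaddress
import secrets
from typing import Callable, Optional

# Constructed sample address (TEST-NET-3 documentation range, not a real client).
SAMPLE_IP = "203.0.113.77"


def sha256_ip(ip: str) -> str:
    """Unkeyed SHA-256 of the textual address: "hash IP addresses using
    SHA-256" taken literally."""
    return hashlib.sha256(ip.encode("ascii")).hexdigest()


def hmac_ip(ip: str, key: bytes) -> str:
    """Keyed pseudonymisation with HMAC-SHA-256.

    Same address -> same token while `key` is in use, so rate limiting and
    abuse correlation still work on the logged value. Without the key an
    attacker cannot recompute tokens, so enumerating the address space tells
    them nothing. Rotating the key bounds how long tokens stay linkable.
    """
    return hmac.new(key, ip.encode("ascii"), hashlib.sha256).hexdigest()


def recover_ip_by_enumeration(target: str, network: str,
                              hasher: Callable[[str], str]) -> Optional[str]:
    """Reverse a per-address token by hashing every address in `network`.

    A /16 is 65,536 candidates and finishes in well under a second in pure
    Python; the whole IPv4 space is only 2**32 candidates, a matter of hours
    on one machine. This is why an unkeyed hash is not anonymisation.
    """
    for addr in ipaddress.ip_network(network):
        if hmac.compare_digest(hasher(str(addr)), target):
            return str(addr)
    return None


def demo() -> dict:
    """Run both schemes against the same logged address."""
    plain_token = sha256_ip(SAMPLE_IP)
    server_key = secrets.token_bytes(32)        # held by the log pipeline only
    attacker_guess = secrets.token_bytes(32)    # the attacker does not have server_key
    keyed_token = hmac_ip(SAMPLE_IP, server_key)
    return {
        # unkeyed: the original address falls out of a small brute-force search
        "plain_recovered": recover_ip_by_enumeration(
            plain_token, "203.0.0.0/16", sha256_ip),
        # keyed: the same search under any key but the real one finds nothing
        "keyed_recovered": recover_ip_by_enumeration(
            keyed_token, "203.0.0.0/16", lambda ip: hmac_ip(ip, attacker_guess)),
        # keyed tokens are still stable per address, so correlation works
        "keyed_is_deterministic": keyed_token == hmac_ip(SAMPLE_IP, server_key),
    }


if __name__ == "__main__":
    print(demo())
```

The keyed variant trades anonymity for operational usefulness deliberately: within one key period a repeat offender gets the same token, which is what rate limiting needs. Store the key with the other application secrets, never alongside the logs.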

3. Authentication Security

3.1 Password Protection

  • Passwords are hashed with PBKDF2 (via Werkzeug's password hashing helpers) using a unique random salt per password and a high iteration count, so identical passwords produce different hashes and offline guessing is slow
  • We never store plaintext passwords
  • Password strength requirements enforce minimum security standards

3.2 Two-Factor Authentication (2FA)

  • Optional but strongly recommended for all accounts
  • Email-based OTP verification
  • Time-limited codes with automatic expiration
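Sections 3.1 and 3.2 together, as an added example that is not Fiacore's code. The password part mirrors the `method:hash:iterations$salt$hexdigest` layout Werkzeug uses for its `pbkdf2:sha256` method; the 600,000 iteration count, the 5-minute code lifetime and the 5-attempt budget are assumptions, since the page does not publish Fiacore's parameters.

```python
import hashlib
import hmac
import secrets
import string

# Assumption: iteration count and storage layout modelled on Werkzeug's
# pbkdf2:sha256 method; Fiacore's real parameters are not on this page.
PBKDF2_ITERATIONS = 600_000
SALT_CHARS = string.ascii_letters + string.digits
OTP_TTL_SECONDS = 300      # assumed code lifetime
OTP_MAX_ATTEMPTS = 5       # assumed guess budget per code


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """PBKDF2-HMAC-SHA256 with a fresh 16-character random salt per password."""
    salt = "".join(secrets.choice(SALT_CHARS) for _ in range(16))
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt.encode("ascii"), iterations).hex()
    return f"pbkdf2:sha256:{iterations}${salt}${digest}"


def verify_password(stored: str, candidate: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time.

    A plain `==` on the hex strings would leak, byte by byte, how much of the
    digest matched; hmac.compare_digest does not.
    """
    method, salt, digest = stored.split("$", 2)
    _, hash_name, iterations = method.split(":")
    computed = hashlib.pbkdf2_hmac(
        hash_name, candidate.encode("utf-8"), salt.encode("ascii"), int(iterations)).hex()
    return hmac.compare_digest(computed, digest)


class EmailOtp:
    """One pending emailed code for one account.

    A 6-digit code has only 10**6 values, so the attempt limit, not the code
    length, bounds guessing: with 5 attempts an attacker succeeds with
    probability 5e-6 per code. Expiry and single use close the replay window.
    `now` is injected so the lifecycle can be exercised without sleeping.
    """

    def __init__(self, now: float, ttl: int = OTP_TTL_SECONDS):
        self.code = f"{secrets.randbelow(10**6):06d}"   # what is emailed to the user
        self.expires_at = now + ttl
        self.attempts = 0
        self.used = False

    def verify(self, candidate: str, now: float) -> bool:
        # Expired, spent or locked-out codes fail before any comparison happens.
        if self.used or now > self.expires_at or self.attempts >= OTP_MAX_ATTEMPTS:
            return False
        self.attempts += 1
        if hmac.compare_digest(candidate.encode("utf-8"), self.code.encode("ascii")):
            self.used = True        # single use: a replayed code is refused
            return True
        return False
```

Keeping the iteration count inside the stored string is what lets it be raised later: old hashes still verify, and can be re-hashed at the user's next successful login.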

3.3 Session Security

  • Server-Side Sessions: Session data is stored in PostgreSQL; the browser cookie carries only an opaque random session identifier, never user data
  • Session Regeneration: New session ID generated on login to prevent fixation attacks
  • Automatic Timeout: Sessions expire after periods of inactivity
  • Single-Device Sessions: Option to invalidate other sessions
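The four session properties above in one runnable model. This is an added example, not Fiacore's implementation: an in-memory dict stands in for the PostgreSQL session table, the 30-minute inactivity limit is an assumption, and `login_without_regeneration` exists only to show the fixation attack that regeneration prevents.

```python
import secrets

# Constructed scenario: one attacker-controlled anonymous session, one victim.
VICTIM = "victim@example.com"
IDLE_TIMEOUT_SECONDS = 1800   # assumed inactivity limit


class SessionStore:
    """In-memory stand-in for a server-side session table. The browser only
    ever holds the opaque `sid`; identity and timestamps stay on the server."""

    def __init__(self, idle_timeout: int = IDLE_TIMEOUT_SECONDS):
        self._rows: dict[str, dict] = {}
        self.idle_timeout = idle_timeout

    def new_session(self, now: float) -> str:
        sid = secrets.token_urlsafe(32)            # 256 bits from the OS CSPRNG
        self._rows[sid] = {"user": None, "last_seen": now}
        return sid

    def get(self, sid: str, now: float):
        """Look up a session, enforcing the inactivity timeout on every read."""
        row = self._rows.get(sid)
        if row is None:
            return None
        if now - row["last_seen"] > self.idle_timeout:
            del self._rows[sid]                    # expired: drop it server-side
            return None
        row["last_seen"] = now
        return row

    def login_without_regeneration(self, sid: str, user: str, now: float) -> str:
        """Anti-pattern: promotes whatever sid the browser presented."""
        row = self.get(sid, now)
        if row is None:
            sid = self.new_session(now)
            row = self._rows[sid]
        row["user"] = user
        return sid

    def login(self, sid: str, user: str, now: float) -> str:
        """Regenerates the identifier on authentication (what the policy states).
        The pre-login sid, whoever chose it, is invalid afterwards."""
        self._rows.pop(sid, None)
        new_sid = self.new_session(now)
        self._rows[new_sid]["user"] = user
        return new_sid

    def invalidate_other_sessions(self, user: str, keep_sid: str) -> int:
        """'Log out other devices': delete every row for `user` except keep_sid."""
        doomed = [s for s, r in self._rows.items() if r["user"] == user and s != keep_sid]
        for s in doomed:
            del self._rows[s]
        return len(doomed)


def fixation_succeeds(regenerate: bool) -> bool:
    """Session fixation: the attacker obtains an anonymous sid, plants it in the
    victim's browser (for example via a link or a cookie set from a sibling
    subdomain), waits for the victim to log in, then presents the same sid."""
    store = SessionStore()
    attacker_sid = store.new_session(now=0.0)
    login = store.login if regenerate else store.login_without_regeneration
    login(attacker_sid, VICTIM, now=10.0)
    hijacked = store.get(attacker_sid, now=20.0)
    return hijacked is not None and hijacked["user"] == VICTIM


if __name__ == "__main__":
    print("fixation without regeneration:", fixation_succeeds(regenerate=False))
    print("fixation with regeneration:   ", fixation_succeeds(regenerate=True))
```

The identifier cookie itself still needs `Secure`, `HttpOnly` and `SameSite` attributes; regeneration stops an attacker-chosen identifier from becoming authenticated, it does not stop one from being stolen after the fact.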

4. Application Security

4.1 OWASP Compliance

We follow the OWASP Top 10 guidelines to protect against common vulnerabilities:

  • Injection Prevention: Parameterized queries and ORM usage keep user input out of the SQL text, preventing SQL injection
  • XSS Protection: Context-aware output encoding in templates, with Content Security Policy headers as a second layer
  • CSRF Protection: Token-based protection on all state-changing requests
  • Broken Authentication: Rate limiting and temporary account lockout after repeated failed login attempts
  • Security Misconfiguration: Regular security audits and hardened configurations
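The injection bullet above, as an added example that is not Fiacore's code. It uses Python's built-in `sqlite3` in place of PostgreSQL because the mechanics are identical; the table, rows and payload are constructed for the demonstration, and the allow-listed `ORDER BY` helper covers the case placeholders cannot, which the page does not discuss.

```python
import sqlite3

# Constructed sample data; sqlite3 stands in for PostgreSQL here.
SAMPLE_USERS = [("alice@example.com", 1), ("bob@example.com", 0)]
# Classic tautology payload: closes the string literal, then ORs in a true clause.
PAYLOAD = "nobody@example.com' OR '1'='1"
ALLOWED_SORT_COLUMNS = {"email", "id"}


def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT NOT NULL, is_admin INTEGER NOT NULL)")
    conn.executemany("INSERT INTO users (email, is_admin) VALUES (?, ?)", SAMPLE_USERS)
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, email: str) -> list:
    """String-formatted query: the attacker's input becomes part of the SQL grammar."""
    sql = f"SELECT id, email FROM users WHERE email = '{email}'"
    return conn.execute(sql).fetchall()


def find_user(conn: sqlite3.Connection, email: str) -> list:
    """Parameterised query: the driver sends the value separately from the SQL
    text, so quotes or keywords in it are just characters inside one string."""
    return conn.execute("SELECT id, email FROM users WHERE email = ?", (email,)).fetchall()


def list_users_sorted(conn: sqlite3.Connection, column: str) -> list:
    """Placeholders cannot stand in for identifiers, so a user-chosen sort column
    is checked against an allow-list before it is spliced into the query."""
    if column not in ALLOWED_SORT_COLUMNS:
        raise ValueError(f"unsupported sort column: {column!r}")
    return conn.execute(f"SELECT id, email FROM users ORDER BY {column}").fetchall()


if __name__ == "__main__":
    db = build_db()
    print("vulnerable:", find_user_vulnerable(db, PAYLOAD))   # every row comes back
    print("parameterised:", find_user(db, PAYLOAD))           # no row has that literal email
```

An ORM that builds queries from objects gives the same protection as the parameterised call, but only while you stay on that path; raw-SQL escape hatches (`session.execute(text(...))` in SQLAlchemy, for instance) reintroduce exactly the first function's problem if they interpolate strings.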

4.2 Input Validation

  • All user input is validated and sanitized
  • File uploads are restricted to safe types and scanned
  • API endpoints validate request formats and data types

5. Infrastructure Security

5.1 Server Security

  • Hosted on secure, monitored infrastructure
  • Regular security patches and updates
  • Firewall protection and intrusion detection
  • DDoS protection and mitigation

5.2 Database Security

  • Encrypted database connections
  • Role-based access control
  • Regular automated backups
  • Point-in-time recovery capability

6. Access Control

  • Principle of Least Privilege: Access granted only as needed
  • Role-Based Access Control: Different permission levels for users and administrators
  • Audit Logging: All administrative actions are logged and monitored
  • Regular Access Reviews: Periodic review and removal of unnecessary access

7. Incident Response

7.1 Our Response Plan

In the event of a security incident, we have a documented response plan that includes:

  1. Detection: Continuous monitoring for suspicious activity
  2. Containment: Immediate steps to limit impact
  3. Investigation: Thorough analysis of the incident
  4. Notification: The ICO is notified within 72 hours of our becoming aware of a reportable breach, as UK GDPR Article 33 requires, and affected users are informed without undue delay where the breach is likely to result in a high risk to them (Article 34)
  5. Recovery: Restoration of normal operations
  6. Review: Post-incident analysis and improvements

7.2 Reporting Security Issues

If you discover a security vulnerability, please report it responsibly:

Security Team

Email: security@fiacore.com
Response Time: Within 24 hours for critical issues
Note: Please do not publicly disclose vulnerabilities before we've had time to address them.

8. Your Security Responsibilities

Help us keep your account secure:

  • Use a strong, unique password for your Fiacore account
  • Enable two-factor authentication
  • Keep your email account secure (it's used for recovery)
  • Log out when using shared or public computers
  • Report any suspicious activity immediately
  • Keep your devices and browsers updated

9. Compliance & Certifications

  • UK GDPR: Compliant with Article 32 (Security of Processing)
  • Data Protection Act 2018: Aligned with UK data protection requirements
  • ICO Guidance: Following Information Commissioner's Office recommendations
  • OWASP: Application security aligned with OWASP standards

10. Updates to This Policy

We regularly review and update our security measures. This policy will be updated to reflect significant changes in our security practices.

Questions About Security?

General Inquiries: security@fiacore.com
Report a Vulnerability: security@fiacore.com
Support: support@fiacore.com

Company Details

Company: Fiacore Ltd
Company Number: 16696707
Registered Address: 11 Chester Road, London, E7 8QT
ICO Registration: ZC068211
Data Protection Officer: Mr Maulikkumar Patel
DPO Email: patelmaulik8519@gmail.com

© 2026 Fiacore. All rights reserved.