The Stalnaker Group
// security first

Information Security Policy

Last updated: July 2026 | Version 1.0

Governance & Risk Management

The Stalnaker Group maintains a documented information security policy aligned with NIST Cybersecurity Framework. Our security program is actively implemented throughout our organization with executive oversight and regular governance reviews.

Security Contact: security@stalnakergroup.com

Identity & Access Management

  • Multi-Factor Authentication: Hardware security keys (YubiKey) or authenticator apps (Google Authenticator) required for all critical systems
  • Consumer MFA: Multi-factor authentication required before accessing financial data or Plaid Link integration
  • Access Controls: Role-based access with principle of least privilege for production assets
  • Access Reviews: Quarterly access reviews completed within 5 business days
  • Background Screening: Comprehensive background checks for all team members with system access
  • Session Management: 30-minute session timeout with automatic logout

Infrastructure & Network Security

  • Cloud Infrastructure: AWS deployment with multi-region availability (US-East-1, US-West-2)
  • Encryption in Transit: TLS 1.3 enforced with HSTS headers for all client-server communications
  • Encryption at Rest: AWS KMS with AES-256 for consumer financial data and sensitive information
  • Network Security: AWS security groups, VPC segmentation, and Web Application Firewall (WAF)
  • DDoS Protection: AWS Shield Standard and Advanced protection for all publicly accessible endpoints

Development & Vulnerability Management

  • Vulnerability Scanning: Weekly automated scans with 72-hour remediation SLA for critical vulnerabilities
  • Dependency Management: Snyk and Dependabot integrated in CI/CD with automated blocking of high-severity vulnerabilities
  • Secure Development: OWASP Top 10 compliance, mandatory code reviews, and pre-commit security checks
  • Patch Management: Critical security patches applied within 48 hours of release
  • Penetration Testing: Annual third-party security assessments with reports available upon request

Privacy & Data Protection

  • Privacy Policy: Comprehensive policy at /privacy-policy covering all data practices
  • Consumer Consent: Explicit opt-in consent obtained before collection, processing, or storage of consumer data
  • Data Retention: Financial data retained for 7 years, client data retained per contract terms, reviewed quarterly
  • Data Deletion: Secure deletion via AWS Certificate Manager within 30 days of request or retention expiry
  • Data Minimization: Collection limited to data necessary for stated purposes only

Incident Response & Monitoring

  • Incident Response Plan: Documented procedures for detection, containment, eradication, and recovery
  • Response SLAs: Initial triage within 1 hour, critical incidents escalated within 4 hours
  • Customer Notification: Confirmed breaches communicated to affected customers within 72 hours
  • Monitoring: 24/7 security monitoring and alerting for critical systems processing financial data
  • Post-Incident Analysis: Root cause analysis completed within 5 business days with documented remediation

Data Resilience & Business Continuity

  • Backup Strategy: Daily automated backups with 30-day retention
  • Disaster Recovery: Tested recovery procedures (RTO: 4 hours, RPO: 1 hour)
  • Geographic Redundancy: Multi-region data storage
  • Business Continuity: Regular testing and updating of continuity plans

Third-Party Risk Management

  • Vendor Assessment: Security evaluation for all third-party services
  • Supply Chain: Monitoring and regular reviews of critical vendors
  • Data Processing Agreements: Standard agreements with all service providers

Compliance & Standards

  • Framework Alignment: NIST Cybersecurity Framework and CIS Controls implementation
  • Financial Data: Practices aligned with GLBA and applicable financial services regulations
  • Documentation: Complete security documentation available for compliance review
  • Third-Party Review: Security assessments and documentation available for qualified partners

Security Documentation & Contact

We provide comprehensive security documentation for compliance reviews and partner assessments. Available documentation includes our complete Information Security Policy, Incident Response Plan, and technical security controls documentation.