// security first
Information Security Policy
Last updated: July 2026 | Version 1.0
Governance & Risk Management
The Stalnaker Group maintains a documented information security policy aligned with NIST Cybersecurity Framework. Our security program is actively implemented throughout our organization with executive oversight and regular governance reviews.
Security Contact: security@stalnakergroup.com
Identity & Access Management
- • Multi-Factor Authentication: Hardware security keys (YubiKey) or authenticator apps (Google Authenticator) required for all critical systems
- • Consumer MFA: Multi-factor authentication required before accessing financial data or Plaid Link integration
- • Access Controls: Role-based access with principle of least privilege for production assets
- • Access Reviews: Quarterly access reviews completed within 5 business days
- • Background Screening: Comprehensive background checks for all team members with system access
- • Session Management: 30-minute session timeout with automatic logout
Infrastructure & Network Security
- • Cloud Infrastructure: AWS deployment with multi-region availability (US-East-1, US-West-2)
- • Encryption in Transit: TLS 1.3 enforced with HSTS headers for all client-server communications
- • Encryption at Rest: AWS KMS with AES-256 for consumer financial data and sensitive information
- • Network Security: AWS security groups, VPC segmentation, and Web Application Firewall (WAF)
- • DDoS Protection: AWS Shield Standard and Advanced protection for all publicly accessible endpoints
Development & Vulnerability Management
- • Vulnerability Scanning: Weekly automated scans with 72-hour remediation SLA for critical vulnerabilities
- • Dependency Management: Snyk and Dependabot integrated in CI/CD with automated blocking of high-severity vulnerabilities
- • Secure Development: OWASP Top 10 compliance, mandatory code reviews, and pre-commit security checks
- • Patch Management: Critical security patches applied within 48 hours of release
- • Penetration Testing: Annual third-party security assessments with reports available upon request
Privacy & Data Protection
- • Privacy Policy: Comprehensive policy at /privacy-policy covering all data practices
- • Consumer Consent: Explicit opt-in consent obtained before collection, processing, or storage of consumer data
- • Data Retention: Financial data retained for 7 years, client data retained per contract terms, reviewed quarterly
- • Data Deletion: Secure deletion via AWS Certificate Manager within 30 days of request or retention expiry
- • Data Minimization: Collection limited to data necessary for stated purposes only
Incident Response & Monitoring
- • Incident Response Plan: Documented procedures for detection, containment, eradication, and recovery
- • Response SLAs: Initial triage within 1 hour, critical incidents escalated within 4 hours
- • Customer Notification: Confirmed breaches communicated to affected customers within 72 hours
- • Monitoring: 24/7 security monitoring and alerting for critical systems processing financial data
- • Post-Incident Analysis: Root cause analysis completed within 5 business days with documented remediation
Data Resilience & Business Continuity
- • Backup Strategy: Daily automated backups with 30-day retention
- • Disaster Recovery: Tested recovery procedures (RTO: 4 hours, RPO: 1 hour)
- • Geographic Redundancy: Multi-region data storage
- • Business Continuity: Regular testing and updating of continuity plans
Third-Party Risk Management
- • Vendor Assessment: Security evaluation for all third-party services
- • Supply Chain: Monitoring and regular reviews of critical vendors
- • Data Processing Agreements: Standard agreements with all service providers
Compliance & Standards
- • Framework Alignment: NIST Cybersecurity Framework and CIS Controls implementation
- • Financial Data: Practices aligned with GLBA and applicable financial services regulations
- • Documentation: Complete security documentation available for compliance review
- • Third-Party Review: Security assessments and documentation available for qualified partners
Security Documentation & Contact
We provide comprehensive security documentation for compliance reviews and partner assessments. Available documentation includes our complete Information Security Policy, Incident Response Plan, and technical security controls documentation.