Last updated: December 30, 2025
Information Security Policy
We employ bank-level security measures to ensure your financial data remains private and protected. This policy outlines our rigorous standards for data protection and operational security at Ours.
Data Encryption
Industry-standard TLS 1.2+ and AES-256 encryption.
Strong Auth
Mandatory MFA/2FA for all critical accounts.
Data Isolation
PostgreSQL Row-Level Security (RLS) enforcement.
SUMMARY OF KEY POINTS
This summary provides key highlights of our security posture. You can find more details by using our table of contents to jump to specific sections.
How is data protected?
All data is encrypted in transit and at rest using industry-standard protocols. We utilize Supabase and Vercel's robust infrastructure.
Who can access my data?
Access is strictly limited through Row-Level Security (RLS). Each household is isolated, ensuring you only see your own data.
Is there 2FA support?
Yes. Multi-Factor Authentication (MFA) is available and encouraged for all users through our identity provider, Clerk.
How do you handle updates?
We use a secure CI/CD pipeline with automated testing and peer reviews to ensure only high-quality, secure code is deployed.
Questions or security concerns?
1. GOVERNANCE & RISK MANAGEMENT
Policy Statement
Ours. is committed to protecting the confidentiality, integrity, and availability of all data, including customer, employee, and proprietary information. This policy establishes the framework for our operational information security program, which identifies, mitigates, and monitors information security risks across all relevant business operations.
Compliance & Certifications
We maintain high security standards through audited and compliant infrastructure providers:
- Physical Security: As a cloud-native organization, the physical security of data centers is the responsibility of our audited, compliant infrastructure providers (Vercel and Supabase).
- Third-Party Audits: We rely on SOC 2 Type 2 reports and security attestations provided by Clerk (Authentication), Vercel (Hosting), and Supabase (Database).
2. HOSTING & INFRASTRUCTURE SECURITY
Hosting Strategy
All server-side components, APIs, and data services are hosted on off-premise, highly-managed, and secure cloud infrastructure. This strategy utilizes the robust security controls of our chosen providers:
- Vercel: DDoS mitigation, Web Application Firewall (WAF), and Edge Caching.
- Supabase: Managed PostgreSQL, Row-Level Security (RLS) enforcement, and managed backups.
Data Protection & Encryption
- Data in Transit: All connections are encrypted using TLS 1.2 or higher.
- Data at Rest: All customer data and backups are encrypted using AES-256 encryption.
3. ASSET MANAGEMENT
Endpoint Visibility
We maintain continuous visibility into two categories of endpoints:
- Production Network: Visibility is maintained through platform-native logging and monitoring tools.
- Corporate Endpoints: All devices must be company-owned and managed by an EDR/MDM solution.
Vulnerability Management
We operate a continuous vulnerability management program to ensure platform safety:
- Production Code: Static Application Security Testing (SAST) and Dependency Scanning are enforced.
- Corporate Machines: A mandatory patching SLA requires critical updates to be applied within 7 days.
4. ACCESS CONTROLS
Principle of Least Privilege
Access to all production assets, cloud platforms, and sensitive data is governed by a formal process:
- Request & Approval: Documented approval required based on job function.
- Granting Access: Native Role-Based Access Control (RBAC) features utilized.
- Revocation: Immediate revocation upon termination or change of function.
Strong Authentication
Multi-Factor Authentication (MFA/2FA) is mandatory for all critical accounts, including administrative access and user application access.
5. CHANGE CONTROLS (CI/CD PIPELINE)
Release Process
All code changes follow a standardized Gitflow-based process with mandatory peer reviews and automated testing before deployment to production.
Testing & Quality Gates
Every release must pass through several security and quality checkpoints:
- Automated Testing: PRs must pass unit and integration tests.
- Static Analysis: SAST and dependency scanning are performed on all changes.
6. CRYPTOGRAPHY
All communication and data storage utilize strong encryption standards. Vercel enforces mandatory HTTPS/TLS 1.2+ for all connections, while all Supabase database connections are secured using TLS/SSL encryption and AES-256 volume encryption.
7. LOGGING AND MONITORING
We maintain robust, centralized, and non-modifiable audit logs for all security and operational events. Logs are retained for a minimum of 90 days. We maintain 24/7 monitoring and alerting for security-, performance-, and availability-impacting events in production.
8. INCIDENT MANAGEMENT & NETWORK
Incident Response
We maintain a documented Incident Response Plan (IRP) triaged by the CTO/Security Lead, detailing steps for containment, eradication, and recovery.
Network Segmentation
Our production network is logically segmented. The database is reachable only through a single API gateway, which requires JWT authentication and enforces the database's security policies (RLS) on every request.
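The household-isolation pattern described above, shown as an added PostgreSQL example that is not Ours.'s own schema or policy code. It assumes a constructed `transactions` table with a `household_id` column, a `household_id` claim in the verified JWT, the PostgREST/Supabase convention of exposing decoded JWT claims through the `request.jwt.claims` setting, and the Supabase `authenticated` role as the API-facing database role.

```sql
-- Constructed table standing in for per-household financial data.
CREATE TABLE transactions (
    id           bigserial PRIMARY KEY,
    household_id uuid   NOT NULL,
    amount_cents bigint NOT NULL,
    memo         text
);

-- RLS is opt-in per table; without ENABLE the policy below is never consulted.
ALTER TABLE transactions ENABLE ROW LEVEL SECURITY;
-- FORCE applies the policy to the table owner too, closing an accidental bypass
-- if the API ever connects as the owning role.
ALTER TABLE transactions FORCE ROW LEVEL SECURITY;

-- Reads the caller's household from the JWT claims the gateway verified.
-- The 'household_id' claim name is an assumption about how the identity
-- provider populates the token. A missing or empty claim yields NULL, and
-- NULL never compares equal, so an unauthenticated request sees zero rows.
CREATE FUNCTION current_household_id() RETURNS uuid
LANGUAGE sql STABLE AS $$
  SELECT NULLIF(
           NULLIF(current_setting('request.jwt.claims', true), '')::jsonb
             ->> 'household_id',
           ''
         )::uuid
$$;

-- USING filters which rows are visible (SELECT/UPDATE/DELETE targets);
-- WITH CHECK rejects INSERT/UPDATE results that would land in another
-- household, so a client cannot write data it would not be allowed to read.
CREATE POLICY household_isolation ON transactions
    FOR ALL
    TO authenticated
    USING      (household_id = current_household_id())
    WITH CHECK (household_id = current_household_id());

-- The API role gets ordinary DML privileges only; it must never hold
-- BYPASSRLS or superuser, or the policy is silently ignored.
GRANT SELECT, INSERT, UPDATE, DELETE ON transactions TO authenticated;
```

A quick check from an administrative session: set `request.jwt.claims` to a JSON object for one household, run `SELECT count(*) FROM transactions`, then repeat with a different household and with the claim unset; the counts should match only that household's rows and drop to zero when the claim is absent.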
9. COMPLIANCE, HR, AND VENDOR MANAGEMENT
We integrate security into our organizational culture and third-party relationships:
- Security Training: Annual security awareness training is mandatory for all personnel.
- Vendor Management: Formal risk assessment performed before engaging any vendor handling sensitive data.
- Independent Testing: Annual application-layer penetration testing performed by independent third parties.
- HR Security: Mandatory background checks for personnel with production access.
10. DATA PRIVACY AND USAGE
Data Minimization
We adhere to the principle of Data Minimization. Data is retained only for the length of the business relationship or as required by law.
Account Deletion and Data Removal
When users delete their accounts, we automatically initiate complete data deletion within 30 days. This process includes:
- Secure deletion of all personal and financial data
- Cryptographic erasure of database records
- Removal of associated files and backups
- Verification of complete data removal
Exceptions include anonymized NPS survey responses and feedback submissions retained solely for product improvement.
Usage Policy
Data obtained via integrations is used solely for providing requested services and is never sold, leased, or shared for marketing purposes.