Security at Phinly

    Your financial security is our top priority. Learn about the comprehensive measures we take to protect your data and maintain your trust.

    Bank-Level Security

    Industry-standard encryption and security protocols protect your financial data

    Data Protection

    Your personal information is encrypted, secured, and never shared without consent

    Transparency

    Clear policies and regular updates about how we protect your information

    Last updated: July 2025

    Our Security Commitment

    At Phinly, we understand that trust is earned through consistent action. As a financial technology platform, we implement comprehensive security measures to protect your financial data and personal information. We believe in transparency about our security practices and continuously work to improve our defenses.

    Infrastructure & Hosting

    Edge Computing & CDN
    • All web applications hosted on Vercel's edge network for optimal performance and security
    • Cloudflare proxy protection providing DDoS mitigation and Web Application Firewall (WAF)
    • Automatic SSL/TLS certificate management and renewal
    • Global content delivery network for reduced latency
    Cloud Infrastructure
    • Backend services hosted on Google Cloud Platform (GCP) within secure Virtual Private Cloud (VPC)
    • Cloud Run for serverless, auto-scaling container deployment
    • Cloud SQL for managed PostgreSQL database with automatic backups
    • Strict TLS connections enforced across all services
    • Network isolation between services for defense in depth

    Data Protection & Encryption

    In Transit
    • All data transmitted over TLS 1.3 at minimum
    • Certificate validation for all API communications
    • Secure WebSocket connections for real-time features
    • HTTPS-only communication with HSTS enforcement
    At Rest
    • Database encryption using Google Cloud's encryption-at-rest
    • Sensitive data fields marked for future field-level encryption implementation
    • Secure key management through environment variables
    • Regular security reviews of data storage practices

    Authentication & Access Control

    Advanced Authentication System
    • Custom OAuth 2.0 authorization server with PKCE (Proof Key for Code Exchange)
    • JWT-based access tokens with 30-minute expiration
    • Refresh token rotation with 14-day validity
    • Multi-factor authentication (MFA) support:
      • SMS-based OTP (One-Time Password) via Twilio
      • TOTP (Time-based OTP) authenticator app support
    • Device tracking and IP address monitoring for suspicious activity detection
    Session Management
    • Secure session handling with NextAuth.js
    • Automatic token refresh with retry logic and exponential backoff
    • Session timeout and re-authentication for sensitive operations
    • Cross-site request forgery (CSRF) protection
    Password Security
    • Minimum 8-character password requirement
    • Password reset tokens with 20-minute expiration
    • Prevention of password reuse
    • Account lockout after multiple failed attempts

    API Security

    Rate Limiting & Protection
    • API rate limiting (100 requests per minute per user)
    • Request validation using JSON Schema
    • Role-based access control (RBAC) for API endpoints
    • Comprehensive input sanitization and validation
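The per-user limit stated above (100 requests per minute) is the kind of control that is easy to get subtly wrong: a fixed-window counter lets a client burst 200 requests across a window boundary, and keying on a client-supplied header lets a caller reset their own bucket. The following is an added example, not Phinly's code, of a sliding-window limiter keyed on the authenticated user ID with an injectable clock; the `req.userId` field, the middleware shape and the header names are assumptions for illustration.

```javascript
// Added example (not Phinly's code): sliding-window rate limiter, 100 requests
// per minute per authenticated user, plus a framework-agnostic middleware.
const LIMIT = 100;
const WINDOW_MS = 60_000;

class SlidingWindowLimiter {
  constructor(limit = LIMIT, windowMs = WINDOW_MS, now = () => Date.now()) {
    this.limit = limit;
    this.windowMs = windowMs;
    this.now = now;          // injectable clock so behaviour is testable
    this.hits = new Map();   // userId -> ascending request timestamps (ms) inside the window
  }

  // Records the request if it is within budget. Returns the decision together
  // with the remaining budget and, when denied, how long until the oldest
  // request in the window expires.
  check(userId) {
    const t = this.now();
    const cutoff = t - this.windowMs;
    const stamps = this.hits.get(userId) ?? [];
    // Discard timestamps that have slid out of the window.
    while (stamps.length && stamps[0] <= cutoff) stamps.shift();
    if (stamps.length >= this.limit) {
      this.hits.set(userId, stamps);
      return { allowed: false, remaining: 0, retryAfterMs: stamps[0] + this.windowMs - t };
    }
    stamps.push(t);
    this.hits.set(userId, stamps);
    return { allowed: true, remaining: this.limit - stamps.length, retryAfterMs: 0 };
  }
}

// Middleware keyed on the server-side identity (req.userId is an assumption:
// set by the authentication layer, never taken from a client header).
// Over-budget calls get 429 with a Retry-After hint and do not reach `next`.
function rateLimitMiddleware(limiter) {
  return (req, res, next) => {
    const r = limiter.check(req.userId);
    res.setHeader("X-RateLimit-Remaining", String(r.remaining));
    if (!r.allowed) {
      res.setHeader("Retry-After", String(Math.ceil(r.retryAfterMs / 1000)));
      res.statusCode = 429;
      res.end("Too Many Requests");
      return;
    }
    next();
  };
}
```

The in-memory `Map` is fine for a single instance; on Cloud Run with several auto-scaled containers the timestamps (or a counter) need to live in a shared store, otherwise each instance grants its own 100 requests.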
    OAuth Implementation
    • Industry-standard OAuth 2.0 flows
    • Support for Authorization Code flow with PKCE
    • Client credentials flow for machine-to-machine communication
    • Secure redirect URI validation

    Financial Data Security

    Open Banking Integration
    • Secure integration with Basiq for Australian financial institutions
    • Plaid integration for international accounts
    • Read-only access to financial data
    • No storage of banking credentials
    • Unique provider user IDs for each Phinly user
    • OAuth state parameters for CSRF protection
    Cryptocurrency Integration
    • Support for secure API key authentication
    • Multiple signature methods (HMAC-SHA256, SHA512, Ed25519)
    • Secure handling of exchange API credentials

    Security Monitoring & Logging

    Comprehensive Logging
    • Structured logging with correlation IDs for request tracing
    • Google Cloud Platform-compatible severity levels
    • Sensitive data redaction in logs
    • Audit trails for security-relevant events
    Monitoring & Alerting
    • Real-time monitoring of security events
    • Automated alerting for suspicious activities
    • Performance monitoring for availability
    • Regular security metric reviews

    Development Security

    Secure Development Practices
    • TypeScript for type safety and reduced runtime errors
    • Strict mode enforcement across all codebases
    • Prisma ORM for SQL injection prevention
    • Environment variable validation using Zod schemas
    • Code reviews for all changes
    Dependency Management
    • Regular dependency updates
    • Monorepo structure for consistent security policies
    • NPM package lock files for reproducible builds
    • Separation of development and production dependencies

    Third-Party Security

    Vendor Security
    • Careful selection of security-conscious vendors
    • Regular review of third-party dependencies
    • Secure API integration practices
    • Minimal data sharing with external services
    Service Providers
    • Vercel for secure edge hosting
    • Cloudflare for DDoS protection
    • Google Cloud Platform for infrastructure
    • Twilio for secure SMS delivery
    • SendGrid for transactional emails

    Privacy & Compliance

    Data Minimization
    • Collection of only necessary data for service provision
    • User control over data sharing preferences
    • Clear data retention policies
    • Right to data deletion
    Regulatory Alignment
    • Designed with Australian Privacy Principles (APP) in mind
    • Consumer Data Right (CDR) considerations
    • GDPR-compliant data handling practices
    • Transparent privacy policies

    Incident Response

    Response Procedures
    • Defined incident response plan
    • Rapid containment procedures
    • User notification protocols
    • Post-incident analysis and improvement
    Business Continuity
    • Regular automated backups
    • Disaster recovery procedures
    • Service redundancy across regions
    • Graceful degradation strategies

    Continuous Improvement

    Security Reviews
    • Regular code security reviews
    • Infrastructure security assessments
    • Third-party dependency audits
    • Security architecture evolution
    Future Enhancements

    We are continuously working to enhance our security posture:

    • Implementation of field-level encryption for sensitive data
    • Migration to stronger password hashing algorithms
    • Enhanced webhook security with signature verification
    • Expanded security testing automation
    • Advanced threat detection capabilities

    Security Reporting

    If you discover a security vulnerability, please report it responsibly to help us keep Phinly secure for everyone.

    • Email: [email protected]
    • Response Time: Within 24 hours for security reports
    • Scope: Security vulnerabilities, data protection concerns, compliance questions

    We take all security reports seriously and will work with you to address any concerns promptly and professionally. We appreciate the security research community's efforts in helping us maintain a secure platform.

    Transparency Commitment

    We believe in being transparent about our security practices. This page will be updated regularly as we implement new security measures and enhance existing ones. Your trust is paramount to us, and we're committed to earning and maintaining it through robust security practices and open communication.



    © Phinly Pty Ltd 2025. All rights reserved.
