Information security — Side

Last updated: May 16, 2026 · Operator: McCunes Edible Spoons LLC · Contact: sidebudget@gmail.com

1. Purpose & scope

This document describes how we protect Side (the budgeting app), our API, and sites under *.sidebudget.app. It complements our Privacy policy and is maintained for transparency and partner questionnaires—not as legal advice.

2. Roles & access

Access to production systems (hosting, database dashboards, payment and bank partner consoles) is limited to those who operate Side. Production secrets live only in managed hosting configuration (for example Google Cloud Run environment variables), not in the mobile app bundle. Administrative tools are not shipped with production secrets exposed to end users.

User data in our database is protected with row-level access controls so authenticated clients can read and write only their own records. Highly sensitive fields (such as encrypted bank connection tokens) are stored in server-only tables that are not exposed to client API keys. Development and production use separate credentials and environments where feasible.

3. Authentication for consumers

Accounts support strong passwords and email verification. Users may enable optional authenticator-based MFA (TOTP). When MFA is enabled, we require step-up verification before sensitive actions in the app where our providers require it.

4. Data & encryption

5. Logging & monitoring

We aim to log only what we need to operate and debug issues. Production logs must not contain passwords, raw tokens, or full payment payloads. Incoming webhooks from partners (including Plaid) are verified before processing where those partners provide a verification mechanism. Certain webhook deliveries may be retained in audit tables for troubleshooting and replay detection.

6. Development & dependency hygiene

Changes ship through version control. We apply dependency updates and reviews as part of ongoing maintenance. We do not claim enterprise-grade continuous penetration testing unless separately documented.

7. Incident response

Suspected security issues: email sidebudget@gmail.com. We will investigate, contain where feasible, and notify affected users when required by law.

8. Vendors

We rely on subprocessors—including hosting (Google Cloud), authentication/database (Supabase), bank connectivity (Plaid), payments (Stripe, Apple App Store, Google Play where applicable), subscriptions (RevenueCat), and push (Expo)—under their published terms and security programs.

9. Retention & deletion

Retention aligns with our Privacy policy. Users may request account deletion by contacting us.

10. Policy review

We review this policy at least annually or when security practices change materially.