Security Policy

How we protect what we build.

Last updated: April 2026

Security is part of how we build software, not a checkbox we add at the end. This document describes the controls we apply to our own infrastructure and the controls we make available to clients during an engagement. It is also our responsible-disclosure policy for security researchers.

1. Scope

This policy applies to:

  • Our own infrastructure — the website, our internal tooling, and any service operated under the Investment Fidelity Company LLC name.
  • Code we ship to clients — the controls described here are what we bring into a client engagement by default. Specific engagements may layer additional or stricter controls per the executed agreement.
  • Open-source libraries we maintain — vulnerability handling for our public Go libraries.

2. Controls we apply by default

Encryption

  • TLS 1.2 or higher on all public endpoints, with HSTS preloading where applicable.
  • Data encrypted at rest (AES-256 or stronger) on managed cloud storage and managed databases.
  • Application-level encryption for sensitive fields where the threat model warrants it (PII, financial credentials, secrets).

Authentication and access

  • Multi-factor authentication mandatory for all engineers on all production-adjacent accounts.
  • WebAuthn/FIDO2 (hardware security keys, biometric credentials) preferred over TOTP where supported.
  • Least-privilege IAM. Production access is gated by purpose and duration. Standing root credentials are not used for routine work.
  • Session management with device tracking and remote-revocation capability on the systems we ship for clients.

Secrets and credentials

  • No plaintext credentials in version control. Pre-commit hooks scan for accidental leakage.
  • Secrets stored in managed key stores (AWS Secrets Manager, AWS KMS, equivalent client systems). Application code reads at runtime.
  • Credential rotation policies on a per-engagement basis, written into runbooks, not relied on as institutional memory.

Software supply chain

  • Dependencies pinned and reviewed. Dependency upgrades go through CI and code review like any other change.
  • Automated vulnerability scanning of dependencies (npm audit, Go govulncheck, equivalent for client stacks) integrated into CI.
  • Signed and reproducible builds where the deployment platform supports them.
  • SBOM generation available on request for client engagements.

Network and platform

  • Production workloads run inside private subnets behind managed firewalls. Public ingress is restricted to known endpoints with WAF protection.
  • Inter-service communication authenticated and authorized — no implicit trust between services in the same VPC.
  • Audit logging on production data stores and on all administrative actions, retained per engagement requirements.

Application security

  • Standard input validation and output encoding to mitigate the OWASP Top 10 categories — injection, XSS, broken access control, etc.
  • CSRF protection on browser-served write endpoints; rate limiting on authentication and other abuse-sensitive endpoints.
  • Idempotency keys on transaction-mutating APIs (especially payments) so retries cannot double-charge or double-write.
  • Comprehensive structured logging that captures security-relevant events without logging secrets or PII.

3. Payments-specific controls

Where we ship payment processing, additional controls apply:

  • PCI scope reduction. Cardholder data is tokenized at the earliest possible boundary — typically at the processor or hosted-iframe layer. Our internal services do not store or process unmasked PANs.
  • Idempotency. Every transaction-mutating call carries an idempotency key. Retries are safe by construction.
  • Webhook signature verification. Webhooks from Stripe, FreedomPay, Dwolla, and similar providers are signature-verified before any business logic runs.
  • Reconciliation. Scheduled reconciliation jobs catch divergence between processor records and our own ledger; exceptions escalate to operators.
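Webhook signature verification as described above, written here as an added example (not code from Investment Fidelity Company LLC or from any provider's SDK): it assumes a Stripe-style header `t=<unix>,v1=<hex>` carrying an HMAC-SHA256 over `<timestamp>.<raw body>` with a shared secret, and a five-minute replay window; both the header layout and the tolerance are assumptions of this example. Tampered bodies, stale deliveries and malformed headers are all rejected before any business logic runs.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"strconv"
	"strings"
	"time"
)

// Tolerance is the replay window: deliveries with older timestamps are rejected.
const Tolerance = 5 * time.Minute

var (
	ErrMalformed = errors.New("webhook: malformed signature header")
	ErrExpired   = errors.New("webhook: timestamp outside tolerance")
	ErrSignature = errors.New("webhook: signature mismatch")
)

// Sign returns hex(HMAC-SHA256(secret, "<ts>.<body>")) under the assumed scheme.
func Sign(secret []byte, ts int64, body []byte) string {
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(strconv.FormatInt(ts, 10) + "."))
	mac.Write(body)
	return hex.EncodeToString(mac.Sum(nil))
}

// Verify checks a "t=<unix>,v1=<hex>" header against the exact body bytes received.
// now is injected so the replay window can be tested deterministically.
func Verify(secret []byte, header string, body []byte, now time.Time) error {
	tPart, vPart, ok := strings.Cut(header, ",")
	if !ok || !strings.HasPrefix(tPart, "t=") || !strings.HasPrefix(vPart, "v1=") {
		return ErrMalformed
	}
	ts, err := strconv.ParseInt(tPart[2:], 10, 64)
	if err != nil {
		return ErrMalformed
	}
	// Check freshness before touching the MAC so stale replays fail fast.
	if d := now.Sub(time.Unix(ts, 0)); d > Tolerance || d < -Tolerance {
		return ErrExpired
	}
	// Constant-time comparison: a plain == would leak timing on mismatch.
	if !hmac.Equal([]byte(Sign(secret, ts, body)), []byte(vPart[3:])) {
		return ErrSignature
	}
	return nil
}
```

Verify must receive the raw request bytes, never a re-serialised struct, or a valid signature will fail on whitespace or key-order differences.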

4. Personnel security

  • Background checks on engineers handling client production access where required by the engagement.
  • Confidentiality and IP-assignment provisions in all employment and contractor agreements.
  • Mandatory security awareness training, refreshed annually.

5. Incident response

If a security incident is suspected on our systems or on a system we operate for a client:

  1. The on-call engineer initiates the incident response runbook.
  2. The affected client (if applicable) is notified within 24 hours of confirmation, or sooner where the executed agreement requires it.
  3. Containment, eradication, and recovery are executed against the runbook.
  4. A written post-incident report is delivered within 7 days of resolution. The report covers root cause, blast radius, remediation, and prevention.

6. Responsible disclosure

If you've identified a security vulnerability in any property operated by Investment Fidelity Company LLC — including the website, our open-source libraries, or a system we operate for a client — we want to hear from you.

  • Email: security@investmentfidelity.company (preferred for all security disclosures).
  • Please include reproduction steps, affected URLs or endpoints, and any proof-of-concept payloads.
  • Do not publicly disclose the vulnerability before we've had a reasonable chance to remediate. We will acknowledge receipt within 2 business days and provide a remediation timeline within 5 business days.
  • We do not currently operate a paid bug-bounty program, but we publicly credit researchers who report responsibly.

7. Compliance posture

Investment Fidelity Company LLC is not, by itself, certified to any specific compliance framework (SOC 2, ISO 27001, etc.). We build to the controls those frameworks require, and we have shipped systems for clients who are themselves audited under those frameworks. If your engagement requires us to operate within a specific compliance perimeter — PCI, HIPAA, GDPR data-processor obligations, others — that is in scope and is captured in the executed agreement.

8. Updates to this policy

We revise this policy as our practices and applicable standards evolve. The "Last updated" date at the top reflects the most recent revision. Material changes will be communicated to active client engagements directly.

9. Contact

Security disclosures, audit-evidence requests, or vendor-due-diligence questionnaires:

Postal mail — registered legal address:

Investment Fidelity Company LLC
16557 Canyon Ln
Canyon Country, CA 91387
United States

Postal mail — operations address:

Investment Fidelity Company LLC
Clearwater, FL
United States