Pocket Piggy - Information Security Policy

Confidential

1. Purpose & Scope

This document defines the information security practices for Pocket Piggy, a personal finance mobile application. It covers all systems, data, and processes involved in the development, deployment, and operation of the application and its supporting infrastructure.

Pocket Piggy is a privacy-first application. Its core security principle is: financial data never leaves the user's device. All transaction data, budget information, and spending history is stored locally in AES-256 encrypted storage. Server-side infrastructure handles authentication, subscription management, and optional AI-powered features only.

2. Application Architecture

Layer	Technology	Security Measures
Mobile Client	Flutter (Dart)	AES-256 encrypted local storage (Hive), biometric lock, certificate pinning
Authentication	Firebase Auth	Email verification, Google OAuth 2.0, Apple Sign-In, session management
Backend Functions	Firebase Cloud Functions (Node.js 20)	HTTPS-only, authenticated endpoints, environment variable secrets
Database	Cloud Firestore	Security rules, encrypted at rest (Google-managed), non-financial data only
Bank Sync	Plaid API v26	Server-side token exchange only, access tokens never stored on device
Payments	RevenueCat	No direct payment processing; delegated to App Store / Play Store
AI Services	OpenAI GPT-4o (via Cloud Functions)	Server-side only, no PII sent, vendor/category data only
Hosting	Google Cloud Platform (Firebase)	SOC 2, ISO 27001 certified infrastructure

3. Data Classification

3.1 Data Categories

Classification	Data Types	Storage Location	Encryption
HIGH Financial	Transactions, budgets, account balances, spending history	Device only (Hive)	AES-256-CBC
HIGH Credentials	Plaid access tokens, API keys	Server only (Firebase env)	Google KMS
Medium — Profile	Name, email, preferences, gamification progress	Cloud Firestore	At rest (Google-managed)
Low — Analytics	Feature usage events (no PII)	Firebase Analytics	At rest (Google-managed)

3.2 Data Flow — Plaid Integration

User initiates bank linking via Plaid Link SDK (native, on-device)
Plaid returns a public_token to the device
Device sends public_token to Firebase Cloud Function over HTTPS
Cloud Function exchanges it for an access_token via Plaid API (server-to-server)
access_token stored server-side in Firestore (encrypted at rest) — never sent to device
Transaction data fetched server-side, returned to device, stored in encrypted Hive box
On device deletion or account deletion, local encrypted data is wiped

4. Encryption Standards

Context	Method	Key Management
Local financial data	AES-256-CBC (Hive encrypted boxes)	Per-user key generated at first launch, stored in platform secure storage (Android Keystore / iOS Keychain)
Data in transit	TLS 1.2+ (HTTPS)	Firebase-managed certificates
Firestore at rest	AES-256	Google Cloud KMS (automatic)
Cloud Function secrets	Environment variables	Firebase project-level access control

5. Authentication & Access Control

5.1 User Authentication

Firebase Authentication with email/password and Google OAuth 2.0
Email verification required before full access
Optional biometric lock (Face ID / fingerprint) for app re-entry
Session tokens managed by Firebase SDK with automatic refresh

5.2 Infrastructure Access

System	Access Control	Who Has Access
Firebase Console	Google account with 2FA	Owner only
Plaid Dashboard	Account with 2FA	Owner only
RevenueCat Dashboard	Account with 2FA	Owner only
GitHub Repository	Private repo, SSH keys	Owner only
Google Play Console	Google account with 2FA	Owner only
Apple Developer Account	Apple ID with 2FA	Owner only

5.3 Firestore Security Rules

Users can only read/write their own documents (request.auth.uid == resource.data.userId)
Cloud Functions use admin SDK for cross-user operations (webhook handlers)
No public read/write access to any collection

6. Third-Party Integrations

Provider	Purpose	Data Shared	Compliance
Plaid	Bank account linking & transaction fetch	Access tokens (server-side only)	SOC 2 Type II, ISO 27001
Firebase / GCP	Auth, database, cloud functions, analytics	User profiles, non-financial data	SOC 2, ISO 27001, FedRAMP
RevenueCat	Subscription management	Anonymous user ID, purchase receipts	SOC 2 Type II
OpenAI	AI categorization & tips	Vendor names only (no PII, no amounts)	SOC 2 Type II
exchangerate.host	Currency exchange rates	None (public API, no auth)	N/A

7. Vulnerability Management

Dependencies: Flutter and Node.js dependencies reviewed for known vulnerabilities using flutter pub outdated and npm audit
Static analysis: flutter analyze run before each release to catch code quality and security issues
Code review: All changes reviewed before merge to main branch
Platform updates: Flutter SDK and Firebase dependencies kept current with stable channel releases
No direct SQL/NoSQL queries: All database access through Firebase SDK (prevents injection)

8. Incident Response

8.1 Detection

Firebase Crashlytics monitors application crashes and errors in real-time
Cloud Function error logging via Google Cloud Logging
Plaid webhook monitoring for unauthorized access attempts
RevenueCat webhook monitoring for subscription anomalies

8.2 Response Procedure

Severity	Example	Response Time	Action
Critical	Plaid token compromise, data breach	Immediate	Revoke tokens, notify Plaid, notify affected users, rotate secrets
High	Firebase rules misconfiguration, API key exposure	< 4 hours	Fix configuration, rotate keys, audit access logs
Medium	Dependency vulnerability (CVE)	< 48 hours	Update dependency, test, deploy patch
Low	Non-critical bug, UI issue	Next release cycle	Fix and deploy in next update

9. Data Retention & Deletion

Local data: Persists until user deletes the app or explicitly deletes their account via in-app settings
Firestore data: Deleted when user requests account deletion (cascading delete of all subcollections)
Plaid connection: Access token revoked on account deletion via Plaid API
Analytics data: Retained per Firebase Analytics default retention (14 months, anonymized)
Cloud Function logs: Retained per Google Cloud default (30 days)

10. Privacy Practices

Financial data stored exclusively on-device in AES-256 encrypted storage
No financial data transmitted to or stored on any server
No advertising SDKs or third-party tracking
No data sold or shared with third parties
AI categorization uses vendor names only — no account numbers, no balances, no PII
Users can export or delete all their data at any time
Privacy policy available in-app and at published URL

11. Physical Security

Pocket Piggy has no on-premise infrastructure. All server-side components run on Google Cloud Platform (Firebase), which maintains physical security controls including:

SOC 2 Type II certified data centers
24/7 security monitoring, biometric access controls
Redundant power, cooling, and network infrastructure
Geographic redundancy across multiple availability zones

Development is conducted on encrypted devices with full-disk encryption and biometric/password lock.

12. Policy Review

This policy is reviewed and updated at minimum annually, or whenever significant changes are made to the application architecture, third-party integrations, or data handling practices.