Financial Data Security Policy

Last updated: April 9, 2026

1. Overview

KinKeep integrates with Plaid Inc. (“Plaid”) to enable caregivers to monitor financial activity on behalf of senior family members. This policy describes the technical and organizational safeguards KinKeep applies to financial data obtained through Plaid, the lifecycle of that data, and the rights you retain over it.

This policy supplements our Privacy Policy and Terms of Use. In the event of a conflict, this policy governs with respect to financial data obtained through Plaid.

2. Scope

This policy applies to all financial data that KinKeep obtains, processes, or stores through its Plaid integration, including:

  • Bank account metadata (institution name, account type, last four digits)
  • Transaction history (up to 90 days)
  • Derived data such as subscription detection results and fraud analysis alerts
  • Plaid access tokens and item identifiers

3. How KinKeep Uses Plaid

KinKeep uses a single Plaid product: Transactions. This grants read-only access to transaction history and account metadata. KinKeep does not use Plaid products that enable money movement, identity verification, or balance checks.

The integration flow works as follows:

  1. Link initiation: KinKeep requests a temporary Link token from Plaid. Your bank credentials are entered directly in Plaid’s hosted interface and are never transmitted to or visible to KinKeep.
  2. Token exchange: After you authenticate with your bank, Plaid returns a one-time public token. KinKeep exchanges this for a persistent access token, which is immediately encrypted before storage.
  3. Transaction sync: KinKeep uses the encrypted access token to periodically fetch transaction data from Plaid. Transactions are stored in our database and used for subscription detection and fraud alerting.

4. Financial Data Collected

When you connect a bank account through Plaid, KinKeep collects and stores:

  • Account metadata: Institution name, account type (checking, savings, credit, etc.), account subtype, and the last four digits of the account number.
  • Transaction data: Transaction ID, amount, date, merchant name, category, and pending status for the most recent 90 days.
  • Connection metadata: Plaid item ID, connection status, and last sync timestamp.

KinKeep does not collect or store:

  • Bank login credentials (usernames or passwords)
  • Full account numbers or routing numbers
  • Account balances
  • Investment holdings or positions
  • Identity documents or social security numbers

5. Credential & Token Handling

KinKeep never receives, processes, or stores your bank login credentials. All credential entry occurs within Plaid’s PCI-compliant hosted Link interface.

Plaid access tokens — the persistent credentials used to fetch transaction data — are handled as follows:

  • Encrypted immediately upon receipt, before being written to the database.
  • Decrypted only in-memory at the moment of a Plaid API call, and never logged or cached in plaintext.
  • Never exposed to client-side code, browser storage, or API responses.
  • Never shared with third parties.

Plaid API credentials (client ID and secret) are stored as environment variables in our hosting provider’s encrypted secrets manager and are never committed to source code or exposed to the client.

6. Encryption Standards

KinKeep applies encryption at multiple layers:

  • In transit: All communication between KinKeep, Plaid, and your browser uses TLS 1.2 or higher.
  • At rest: The database is encrypted at rest using AES-256 via our infrastructure provider.
  • Application-level: Plaid access tokens are encrypted with AES-256-GCM using a dedicated encryption key before database storage, providing an additional layer of protection beyond infrastructure-level encryption.
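
The application-level token encryption described in sections 5 and 6 can be sketched as follows. This is an added example, not KinKeep's code: the function names and the stored layout (nonce, tag, ciphertext) are hypothetical, and binding the Plaid item ID as additional authenticated data is an assumption that goes beyond what this policy states.

```javascript
// Added example, not KinKeep's code. Names and record layout are hypothetical.
const crypto = require('node:crypto');

const ALG = 'aes-256-gcm';
const IV_LEN = 12;  // 96-bit nonce, the recommended size for GCM
const TAG_LEN = 16; // full-length authentication tag

// Encrypt an access token before it is written to the database.
// itemId is bound as additional authenticated data (AAD, an assumption here),
// so a ciphertext copied onto another row fails authentication on decrypt.
function sealToken(key, itemId, accessToken) {
  if (key.length !== 32) throw new Error('key must be 32 bytes');
  const iv = crypto.randomBytes(IV_LEN); // fresh per encryption, never reused with a key
  const cipher = crypto.createCipheriv(ALG, key, iv, { authTagLength: TAG_LEN });
  cipher.setAAD(Buffer.from(itemId, 'utf8'));
  const ct = Buffer.concat([cipher.update(accessToken, 'utf8'), cipher.final()]);
  // Stored form: iv || tag || ciphertext, base64 encoded
  return Buffer.concat([iv, cipher.getAuthTag(), ct]).toString('base64');
}

// Decrypt in memory just before an API call. Throws if anything was modified.
function openToken(key, itemId, sealed) {
  const raw = Buffer.from(sealed, 'base64');
  if (raw.length < IV_LEN + TAG_LEN) throw new Error('sealed token too short');
  const iv = raw.subarray(0, IV_LEN);
  const tag = raw.subarray(IV_LEN, IV_LEN + TAG_LEN);
  const ct = raw.subarray(IV_LEN + TAG_LEN);
  const decipher = crypto.createDecipheriv(ALG, key, iv, { authTagLength: TAG_LEN });
  decipher.setAAD(Buffer.from(itemId, 'utf8'));
  decipher.setAuthTag(tag);
  return Buffer.concat([decipher.update(ct), decipher.final()]).toString('utf8');
}

// True when decryption is rejected (wrong row, tampered bytes, or wrong key).
function isRejected(key, itemId, sealed) {
  try { openToken(key, itemId, sealed); return false; } catch { return true; }
}

// Constructed sample values; a real key would come from the secrets manager.
const demoKey = crypto.randomBytes(32);
const demoSealed = sealToken(demoKey, 'item-A', 'access-sandbox-constructed-token');
console.log(openToken(demoKey, 'item-A', demoSealed)); // original token
console.log(isRejected(demoKey, 'item-B', demoSealed)); // true: bound to item-A
```

Because GCM authenticates as well as encrypts, a modified or misplaced ciphertext raises an error instead of yielding a wrong token.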

7. Authentication & Session Security

KinKeep requires authentication before any financial data or Plaid Link is accessible. The following controls are in place:

  • Password security: All passwords are hashed using bcrypt with a cost factor of 12. Plaintext passwords are never stored or logged.
  • Session management: Sessions are issued as HTTP-only, secure JWT cookies with a 7-day expiry. Tokens are signed with a minimum 256-bit secret and include a version field to support immediate session invalidation.
  • Brute-force protection: Sign-in endpoints are rate-limited both per-IP (5 attempts per minute) and per-account (10 attempts per 15 minutes) to prevent credential stuffing.
  • Security headers: All responses include HSTS, Content-Security-Policy, X-Frame-Options, and X-Content-Type-Options headers.

KinKeep does not currently require multi-factor authentication (MFA) for consumer accounts. MFA is on our security roadmap and will be implemented as the platform matures. Administrative access to infrastructure and production systems requires MFA.

8. Access Control

Access to financial data within KinKeep is restricted by role-based permissions:

  • Only authenticated caregivers who own or have been invited to a senior profile can view that profile’s financial data.
  • All financial data API endpoints require authentication and verify profile ownership before returning data.
  • API endpoints that interact with Plaid are rate-limited to prevent abuse (10 requests per 60-second window per user).
  • Administrative database access is restricted to essential personnel and requires multi-factor authentication.

9. Vulnerability Management

KinKeep maintains an active vulnerability management program to detect and remediate security issues across the application and its dependencies:

  • Dependency scanning: Automated dependency audits are performed regularly using npm audit and GitHub Dependabot to identify and patch known vulnerabilities in third-party packages.
  • Code review: All code changes undergo peer review before being merged into the production branch.
  • Secure development practices: The development team follows OWASP guidelines to prevent common vulnerabilities including injection attacks, cross-site scripting (XSS), and broken authentication.
  • Infrastructure patching: Our hosting provider (Vercel) and database provider apply security patches to managed infrastructure on an ongoing basis.

11. Data Retention & Deletion

Financial data is retained for as long as the associated bank account connection is active and the senior profile exists. When data is deleted, the following procedures apply:

  • Account disconnection: When a caregiver disconnects a bank account, the Plaid access token is revoked via the Plaid API and deleted from our database. Historical transaction data associated with that account is also deleted.
  • Senior profile deletion: All financial accounts, transactions, and derived data (subscriptions, alerts) associated with the profile are deleted.
  • User account deletion: A 30-day grace period applies. After 30 days, all associated data — including Plaid tokens, financial accounts, and transactions — is permanently and irreversibly deleted.

Transaction data is synced on a rolling 90-day window. Older transactions are not re-fetched once they fall outside this window.

12. Environment Controls

KinKeep maintains separate Plaid environments for development and production:

  • Sandbox: Used for development and automated testing. Uses Plaid’s synthetic test data — no real financial data is involved.
  • Development: Used for integration testing with real bank connections but limited data access.
  • Production: Used for live user connections. Production API credentials are isolated from development credentials and stored in a separate secrets manager.

Plaid API credentials are never shared across environments. Promotion from development to production requires review and approval.

13. Incident Response

In the event of a suspected or confirmed security incident involving financial data, KinKeep will:

  1. Contain: Immediately revoke affected Plaid access tokens and disable compromised API credentials.
  2. Investigate: Determine the scope and root cause of the incident using application logs and audit trails.
  3. Notify: Inform affected users within 72 hours of confirmation, consistent with applicable breach notification laws (including GDPR and state-level requirements).
  4. Remediate: Rotate all Plaid credentials, patch the underlying vulnerability, and update security controls as needed.
  5. Report: File required regulatory notifications and cooperate with Plaid’s security team as applicable.

Security incidents can be reported to security@trykinkeep.com.

14. Plaid’s Security Posture

Plaid Inc. maintains its own comprehensive security program. Key elements include:

  • SOC 2 Type II certification, audited annually.
  • Data encrypted in transit and at rest across all Plaid systems.
  • PCI DSS compliance for handling payment card data.
  • Regular penetration testing and vulnerability assessments.

For details on Plaid’s security practices, visit plaid.com/security. KinKeep is responsible for its own security controls and does not make representations about Plaid’s security beyond what Plaid publicly discloses.

15. Your Rights

You retain full control over your financial data connections:

  • Disconnect at any time: You can disconnect any bank account from KinKeep’s dashboard settings, which revokes the Plaid token and deletes stored data.
  • Data export: You can export all stored financial data via your account settings.
  • Revoke via Plaid: You can also revoke KinKeep’s access directly through Plaid’s consumer portal at my.plaid.com.
  • Request deletion: You may request deletion of all financial data by contacting legal@trykinkeep.com.

16. Contact

For questions about this policy or KinKeep’s handling of financial data: