No Guilt Money is committed to protecting the security of your financial data. This page describes our security practices, architecture, and compliance posture.
Security Status
TLS 1.2+ encryption in transit: ✓ Enforced
Database SSL connections required: ✓ Enforced
Passwords hashed with bcrypt: ✓ Cost factor 12
JWT authentication on all API endpoints: ✓ Active
TOTP two-factor authentication: ✓ Available
Rate limiting on auth endpoints: ✓ Active
Security headers (HSTS, CSP, X-Frame-Options): ✓ Enforced via CloudFront
Audit logging on all sensitive actions: ✓ Active
Plaid integration (read-only bank data): ✓ Sandbox
Information Security Policy
Scope
This policy applies to all systems, personnel, and third-party services involved in the operation of No Guilt Money, including AWS infrastructure, database systems, and external API integrations.
Access Control
All user access requires authenticated JWT tokens (30-day expiry)
Role-based access: admin and member roles
API keys and secrets are stored as environment variables in AWS Lambda — never in code or version control
AWS IAM follows least-privilege principle: each service role has only the permissions it requires
Database access is restricted to application-tier Lambda functions; no direct public database access
Multi-factor authentication is enforced for all administrative AWS access
Zero Trust Architecture
Every API request requires a valid JWT — there are no implicit trust relationships between services
Database connections are authenticated with credentials per request; no persistent privileged connections
Plaid access tokens are scoped to read-only balance data only
Gmail OAuth tokens use minimum required scopes (gmail.readonly)
CloudFront enforces HTTPS-only access; HTTP requests are redirected
Data Classification
Highly Sensitive: Password hashes, TOTP secrets, bank access tokens, Plaid item IDs — encrypted at rest, never logged
Sensitive: Email addresses, account balances, bill amounts — accessible only to authenticated account owner
Internal: Audit logs, system metrics — accessible to admins only
Vulnerability Management
Dependency Scanning
npm audit is run before every production deployment to identify known vulnerabilities in dependencies
Dependencies are reviewed and updated on a monthly cadence
Critical vulnerabilities (CVSS ≥ 9.0) are patched within 24 hours of identification
High vulnerabilities (CVSS 7.0–8.9) are patched within 7 days
Medium vulnerabilities are patched within 30 days and Low vulnerabilities within 90 days, normally as part of the monthly scheduled update cycle
EOL Software Policy
Node.js runtime is kept on LTS versions only; EOL versions are not used in production
AWS Lambda runtime versions are reviewed quarterly and updated before EOL
PostgreSQL major version is reviewed annually; upgrades are planned before vendor EOL
Patching SLA
Critical (CVSS 9.0–10.0): 24 hours
High (CVSS 7.0–8.9): 7 days
Medium (CVSS 4.0–6.9): 30 days
Low (CVSS 0.1–3.9): 90 days
Identity & Access Management
User accounts are managed via the Mayday API with bcrypt-hashed passwords
TOTP-based two-factor authentication is supported and encouraged for all users
Sessions expire after 30 days; users can log out to invalidate their session immediately
Password reset is handled via secure temporary password delivered through a verified notification channel
User accounts can be deactivated immediately by admins; deactivated accounts cannot log in
When a user's access is terminated (account deletion), all linked bank accounts and email tokens are revoked within 24 hours
Access Reviews
User accounts and API integrations are reviewed quarterly. Inactive accounts (no login in 90 days) are flagged for review and may be deactivated.
Incident Response
Detection
All authentication events are logged with IP address and timestamp
Failed login attempts trigger rate limiting after 5 attempts per 15 minutes
Anomalous access patterns trigger Telegram alerts to administrators
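The failed-login rule above (rate limiting after 5 attempts per 15 minutes), as an added example written for this page rather than No Guilt Money's own code. It implements a sliding-window lockout, then replays constructed authentication log lines through it to show which events would warrant an administrator alert. The log format (`timestamp event ip username`), the event names, and the choice to key the limiter on source IP plus account are all assumptions made for the example:

```javascript
// Added example, not No Guilt Money's code: sliding-window lockout after
// 5 failed logins in 15 minutes, plus a detector replayed over sample logs.
// Assumed log format: "<ISO timestamp> <login_failed|login_ok> <ip> <username>".
const MAX_FAILURES = 5;
const WINDOW_MS = 15 * 60 * 1000;

class FailedLoginLimiter {
  constructor(maxFailures = MAX_FAILURES, windowMs = WINDOW_MS) {
    this.max = maxFailures;
    this.windowMs = windowMs;
    this.failures = new Map(); // key -> failure timestamps (ms) inside the window
  }
  // Drop failures older than the window and return what remains.
  _prune(key, nowMs) {
    const cutoff = nowMs - this.windowMs;
    const kept = (this.failures.get(key) || []).filter(t => t > cutoff);
    this.failures.set(key, kept);
    return kept;
  }
  isBlocked(key, nowMs) {
    return this._prune(key, nowMs).length >= this.max;
  }
  // Records a failure and returns the count inside the window.
  recordFailure(key, nowMs) {
    const kept = this._prune(key, nowMs);
    kept.push(nowMs);
    return kept.length;
  }
  // A successful login resets the counter for that key.
  recordSuccess(key) {
    this.failures.delete(key);
  }
}

// Parses one constructed log line into its fields.
function parseLine(line) {
  const [ts, event, ip, user] = line.trim().split(/\s+/);
  return { t: Date.parse(ts), event, ip, user };
}

// Replays log lines in order and returns the alerts an admin would receive:
// one when the lockout trips, and one for every attempt made while locked.
function detect(lines) {
  const limiter = new FailedLoginLimiter();
  const alerts = [];
  for (const line of lines) {
    const { t, event, ip, user } = parseLine(line);
    const key = `${ip}|${user}`; // assumption: limit per source IP and account
    if (limiter.isBlocked(key, t)) {
      alerts.push({ t: new Date(t).toISOString(), kind: 'attempt_while_locked', ip, user });
      continue; // refused before the password is even checked
    }
    if (event === 'login_failed') {
      const n = limiter.recordFailure(key, t);
      if (n === limiter.max) {
        alerts.push({ t: new Date(t).toISOString(), kind: 'lockout', ip, user });
      }
    } else if (event === 'login_ok') {
      limiter.recordSuccess(key);
    }
  }
  return alerts;
}

// Constructed sample log: five failures in five minutes trip the limiter, the
// sixth attempt is refused, and a retry after the window has passed is accepted.
const SAMPLE_LOG = [
  '2024-05-01T10:00:00Z login_failed 203.0.113.5 alice',
  '2024-05-01T10:01:00Z login_failed 203.0.113.5 alice',
  '2024-05-01T10:02:00Z login_failed 203.0.113.5 alice',
  '2024-05-01T10:03:00Z login_failed 203.0.113.5 alice',
  '2024-05-01T10:04:00Z login_failed 203.0.113.5 alice',
  '2024-05-01T10:05:00Z login_failed 203.0.113.5 alice',
  '2024-05-01T10:06:00Z login_ok     198.51.100.7 bob',
  '2024-05-01T10:20:00Z login_ok     203.0.113.5 alice',
];

console.log(detect(SAMPLE_LOG));
```

Failures are counted per window rather than reset on a fixed schedule, so an attacker cannot time attempts around a clock boundary, and a refused attempt is not counted as a new failure, which keeps the lockout from extending itself indefinitely.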
Response
Security incidents are classified and responded to within 4 hours of detection
Affected users are notified within 72 hours of a confirmed breach (in compliance with applicable law)
Plaid is notified immediately if we detect unauthorized access to banking data
Consumer-Facing Application Security
The No Guilt Money application supports TOTP-based multi-factor authentication
MFA is available in Settings and is actively encouraged during onboarding
Authentication tokens are JWTs with a 30-day expiry; logging out invalidates the session immediately
HTTPS is enforced on all connections — no HTTP access permitted
Responsible Disclosure
If you discover a security vulnerability in No Guilt Money, please report it to security@noguilt.money. We will acknowledge receipt within 24 hours and work to address valid vulnerabilities promptly.