RPTrainor

Security Policy

Information Security

Information Security Policy

RPTrainor is committed to protecting the confidentiality, integrity, and availability of client financial data. This policy documents our security controls, practices, and incident response procedures.

Effective date: April 9, 2026 | Reviewed and updated continuously.

Encryption standards

  • All data in transit is encrypted using TLS 1.2 or higher.
  • All data at rest is encrypted using AES-256 encryption via Cloudflare D1.
  • API authentication credentials (Plaid, Twilio, Anthropic) are stored as encrypted Cloudflare Worker secrets, never in source code or configuration files.
  • Database connections are encrypted end-to-end within Cloudflare's network.

Access controls

  • Administrative access to production systems is restricted to authorized personnel and protected by strong authentication.
  • API endpoints are secured with authentication tokens and validated on every request.
  • Plaid access tokens are stored encrypted and scoped to the minimum permissions required.
  • End-user data access is isolated per user through Cloudflare Durable Objects, ensuring no cross-user data leakage.
  • Third-party service provider access (Plaid, Anthropic, Twilio) is limited to the minimum data necessary to perform their function.

Cloud Infrastructure

Infrastructure security

  • Application infrastructure is hosted entirely on Cloudflare's global network, benefiting from Cloudflare's enterprise-grade security, DDoS protection, and SOC 2 Type II compliance.
  • Cloudflare Workers run in an isolated V8 runtime with no shared memory or filesystem between requests.
  • Cloudflare D1 (SQLite-based database) provides encrypted storage with automatic backups.
  • Cloudflare Durable Objects provide strongly consistent, per-user state isolation.
  • No self-managed servers, operating systems, or network infrastructure to patch or maintain.

Data handling and minimization

  • Financial data retrieved via Plaid is stored only in Cloudflare D1 with encryption at rest.
  • Data sent to Anthropic's Claude API for analysis is transmitted over encrypted channels and is not retained by Anthropic for model training.
  • Only the minimum data necessary for each operation is transmitted to third-party service providers.
  • End-user financial credentials are never stored by RPTrainor; authentication with financial institutions is handled entirely by Plaid.
  • Plaid access tokens are the only persistent connection data stored, and these can be revoked by the end user at any time.

Monitoring and logging

  • Application errors and anomalies are monitored via Sentry, with real-time alerting.
  • User activity and system events are tracked via PostHog analytics for operational insight.
  • All API requests are logged for audit purposes.
  • Suspected security incidents are investigated immediately and affected users are notified within 72 hours of confirmation.

Incident Response

Security incident response plan

In the event of a suspected or confirmed security incident involving end-user data, RPTrainor follows this response procedure:

  1. Identify and contain the incident to prevent further unauthorized access.
  2. Assess the scope and impact, including which data and users are affected.
  3. Notify affected end users and relevant authorities within 72 hours of confirmation, as required by applicable law.
  4. Remediate the root cause and implement controls to prevent recurrence.
  5. Document the incident, response actions, and lessons learned.

To report a security concern, contact us at ryan@rptrainor.com .

Third-party vendor security

All third-party service providers are evaluated for security practices and compliance certifications before integration.

Cloudflare

SOC 2 Type II, ISO 27001, PCI DSS Level 1, FedRAMP

Plaid

SOC 2 Type II, ISO 27001, annual penetration testing

Anthropic

SOC 2 Type II, data processing agreements, no training on API data

Twilio

SOC 2 Type II, ISO 27001, HIPAA eligible

Vulnerability management

  • Dependencies are monitored for known vulnerabilities and updated promptly.
  • Application code is reviewed prior to deployment to production.
  • Cloudflare's managed infrastructure eliminates the need for OS-level patching.
  • Security-related findings are prioritized and remediated based on severity.

Patch management SLA

Identified vulnerabilities are remediated according to the following service level targets based on severity:

  • Critical (CVSS 9.0+): Patched or mitigated within 24 hours of discovery.
  • High (CVSS 7.0–8.9): Patched within 72 hours of discovery.
  • Medium (CVSS 4.0–6.9): Patched within 30 days.
  • Low (CVSS 0.1–3.9): Addressed in the next scheduled maintenance cycle.

Compliance

RPTrainor's security practices are designed to align with the Gramm-Leach-Bliley Act (GLBA) Safeguards Rule, Plaid's Developer Policy, and industry best practices for handling financial data.

Policy Review

This policy is reviewed and updated as the platform evolves, new services are integrated, or regulatory requirements change. Material changes are documented with an updated effective date.

Contact

For security-related questions, concerns, or to report a vulnerability, contact:

Ryan Trainor, Founder & CEO
ryan@rptrainor.com

What gets measured gets managed.