Security Practices

FundlyHub protects your data through multiple layers of security controls spanning infrastructure, application, development, monitoring, and data protection.

Infrastructure Security

AWS · VPC Isolation · AES-256

Hosted on AWS with VPC network isolation — all backend services run in private subnets.

Data encrypted at rest using AES-256 (AWS-managed keys) across all storage services.

All data in transit secured with TLS 1.2+ — enforced at CloudFront, ALB, and database layers.

Database access restricted to private subnet — no public endpoint exposure.

Security groups follow least-privilege networking rules: each service is reachable only on the ports it needs and only from the sources that need to reach it.

Automated backups with 1-hour Recovery Point Objective (RPO) and 4-hour Recovery Time Objective (RTO).

Application Security

RBAC · MFA · Rate Limiting

Role-Based Access Control (RBAC) enforces least-privilege access across all application endpoints.

Authentication powered by AWS Cognito with multi-factor authentication (MFA) support.

Auth Risk Engine monitors and rate-limits suspicious login patterns automatically.

Resource ownership is derived server-side from the authenticated identity, never from identifiers supplied by the client, so users can only access their own resources (Trust Gates).

All API inputs validated with strict schema enforcement.

Payment processing handled by Stripe (PCI DSS Level 1) — no card data touches our servers.

Development Security

CI/CD · Branch Protection · Dependency Scanning

All code changes require Pull Requests with CI checks passing before merge.

Branch protection prevents direct pushes to production branches.

Automated dependency vulnerability scanning (Dependabot) on every build.

Container images scanned for vulnerabilities on every push to ECR.

TypeScript strict mode enforced — no implicit any types.

Secrets managed via AWS — never committed to source control.

Monitoring & Incident Response

24/7 Monitoring · Sentry · CloudWatch

Real-time application error monitoring via Sentry with instant alerting.

AWS CloudWatch monitors infrastructure metrics, logs, and health continuously.

Structured incident response process with defined severity levels (P1–P4).

Quarterly restore testing validates backup and recovery procedures.

Security incidents documented with root cause analysis and remediation tracking.

Data Protection

4-Tier Classification · PCI SAQ-A

Data classified into 4 tiers (Restricted → Public) with handling rules per tier.

PCI compliance via Stripe Elements — SAQ-A eligible. No cardholder data stored.

Personal data access logged and auditable.

Quarterly access reviews verify all user privileges remain appropriate.

Vendor data processing agreements (DPAs) in place for all critical subprocessors.

Last updated: February 2026