Security Policy

Last updated: February 2026

At HostFi, protecting your financial data is our top priority. This document outlines our security practices, infrastructure, and commitment to keeping your information safe.

Infrastructure Security

  • Hosting: HostFi is hosted on Vercel, which maintains SOC 2 Type II compliance and provides enterprise-grade DDoS protection, a Web Application Firewall (WAF), and automatic SSL/TLS certificate management.
  • Database: All application data is stored in Supabase (built on PostgreSQL), which maintains SOC 2 Type II compliance with data centers in the United States.
  • CDN & Edge: All traffic is served through Vercel's global edge network with automatic HTTPS enforcement. HTTP Strict Transport Security (HSTS) is enabled.

Encryption

  • In Transit: All data transmitted between your browser and HostFi is encrypted using TLS 1.2 or higher. API calls to third-party services (Plaid, PMS integrations) are also encrypted via TLS.
  • At Rest: All database data is encrypted at rest using AES-256 encryption, managed by our infrastructure provider (Supabase/AWS).
  • Credentials: Third-party integration credentials (OAuth tokens, API keys) are stored encrypted in the database and are never exposed to the client-side application.

Authentication & Access Control

  • User Authentication: Managed through Supabase Auth with bcrypt password hashing, secure session tokens, and support for Google OAuth single sign-on.
  • Row Level Security (RLS): PostgreSQL Row Level Security policies are enforced at the database level, ensuring users can only access their own data. Every query is scoped to the authenticated user — cross-user data access is architecturally impossible.
  • API Security: All API endpoints enforce server-side authentication via secure session validation. Unauthenticated requests are rejected before any data access occurs.
  • OAuth Integrations: Third-party connections (Google, Slack, OwnerRez) use industry-standard OAuth 2.0 flows. HostFi never sees or stores third-party passwords.

Financial Data Handling

  • Plaid Integration: Bank account connectivity is powered by Plaid, a SOC 2 Type II certified financial data platform. HostFi never has access to your bank login credentials — Plaid handles all bank authentication directly.
  • Minimal Data Collection: We only store transaction data necessary for expense matching and tax categorization. We do not store full bank account numbers, routing numbers, or bank login credentials.
  • No Data Selling: Your financial data is never sold to, shared with, or disclosed to third parties for marketing or advertising purposes. Period.
  • Data Retention: You can disconnect integrations and delete your data at any time from your dashboard settings.

Monitoring & Incident Response

  • Logging: Application errors, authentication events, and security-relevant actions are logged and monitored.
  • Infrastructure Monitoring: Uptime, performance, and security events are monitored through Vercel and Supabase's built-in observability tools.
  • Incident Response: In the event of a security incident, affected users will be notified promptly via email with details of the incident and recommended actions.

Vulnerability Disclosure

If you discover a security vulnerability in HostFi, please report it responsibly by emailing security@hostfi.ai. We take all reports seriously and will respond within 48 hours.

Compliance & Continuous Improvement

  • Vendor Compliance: Our core infrastructure providers (Vercel, Supabase, Plaid, Stripe) all maintain SOC 2 Type II certifications and undergo regular third-party security audits.
  • Payment Processing: All payment processing is handled by Stripe (PCI DSS Level 1 certified). HostFi never stores credit card numbers or payment credentials.
  • Policy Reviews: Security policies and practices are reviewed and updated on an ongoing basis as the company and threat landscape evolve.

Questions about our security practices? Contact us at security@hostfi.ai.