Last Updated: February 7, 2026

Security

Security is at the core of everything we do. We employ industry-leading standards to protect your data.

1. Security Overview

Our security program follows recognized industry standards and best practices. We apply a defense-in-depth strategy, layering multiple independent security controls so that no single failure exposes your data.

  • Security by Design: Integrated into every aspect of our platform.
  • Zero Trust Architecture: We verify every access request.
  • Continuous Monitoring: 24/7 security monitoring and threat detection.
  • Regular Testing: Ongoing security assessments.
  • Compliance First: Adherence to industry standards.

2. Data Encryption

2.1 Encryption in Transit

All data transmitted between your browser or application and our servers is encrypted with TLS 1.3 using the AES-256-GCM cipher suite (TLS_AES_256_GCM_SHA384).

2.2 Encryption at Rest

All customer data stored on our servers is encrypted at rest with AES-256, with the encryption keys managed in AWS Key Management Service (KMS).

3. Infrastructure Security

Our infrastructure is hosted on Amazon Web Services (AWS), which holds SOC 2 Type II, ISO 27001, and PCI DSS Level 1 certifications. We utilize multi-layered firewalls, DDoS protection (Cloudflare), and strict network segmentation.

4. Application Security

  • Secure Development Lifecycle: Security is integrated into all phases of development.
  • Vulnerability Management: Automated daily scans and annual penetration testing.
  • Secure Coding Practices: Input validation, output encoding, and CSRF protection.
  • API Security: OAuth 2.0, rate limiting, and strict input validation.

5. Access Controls

We enforce strict access controls including:

  • Multi-Factor Authentication (MFA): Recommended for all users, required for admins.
  • Single Sign-On (SSO): Available on Enterprise plans (SAML 2.0).
  • Role-Based Access Control (RBAC): Granular permissions for different user roles.

6. Monitoring and Incident Response

We maintain 24/7 security monitoring with real-time alerting. Our Incident Response Plan defines how security events are triaged, contained, and resolved, and we notify affected customers within 72 hours of confirming a breach, matching the 72-hour deadline the GDPR sets for notifying supervisory authorities.

7. Data Protection

We adhere to data minimization principles and ensure customer data is physically and logically isolated.

  • Backups: Encrypted backups every 6 hours with 30-day retention.
  • Disaster Recovery: Recovery Point Objective (RPO) of 6 hours, Recovery Time Objective (RTO) of 4 hours.
  • Deletion: Data is securely wiped within 90 days of account closure.

8. Compliance and Certifications

We are committed to maintaining the highest standards of compliance:

  • SOC 2 Type II: In progress (Q1 2026).
  • GDPR: Fully compliant.
  • CCPA: Fully compliant.
  • PCI DSS: Payment processing is handled by Stripe, a PCI DSS Level 1 Service Provider.

9. Reporting Security Vulnerabilities

We welcome responsible disclosure. If you find a vulnerability, please report it to security@wheremymoneywent.cloud.

We commit to acknowledging receipt within 24 hours and fixing critical vulnerabilities within 48 hours.

10. Contact Security Team

For security inquiries, vulnerability reports, or incident reporting:

Where My Money Went Security Team

Email: security@wheremymoneywent.cloud