Security at Incremenza

Last Updated: June 4, 2026

Security is fundamental to everything we build at Incremenza. This page outlines the comprehensive security measures we implement to protect your financial data, business information, and privacy.

1. Data Encryption

1.1 Encryption in Transit

  • TLS 1.2+: All data transmitted between your browser and our servers is encrypted using Transport Layer Security (TLS) 1.2 or higher
  • HTTPS Everywhere: Our entire platform is served exclusively over HTTPS - unencrypted HTTP connections are not permitted
  • API Security: All API requests to third-party integrations (Stripe, Plaid, QuickBooks, Square, PayPal) use encrypted connections
  • Certificate Management: We use industry-standard SSL/TLS certificates with automatic renewal to prevent expiration

1.2 Encryption at Rest

  • Database Encryption: All database storage uses encryption at rest on our hosting infrastructure
  • OAuth Token Encryption: Access tokens and refresh tokens for connected integrations (Plaid, QuickBooks, Stripe, Square, PayPal) are encrypted with Laravel's application-level encryption using AES-256-CBC
  • Encrypted Backups: Database backups are encrypted and stored in geographically separate locations
  • No Plain Text Credentials: Passwords are hashed using bcrypt (an industry-standard one-way hashing algorithm) - we never store passwords in plain text or reversible encryption

1.3 Payment Card Data

  • PCI DSS Compliance: Payment card data is handled exclusively by Stripe, a PCI DSS Level 1 certified payment processor
  • No Card Storage: Incremenza never stores full credit card numbers, CVV codes, or unencrypted card data
  • Tokenization: Card information is tokenized by Stripe - we store only non-sensitive tokens
  • Last 4 Digits Only: We display only the last 4 digits of cards for user reference

2. Authentication and Access Control

2.1 User Authentication

  • Secure Password Requirements: Passwords must meet minimum complexity requirements (minimum 8 characters, combination of letters and numbers recommended)
  • Bcrypt Hashing: Passwords are hashed using bcrypt with a cost factor of 12 (computational difficulty that prevents brute-force attacks)
  • Session Management: Secure, httpOnly cookies with strict same-site policies prevent session hijacking and CSRF attacks
  • Session Timeout: Sessions expire after periods of inactivity for security
  • Account Lockout: Repeated failed login attempts trigger temporary account lockout to prevent brute-force attacks

2.2 Multi-Tenant Data Isolation

  • Company-Level Scoping: All data is strictly scoped to individual companies - users can only access data belonging to their organization
  • Global Query Scopes: Automatic filtering at the database query level ensures cross-company data leakage is architecturally impossible
  • Authorization Checks: Every controller action verifies the user has permission to access the requested resource
  • Route Model Binding: Security checks are built into our routing layer to prevent unauthorized access

2.3 Role-Based Access Control (RBAC)

  • Admin Role: Full access to all company data, settings, billing, and team management
  • Manager Role: Access to financial data, reporting, and team member management (cannot modify billing or delete account)
  • User Role: Read-only access to dashboards and reports (cannot modify data or settings)
  • Least Privilege Principle: Users are granted the minimum permissions necessary for their role

3. Third-Party Integration Security

3.1 OAuth 2.0 Authorization

  • Industry Standard: All financial integrations use OAuth 2.0 - you never share passwords with Incremenza
  • Granular Permissions: We request only the minimum permissions necessary (e.g., read-only access to transactions)
  • User Control: You authorize each integration directly with the provider (Plaid, QuickBooks, Stripe, Square, PayPal)
  • Token Encryption: OAuth access and refresh tokens are encrypted at rest in our database
  • State Verification: OAuth flows use cryptographic state parameters to prevent CSRF attacks
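
The state check described in the last item, as an added example that is not Incremenza's code: the state is random, bound to the session that started the flow, compared in constant time and usable once. The session is modelled as a plain array and the `oauth_state` key is an assumption.

```php
<?php
declare(strict_types=1);

// Added example. The session array and the 'oauth_state' key are assumptions.

/** Start of flow: mint an unguessable state and bind it to the user's session. */
function issueState(array &$session): string
{
    $state = bin2hex(random_bytes(32)); // 256 bits from the OS CSPRNG
    $session['oauth_state'] = $state;
    return $state; // sent to the provider as the "state" query parameter
}

/** Callback: accept only the state this session issued, and only once. */
function consumeState(array &$session, ?string $returned): bool
{
    $expected = $session['oauth_state'] ?? null;
    unset($session['oauth_state']); // single use, even when the check fails
    if (!is_string($expected) || $returned === null) {
        return false;
    }
    return hash_equals($expected, $returned); // constant-time comparison
}

// Constructed walk-through with two independent sessions.
$alice   = [];
$other   = [];
$foreign = issueState($other);

issueState($alice);
var_dump(consumeState($alice, $foreign)); // state issued to a different session

$state = issueState($alice);
var_dump(consumeState($alice, $state));   // matching state
var_dump(consumeState($alice, $state));   // same state presented a second time
var_dump(consumeState($alice, null));     // callback without a state parameter
```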

3.2 Integration Disconnect

  • Easy Revocation: Disconnect integrations at any time through your account settings
  • Immediate Token Revocation: When you disconnect, we immediately revoke OAuth tokens with the provider's API
  • Historical Data Retention: Transaction data from disconnected integrations is retained for business continuity (deleted only when you close your account)
  • Audit Trail: All disconnect events are logged with user attribution and timestamp

3.3 Webhook Security

  • Signature Verification: All incoming webhooks from payment providers are cryptographically verified using webhook signing secrets
  • Idempotency: Duplicate webhook events are automatically detected and ignored
  • IP Whitelisting: Webhook endpoints accept requests only from verified provider IP addresses where applicable
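
Signature verification and duplicate detection from the list above, as an added example that is not Incremenza's code. It assumes a timestamped HMAC-SHA256 header of the form `t=<unix time>,v1=<hex MAC>`; each provider documents its own header layout, and the secret, tolerance and event id here are constructed.

```php
<?php
declare(strict_types=1);

// Added example. Header layout, secret and event ids are assumptions.
const TOLERANCE_SECONDS = 300; // assumed replay window

/** Verify a "t=<unix time>,v1=<hex HMAC>" header computed over "<t>.<raw body>". */
function verifyWebhook(string $rawBody, string $header, string $secret, int $now): bool
{
    $parts = [];
    foreach (explode(',', $header) as $pair) {
        $kv = explode('=', trim($pair), 2);
        if (count($kv) === 2) {
            $parts[$kv[0]] = $kv[1];
        }
    }
    if (!isset($parts['t'], $parts['v1']) || !ctype_digit($parts['t'])) {
        return false; // malformed header
    }
    if (abs($now - (int) $parts['t']) > TOLERANCE_SECONDS) {
        return false; // outside the replay window
    }
    // Sign the raw bytes as received; re-encoding parsed JSON changes the MAC input.
    $expected = hash_hmac('sha256', $parts['t'] . '.' . $rawBody, $secret);
    return hash_equals($expected, $parts['v1']); // constant-time comparison
}

/** Returns true only the first time an event id is seen. */
function claimEvent(array &$seen, string $eventId): bool
{
    if (isset($seen[$eventId])) {
        return false;
    }
    $seen[$eventId] = true; // production: INSERT under a UNIQUE constraint instead
    return true;
}

// Constructed sample delivery.
$secret = 'constructed-signing-secret';
$body   = '{"id":"evt_constructed_1","type":"payment.succeeded"}';
$now    = 1700000000;
$header = 't=' . $now . ',v1=' . hash_hmac('sha256', $now . '.' . $body, $secret);
$seen   = [];

var_dump(verifyWebhook($body, $header, $secret, $now));        // delivery as signed
var_dump(verifyWebhook($body . ' ', $header, $secret, $now));  // body altered in transit
var_dump(verifyWebhook($body, $header, $secret, $now + 3600)); // delivered an hour late
$id = json_decode($body, true)['id'];
var_dump(claimEvent($seen, $id), claimEvent($seen, $id));      // first delivery, then retry
```

Verification must run on the unparsed request body, and the event id should be claimed only after the signature passes so that unsigned requests cannot fill the dedupe table.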

4. Infrastructure Security

4.1 Hosting and Cloud Security

  • Cloud Provider: Hosted on DigitalOcean's secure infrastructure via Laravel Forge managed services
  • Data Center Location: Primary servers located in the San Francisco 2 region (United States)
  • Physical Security: DigitalOcean data centers employ 24/7 security, biometric access controls, and video surveillance
  • Network Isolation: Application servers are isolated in private networks with restricted external access

4.2 Database Security

  • Managed Database: MySQL database hosted on secure, managed infrastructure
  • Access Restrictions: Database accessible only from application servers via private network - no public internet access
  • Credential Rotation: Database credentials are rotated periodically and stored securely
  • Automated Backups: Daily automated backups with point-in-time recovery capability
  • Redundant Storage: Two separate backup copies maintained in geographically distinct locations
  • Backup Encryption: All backups are encrypted at rest

4.3 Application Security

  • Security Patches: Regular updates to Laravel framework, PHP, and all dependencies to patch known vulnerabilities
  • Dependency Scanning: Automated scanning for known security vulnerabilities in third-party packages
  • Input Validation: All user input is validated and sanitized to prevent injection attacks
  • SQL Injection Prevention: Parameterized queries and ORM (Eloquent) prevent SQL injection attacks
  • XSS Protection: Automatic HTML escaping in templates prevents cross-site scripting attacks
  • CSRF Protection: All form submissions require valid CSRF tokens

5. Monitoring and Incident Response

5.1 Security Monitoring

  • Error Tracking: Sentry monitors application errors and exceptions in real-time
  • Sensitive Data Scrubbing: Error logs automatically redact OAuth tokens, credit card numbers, and other sensitive data before transmission to monitoring services
  • Audit Logging: Critical actions (user deletions, integration disconnects, permission changes) are logged with user attribution
  • Anomaly Detection: Unusual access patterns or failed authentication attempts trigger alerts
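
The scrubbing step described under Sensitive Data Scrubbing, as an added example that is not Incremenza's code: values are redacted by key name first, then by content, with a Luhn check so that ordinary long numbers such as invoice references survive. The key list, patterns and sample event are assumptions.

```php
<?php
declare(strict_types=1);

// Added example. Key names, patterns and the sample event are assumptions.
const SENSITIVE_KEYS = ['access_token', 'refresh_token', 'authorization', 'password'];

/** Luhn checksum: separates real card numbers from other long digit runs. */
function luhnValid(string $digits): bool
{
    $sum = 0;
    for ($i = strlen($digits) - 1, $double = false; $i >= 0; $i--, $double = !$double) {
        $d = (int) $digits[$i] * ($double ? 2 : 1);
        $sum += $d > 9 ? $d - 9 : $d;
    }
    return $sum % 10 === 0;
}

function scrubString(string $s): string
{
    // Bearer credentials embedded in messages or header dumps.
    $s = preg_replace('/\bBearer\s+[A-Za-z0-9._~+\/-]+=*/i', 'Bearer [REDACTED]', $s) ?? $s;
    // 13-19 digits with optional space or dash separators; redact only if Luhn-valid.
    return preg_replace_callback('/\b\d(?:[ -]?\d){12,18}\b/', function (array $m): string {
        $digits = (string) preg_replace('/\D/', '', $m[0]);
        return luhnValid($digits) ? '[REDACTED CARD]' : $m[0];
    }, $s) ?? $s;
}

/** Recursively redact values by key name, then by content. */
function scrub(array $data): array
{
    foreach ($data as $key => $value) {
        if (is_string($key) && in_array(strtolower($key), SENSITIVE_KEYS, true)) {
            $data[$key] = '[REDACTED]';
        } elseif (is_array($value)) {
            $data[$key] = scrub($value);
        } elseif (is_string($value)) {
            $data[$key] = scrubString($value);
        }
    }
    return $data;
}

// Constructed event, shaped like an error report about to leave the application.
$event = [
    'message' => 'Sync failed with Authorization: Bearer abc.def.ghi on card 4242 4242 4242 4242',
    'extra'   => ['refresh_token' => 'constructed-token', 'invoice' => 'ref 1234567890123'],
];
print_r(scrub($event));
```

In the Sentry PHP SDK a function like `scrub()` would be called from the `before_send` callback, so redaction happens before the event leaves the process.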

5.2 Incident Response

  • Security Incident Plan: Documented procedures for responding to security incidents
  • Breach Notification: In the event of a data breach affecting your information, we will notify you within 72 hours as required by law
  • Mitigation: Immediate action to contain and remediate security incidents
  • Post-Incident Review: Root cause analysis and implementation of preventive measures after incidents

5.3 Uptime and Availability

  • Target Uptime: 99.9% uptime (excluding planned maintenance)
  • Health Monitoring: Automated monitoring of system health and integration connectivity
  • Redundancy: Database replication and backup systems for disaster recovery
  • Maintenance Windows: Planned maintenance is scheduled during off-peak hours with advance notice

6. AI and Data Processing Security

6.1 Google Gemini AI Integration

  • Paid API Tier: We use Google's paid Gemini AI tier, which means your data is not used to train Google's AI models
  • Data Minimization: Only necessary data is sent to the AI service (merchant names for categorization, aggregated financial summaries for insights)
  • PII Removal: Before sending merchant names to AI, we automatically strip personally identifiable information (addresses, phone numbers, location details)
  • Encrypted Transmission: All API calls to Gemini use TLS encryption
  • No Long-Term Storage: Google does not retain your data beyond the duration of the API request

6.2 Transaction Classification

  • Multi-Tier Classification: Transactions are classified using (1) exact merchant matches, (2) learned patterns, (3) fuzzy matching, and (4) AI as a last resort
  • Reduced AI Usage: Our intelligent classification system reduces AI API calls by 60-75%, minimizing data sent to third parties
  • Local Caching: Classification results are cached locally to avoid redundant AI calls for known merchants

7. Compliance and Certifications

7.1 Current Compliance

  • GDPR Ready: Data Processing Addendum (DPA) available for EU customers with Standard Contractual Clauses (SCCs)
  • CCPA Compliant: California Consumer Privacy Act compliance for California residents
  • PCI DSS (via Stripe): Payment card processing through Stripe (PCI DSS Level 1 certified)
  • OAuth 2.0 Compliance: Industry-standard authorization framework for all financial integrations

7.2 Future Certifications (Roadmap)

  • SOC 2 Type II: Planned for enterprise customer requirements (external audit of security controls)
  • ISO 27001: Information security management system certification (for international expansion)

8. Employee Access and Training

8.1 Internal Access Controls

  • Minimal Access: Incremenza employees have access only to systems necessary for their role
  • Customer Data Access: Customer financial data is accessed only when necessary for support requests (with explicit permission)
  • Audit Trails: All employee access to production systems is logged and monitored
  • Background Checks: Employees with access to customer data undergo background checks

8.2 Security Training

  • Onboarding: All employees receive security awareness training during onboarding
  • Ongoing Education: Regular training on security best practices, data privacy, and incident response
  • Phishing Awareness: Training to recognize and report phishing attempts and social engineering attacks

9. Your Security Responsibilities

While we implement comprehensive security measures, you play a critical role in protecting your account:

  • Strong Passwords: Use unique, complex passwords for your Incremenza account
  • Password Management: Never share your password or store it insecurely
  • Device Security: Ensure devices used to access Incremenza are secure and up-to-date
  • Phishing Awareness: Be cautious of emails requesting login credentials or sensitive information
  • User Management: Promptly deactivate users who leave your organization
  • Report Incidents: Notify us immediately of suspected security incidents or unauthorized access
  • Regular Reviews: Periodically review connected integrations and team member access

10. Reporting Security Issues

10.1 Responsible Disclosure

If you discover a security vulnerability, please report it responsibly:

  • Email: [email protected]
  • Provide a detailed description of the vulnerability
  • Include steps to reproduce the issue
  • Allow us reasonable time to investigate and remediate before public disclosure

10.2 Scope

We welcome reports of genuine security vulnerabilities. Please do not:

  • Access or modify other users' data without permission
  • Perform destructive tests (denial of service, data deletion, etc.)
  • Use social engineering or phishing against Incremenza employees
  • Publicly disclose vulnerabilities before we've had time to fix them

11. Security Updates

This Security page is reviewed and updated regularly to reflect our current practices. Material changes will be announced via email and in-app notifications.

12. Questions and Contact

For security-related questions or concerns:

Incremenza LLC

4533 18th St #2
San Francisco, CA 94114
United States

Security: [email protected]

Privacy: [email protected]

Support: [email protected]

At Incremenza, security is not an afterthought - it's built into every layer of our platform. We are committed to protecting your data and continuously improving our security posture.