Compliance
The Minimum Viable Secure Product (MVSP) checklist is an industry baseline maintained by Google, Okta, Salesforce, and Slack. It defines 25 security controls that enterprise buyers evaluate first. The one control not yet met, 1.4 External testing, requires a paid third-party penetration test, which is planned for Phase 2 of the SOC 2 roadmap below.
Regulatory & Compliance Frameworks
Abundera addresses 10 regulatory frameworks across financial services, data protection, health data, payments, and AI governance. Each framework is assessed in detail in the sections below.
| Framework | Scope | Status | Key Documents |
|---|---|---|---|
| MVSP | Security baseline (25 controls) | 24/25 Met | Security overview |
| GLBA | U.S. financial privacy (Safeguards Rule) | Compliant | Financial Privacy Notice |
| GDPR | EU data protection regulation | Aligned | Privacy Policy, DPA |
| CCPA/CPRA | California consumer privacy | Compliant | Privacy Policy |
| HIPAA | Health data safeguards | Equivalent | Available upon request |
| PCI DSS | Payment card security | SAQ A | Via Stripe |
| E-SIGN Act | Electronic communications consent | Compliant | Terms of Service |
| DORA | EU digital operational resilience | Aligned | Available upon request |
| EU AI Act | AI system regulation | Aligned | Available upon request |
| SOC 2 | Trust service criteria audit | Aligned | Security overview |
Supporting legal documents: Terms of Service · Privacy Policy · Data Processing Agreement · Security Overview. Internal compliance documentation (WISP, DPIA, ROPA, data retention policy, incident response plan, risk register, vendor assessments) is available upon request to enterprise customers and auditors at security@abundera.ai.
MVSP Control Details
Business Controls
| Control | Status | Notes |
|---|---|---|
| 1.1 Vulnerability reports | Met | security@abundera.ai, VDP, security.txt |
| 1.2 Customer testing | Met | Pentest authorization policy documented; customers may test with prior written approval |
| 1.3 Self-assessment | Met | This page |
| 1.4 External testing | Planned | Third-party pentest planned for Phase 2 |
| 1.5 Training | Met | Security-first development demonstrated by |
| 1.6 Compliance | Met | This page documents compliance posture; Cloudflare certifications inherited |
| 1.7 Incident response | Met | Documented incident response plan with severity levels and response procedures |
| 1.8 Information security policy | Met | Formal information security policy with data classification, vendor management, access control, and encryption requirements |
Application Design Controls
| Control | Status | Notes |
|---|---|---|
| 2.1 Single sign-on | Met | WebAuthn/FIDO2 passkey-only authentication (AAL2/AAL3); no passwords (TOTP secrets are the only shared secrets held, see Data Handling). Note that MVSP 2.1 asks for enterprise SSO integration (SAML/OIDC) so a customer's identity provider can provision and revoke access centrally; passkeys raise authentication strength but do not by themselves provide that integration |
| 2.2 HTTPS-only | Met | HSTS preloaded, TLS 1.3, upgrade-insecure-requests CSP directive |
| 2.3 Security headers | Met | 10 security headers including CSP, HSTS, COOP, CORP, Permissions-Policy, X-DNS-Prefetch-Control |
| 2.4 Password policy | Met | No passwords exist — passkey-only architecture eliminates this attack surface entirely |
| 2.5 Security libraries | Met | Shared validation library and crypto utilities (Web Crypto API) across all endpoints |
| 2.6 Dependency patching | Met | Automated npm audit runs on every deployment; critical/high vulnerabilities block the deploy pipeline |
| 2.7 Logging | Met | Auth events logged with IP, timestamp, and outcome; admin audit log; Cloudflare Workers and analytics logging |
| 2.8 Encryption | Met | TLS 1.3 in transit, AES-GCM at rest for sensitive fields, git-crypt for secrets in source control |
Application Implementation Controls
| Control | Status | Notes |
|---|---|---|
| 3.1 List of sensitive data | Met | Formal data classification policy with four sensitivity levels |
| 3.2 Data flow diagram | Met | Visual data flow diagram with encryption boundaries documented on this page |
| 3.3 Vulnerability prevention | Met | Strict CSP (zero unsafe-inline), input validation, rate limiting, |
Operational Controls
| Control | Status | Notes |
|---|---|---|
| 4.1 Physical access | Met | Serverless on Cloudflare (SOC 2 Type II, ISO 27001) — physical security inherited from certified infrastructure |
| 4.2 Logical access | Met | Admin/user RBAC enforced at middleware layer; role assignments documented. Single-person team, so the access review currently covers one human account |
| 4.3 Sub-processors | Met | Published sub-processor list with security assessments |
| 4.4 Backup and recovery | Met | D1 automatic daily backups; documented RTO/RPO targets and restoration procedures |
| 4.5 Logging and monitoring | Met | Auth event logging, admin audit trail, Cloudflare Workers logs, Web Analytics, and real-time rate limit monitoring |
| 4.6 Risk assessment | Met | Formal risk register with 8 identified risks scored by likelihood and impact, reviewed quarterly |
| 4.7 Data retention | Met | Formal retention schedule for all data types; delete-on-request with full account deletion process |
Infrastructure Partner Certifications
Abundera's application, database, and edge run on Cloudflare's platform; encryption key management uses AWS KMS (see the Sub-Processor List). By building on certified infrastructure, we inherit Cloudflare's physical security, network security, and data center operations certifications without operating data centers of our own.
| Certification | Scope |
|---|---|
| SOC 2 Type II | Annual independent audit of security, availability, and confidentiality controls |
| ISO 27001 | Information security management system covering global operations |
| ISO 27701 | Privacy information management extension (GDPR-aligned) |
| ISO 27018 | Protection of personally identifiable information in public clouds |
| PCI DSS 4.0 Level 1 | Payment card industry data security standard |
| FedRAMP Moderate | U.S. federal government cloud security authorization |
| CSA STAR | Cloud Security Alliance security assessment |
| C5 | BSI (German Federal Office for Information Security) Cloud Computing Compliance Criteria Catalogue |
Full details: Cloudflare Trust Hub
Data Handling
Abundera processes sensitive financial, health, and personal data. All data is classified into four sensitivity levels: Public, Internal, Confidential, and Restricted.
Sensitive Data Types
| Data Type | Classification | Protection |
|---|---|---|
| Authentication credentials (passkey public keys, TOTP secrets) | Restricted | AES-GCM encryption at rest; passkey private keys are generated on and never leave the user's device |
| Bank transactions and balances | Restricted | AES-GCM encryption at rest, read-only Plaid access, user-controlled |
| Health records | Restricted | AES-GCM encryption at rest, access limited to user's session |
| Email address, phone number | Confidential | Encrypted at rest (D1), TLS 1.3 in transit |
| Financial summaries (aggregated) | Confidential | Encrypted at rest, session-scoped access |
| Request log entries | Confidential | Admin-only access, 90-day retention |
| Auth audit and admin action logs | Confidential | Admin-only access, 3-year retention (GLBA) |
Data Flow
Restricted data (bank transactions, health records, TOTP secrets) is encrypted with AES-GCM at the application layer before being stored in D1, on top of Cloudflare's own encryption at rest.
Data We Do Not Collect
- Social Security numbers
- Credit card numbers (Plaid handles this; we never see card data)
- Passwords (passkey-only architecture)
- Biometric data (processed on-device by WebAuthn; never transmitted)
- Location data (Permissions-Policy blocks geolocation API)
- Browsing history from other sites
Incident Response
Abundera maintains a documented incident response plan covering detection, containment, eradication, recovery, and post-incident review.
| Severity | Response Time | Example |
|---|---|---|
| Critical | < 1 hour | Active data breach, credential compromise |
| High | < 4 hours | Exploitable vulnerability in production, account takeover |
| Medium | < 24 hours | Vulnerability discovered but not exploited |
| Low | < 72 hours | Low-severity dependency CVE, configuration drift |
In the event of a confirmed data breach, affected users will be notified within 72 hours via email with details of what happened, what data was involved, and what actions they should take.
Vulnerability Management
Vulnerabilities are triaged by CVSS score and fixed according to these SLAs:
| Severity | CVSS | Fix SLA |
|---|---|---|
| Critical | 9.0 – 10.0 | 72 hours |
| High | 7.0 – 8.9 | 30 days |
| Medium | 4.0 – 6.9 | 90 days |
| Low | 0.1 – 3.9 | Next release cycle |
Every deployment is gated by an automated security audit that runs
To report a vulnerability, see our Vulnerability Disclosure Policy or email security@abundera.ai.
Sub-Processor List
These third-party services process Abundera user data. All hold SOC 2 Type II certification or equivalent.
| Company | Purpose | Location |
|---|---|---|
| Cloudflare, Inc. | Infrastructure (hosting, database, CDN, DDoS protection, bot detection) | Global (300+ locations) |
| Plaid, Inc. | Read-only bank account and transaction data | United States |
| Zoho Zeptomail | Transactional email delivery — primary (verification codes, notifications, alerts) | United States |
| Resend | Transactional email delivery — fallback provider | United States |
| Twilio, Inc. | SMS notifications and two-way SMS commands (account alerts, recovery notifications) | United States |
| Stripe, Inc. | Subscription billing and payment processing (Checkout, Customer Portal, Webhooks) | United States |
| Amazon Web Services (AWS KMS) | Envelope encryption key management (master key storage, data encryption key generation) | United States |
| Lob, Inc. | Physical mail delivery for Abundera Letters (certified mail, dispute letters, notifications) | United States |
No user data is shared with advertising networks, analytics vendors, or third-party AI model providers. Abundera runs AI models on private, dedicated infrastructure.
GLBA Compliance
Abundera voluntarily complies with the Gramm-Leach-Bliley Act (GLBA) Safeguards Rule given the sensitivity of the financial data we handle.
| Requirement | Status | Implementation |
|---|---|---|
| Written Information Security Program (WISP) | Met | Formal Written Information Security Program (WISP) with data classification, access control, encryption requirements, and incident response procedures. Available upon request |
| Financial Privacy Notice | Met | Published in Privacy Policy §7 covering NPI collection, sharing, and opt-out rights |
| Qualified Individual designated | Met | Founder serves as designated security officer responsible for WISP oversight and compliance |
| Vendor security assessments | Met | All 8 sub-processors evaluated for SOC 2 certification, encryption practices, and data handling. Documented on DPA page |
HIPAA-Aligned Safeguards
Abundera is not a HIPAA covered entity or business associate. We voluntarily implement safeguards aligned to HIPAA Security Rule requirements for all health-related financial data (healthcare costs, insurance premiums, medical expenses, HSA/FSA data).
| Safeguard | Status | Implementation |
|---|---|---|
| Health data encrypted (AES-GCM) | Met | All health data fields encrypted at application layer with AES-GCM before storage, on top of Cloudflare's infrastructure encryption |
| Access controls with audit logging | Met | Role-based access, passkey authentication (AAL2/AAL3), every access logged with user ID, timestamp, and action |
| Minimum necessary standard | Met | Internal systems access only specific health data fields required for the requested operation; no bulk access |
| Breach notification within 72 hours | Met | Documented incident response plan with 72-hour notification SLA for breaches involving health data |
| Data classified as "Restricted" | Met | Health records carry our highest classification level with strictest access controls and encryption requirements |
CCPA/CPRA Compliance
Abundera complies with the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA) for all California residents.
| Right | Status | How to Exercise |
|---|---|---|
| Right to know (data export) | Met | Settings > Data Export provides full JSON download of all personal data, including control plane and shard data |
| Right to delete (account closure) | Met | Settings > Close Account initiates 30-day grace period followed by permanent deletion of all data |
| No sale of personal information | Met | Abundera does not sell, rent, or share personal information with third parties for advertising or marketing. No "Do Not Sell" opt-out needed |
| Sensitive data protections | Met | Financial data, health data, and authentication credentials classified as Restricted with AES-GCM encryption and audit logging |
GDPR Alignment (EU General Data Protection Regulation)
Abundera aligns with the EU General Data Protection Regulation (Regulation 2016/679) to ensure readiness for EU users. While currently US-based, we implement GDPR-equivalent protections for all users regardless of location.
| GDPR Requirement | Status | Implementation |
|---|---|---|
| Lawful basis for processing (Art. 6) | Met | Contract performance (financial services), legitimate interest (security), explicit consent (health data, which is special-category data under Art. 9; marketing). Documented in Privacy Policy |
| Consent requirements (Art. 7) | Met | Granular, unbundled consent checkboxes at registration — separate for Terms, Privacy, age verification, electronic communications, and health data. Consent timestamp and IP recorded |
| Right of access / portability (Art. 15, 20) | Met | Settings > Data Export provides full JSON download of all personal data including control plane and financial shard data |
| Right to erasure (Art. 17) | Met | Settings > Close Account initiates 30-day grace period, then automated permanent deletion of all user data across control plane and data shards |
| Data minimization (Art. 5(1)(c)) | Met | No SSNs, no passwords, no biometrics, no location data, no browsing history collected. Plaid access is read-only. See Data Handling for full list |
| Data Protection Impact Assessment (Art. 35) | Met | Formal DPIA completed covering financial and health data processing. Available upon request |
| Records of Processing Activities (Art. 30) | Met | ROPA maintained documenting all processing activities, legal bases, data categories, recipients, and retention periods |
| Data Processing Agreement (Art. 28) | Met | Published DPA covering all 8 sub-processors with security assessments and contractual safeguards |
| Breach notification (Art. 33, 34) | Met | 72-hour notification SLA for data breaches. Documented incident response plan with severity levels and escalation procedures |
| Privacy by design (Art. 25) | Met | AES-GCM encryption at rest, passkey-only auth (no passwords), tier-based data isolation, |
E-SIGN Act Compliance
Abundera complies with the U.S. Electronic Signatures in Global and National Commerce Act (E-SIGN Act) for all electronic communications and consent.
| Requirement | Status | Implementation |
|---|---|---|
| Electronic communications consent | Met | Explicit consent checkbox at registration: "I consent to receive account-related communications electronically, including security alerts and billing notices" |
| Right to withdraw consent | Met | Users may close their account at any time via Settings > Close Account, which stops all electronic communications |
| Consent records retained | Met | Consent timestamp, IP address, and version recorded in database at time of registration |
PCI DSS Compliance
Abundera uses Stripe for all payment processing. No credit card numbers, CVVs, or payment credentials ever touch Abundera servers.
| Requirement | Status | Implementation |
|---|---|---|
| Cardholder data never stored or processed | Met | Stripe Checkout handles all payment flows. Card data never enters our systems — qualifies as SAQ A (no cardholder data environment) |
| PCI DSS Level 1 certified processor | Met | Stripe is a PCI DSS Level 1 Service Provider (highest level). See Stripe Security |
| Webhook signature verification | Met | All Stripe webhooks are verified against the Stripe-Signature header (HMAC-SHA256 over the raw request body) before processing, so forged events are rejected |
Data Retention
Abundera maintains a formal data retention policy with defined periods for each data category.
| Requirement | Status | Implementation |
|---|---|---|
| Formal retention policy | Met | Defined retention periods for all data categories documented in Privacy Policy §10 |
| Automated deletion on account closure | Met | 30-day grace period, then permanent deletion. Vault tier: entire dedicated database instance dropped |
| 7-year financial record retention (IRS) | Met | Financial records retained in anonymized format for 7 years per IRS requirements, then permanently deleted |
| Request log retention (90 days) | Met | Request logs (method, path, status, duration, IP) automatically purged after 90 days. Owner-only manual purge available via admin panel |
| Audit log retention (3 years) | Met | Authentication audit logs and admin action logs retained for 3 years, supporting the GLBA Safeguards Rule requirement to monitor and log the activity of authorized users (16 CFR 314.4(c)(8)) |
EU AI Act Alignment (Regulation 2024/1689)
Abundera's financial computations are deterministic. No probabilistic AI/ML model is used for financial decision-making, advice, or risk scoring, and the platform does not deploy general-purpose AI systems, high-risk AI applications, or automated decision-making that affects users' financial outcomes. The AI features that do exist (projections, insights, scenario modeling) are informational only, which places them under the Act's transparency obligations rather than its high-risk regime.
| Requirement | Status | Implementation |
|---|---|---|
| AI features classified as "limited risk" | Met | All AI features are informational only (projections, insights, scenario modeling). No autonomous financial decisions or high-risk classifications |
| Transparency obligations | Met | All AI-generated outputs include clear disclaimers: "not financial advice." Users are informed when viewing AI-generated content |
| Human oversight | Met | Users maintain full control. AI features can be disabled. No autonomous actions without explicit user approval via trust level system |
| August 2, 2026 compliance deadline | On Track | Core requirements (transparency, human oversight, risk classification) already met. Monitoring final regulatory guidance for full compliance before deadline |
DORA Readiness (EU Digital Operational Resilience Act)
Abundera proactively aligns with the EU Digital Operational Resilience Act (Regulation 2022/2554), fully applicable since January 17, 2025. While DORA does not currently apply to Abundera (US-based, no EU financial entity customers), we maintain alignment with its five pillars for EU market readiness.
| DORA Pillar | Status | Implementation |
|---|---|---|
| Pillar 1: ICT Risk Management | Aligned | GLBA WISP, formal information security policy, ICT asset inventory, AES-GCM encryption, WebAuthn + TOTP access controls, incident response plan, structured logging with D1 persistence |
| Pillar 2: Incident Reporting | Aligned | Incident classification matrix with 4 severity levels, response times from <1hr to <72hr, 72-hour breach notification SLA, request correlation IDs for forensics |
| Pillar 3: Resilience Testing | Aligned | Automated security audit ( |
| Pillar 4: Third-Party Risk | Aligned | 8 sub-processors documented with SOC 2 status, DPA page published, ICT concentration risk assessed (all-Cloudflare stack documented with exit strategy) |
| Pillar 5: Information Sharing | Planned | Voluntary threat intelligence sharing policy to be formalized when operational |
Full DORA compliance program documented internally with ICT asset inventory (14 assets), concentration risk assessment, incident classification matrix, BCP/DR targets (RPO: 24hr, RTO: 4hr), and phased compliance roadmap. Proportionality principle (Article 4) applies — Abundera qualifies as a microenterprise with simplified requirements. Internal DORA documentation is available upon request at security@abundera.ai.
SOC 2 Roadmap
Abundera is building toward SOC 2 Type II certification on a phased timeline tied to customer demand.
| Phase | Status | Scope |
|---|---|---|
| Phase 1 | Complete | Security policies, MVSP self-assessment (24/25), VDP, sub-processor transparency, risk register, data retention, backup & recovery, business continuity plan, change management policy, access review process, alerting & monitoring, continuous internal pentest program (908 tests / 44 categories) |
| Phase 2 | Planned | Annual third-party penetration test (vendor selected, quote received) — supplements the existing continuous internal pentest program and is the only remaining MVSP gap |
| Phase 3 | Planned | Compliance platform (Vanta/Sprinto), SOC 2 Type I audit |
| Phase 4 | Planned | SOC 2 Type II certification, ongoing annual re-audit |
Accepted Design Tradeoffs
Security engineering involves tradeoffs. We document ours transparently.
| Tradeoff | Residual Risk | Rationale & Mitigations |
|---|---|---|
| SRI not applied to Cloudflare CDN scripts | Low | Cloudflare Web Analytics (beacon.min.js) and Turnstile (api.js) are auto-updated by Cloudflare on their own release cycle — any SRI hash would break on update. Mitigated by: CSP restricts script sources to explicit allowlisted domains, both scripts are first-party Cloudflare (same vendor as our hosting infrastructure), and Turnstile is only loaded on public forms. |
| COEP credentialless (not require-corp) on static pages | Low | Full COEP require-corp would require all cross-origin resources (Plaid Link, Stripe.js, Turnstile iframes) to send their own CORP response header, which they don't. Using credentialless allows cross-origin loading without credentials while still enabling cross-origin isolation. API routes use the stricter require-corp. Mitigated by: COOP same-origin and CORP same-origin on all responses provide Spectre protection. |
Questions about our security or compliance posture? Contact security@abundera.ai.