Information Security Policy

Last updated: February 28, 2026

1. Purpose and Scope

This Information Security Policy establishes the framework for identifying, mitigating, and monitoring information security risks at FuturePort. It applies to all systems, data, and personnel involved in the operation of the FuturePort platform.

FuturePort is an AI-powered portfolio intelligence platform that processes user account data, portfolio configurations, and market analytics. This policy ensures that all data is handled securely and in compliance with applicable regulations.

2. Data Classification

FuturePort classifies data into the following categories:

  • Public: Marketing content, publicly available market data, landing page content
  • Internal: Application logs, aggregated analytics, system configuration
  • Confidential: User email addresses, portfolio configurations, alert settings, saved preferences
  • Restricted: Authentication tokens, API keys, database credentials, brokerage access tokens

Each classification level has corresponding handling, storage, and access requirements as described in this policy.

3. Encryption and Data Protection

3.1 Data in Transit

All data transmitted between clients and FuturePort services is encrypted using TLS 1.2 or higher. This includes:

  • All API communications between the frontend and backend servers
  • Database connections enforced with SSL/TLS encryption
  • All third-party API integrations (Firebase, market data providers)

3.2 Data at Rest

  • PostgreSQL database hosted on Neon with encrypted storage
  • Environment variables and API keys stored as encrypted secrets in deployment environments
  • No plaintext passwords are stored — authentication is delegated to Firebase Authentication

4. Authentication and Access Control

4.1 User Authentication

  • User authentication is managed by Google Firebase Authentication
  • Firebase ID tokens are verified server-side on every authenticated API request
  • Tokens are short-lived and automatically refreshed by the Firebase SDK
  • Session persistence uses secure browser local storage with Firebase-managed token rotation

4.2 Role-Based Access Control

  • The platform implements role-based access control (RBAC) with distinct user, admin, and superadmin roles
  • Administrative endpoints are protected by role verification middleware
  • Role claims are stored in Firebase custom claims and synchronized with the backend database
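Added example, not FuturePort's code: a framework-neutral request guard that implements sections 4.1 and 4.2 together, verifying a bearer ID token on every authenticated request and then enforcing the user, admin and superadmin roles on an administrative endpoint. In production the verifier would be firebase_admin.auth.verify_id_token; here a constructed stand-in plays that part so the example runs offline. The custom-claim name "role", the Request type and the handler names are this example's assumptions.

```python
"""Token verification plus role-verification middleware (added example).

Assumptions: Firebase custom claims carry the role under the key "role";
the verifier is injected so the real firebase_admin.auth.verify_id_token can
be substituted in production.
"""
import functools
from dataclasses import dataclass, field
from typing import Any, Callable, Dict, Tuple

ROLES = ("user", "admin", "superadmin")  # the distinct roles named in the policy


class AuthError(Exception):
    """Carries the HTTP status the middleware should answer with."""

    def __init__(self, status: int, message: str):
        super().__init__(message)
        self.status = status


@dataclass
class Request:
    path: str
    headers: Dict[str, str] = field(default_factory=dict)
    claims: Dict[str, Any] = field(default_factory=dict)  # filled in after verification


def authenticate(request: Request, verify_id_token: Callable[[str], Dict[str, Any]]) -> Request:
    """Verify the ID token on every authenticated request (policy 4.1)."""
    scheme, _, token = request.headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "bearer" or not token:
        raise AuthError(401, "missing bearer token")
    try:
        claims = verify_id_token(token)  # firebase_admin.auth.verify_id_token in production
    except Exception as exc:  # expired, revoked, wrong audience, bad signature
        raise AuthError(401, f"invalid token: {exc}") from exc
    role = claims.get("role", "user")  # assumed custom-claim name; default to least privilege
    if role not in ROLES:
        raise AuthError(403, f"unknown role {role!r}")
    request.claims = {**claims, "role": role}
    return request


def require_role(*allowed: str):
    """Decorator for administrative endpoints (policy 4.2): the verified role must be in `allowed`."""
    unknown = set(allowed) - set(ROLES)
    if unknown:
        raise ValueError(f"unknown roles in decorator: {unknown}")

    def decorator(handler):
        @functools.wraps(handler)
        def wrapped(request: Request):
            if not request.claims:
                raise AuthError(401, "unauthenticated")
            if request.claims["role"] not in allowed:
                raise AuthError(403, "insufficient role")
            return handler(request)
        return wrapped
    return decorator


# Constructed stand-in for Firebase verification; not the real SDK.
FAKE_TOKENS = {
    "tok-alice": {"uid": "alice", "email": "alice@example.com", "role": "user"},
    "tok-bob": {"uid": "bob", "email": "bob@example.com", "role": "admin"},
    "tok-eve": {"uid": "eve", "role": "owner"},  # claim outside the role model
}


def fake_verify_id_token(token: str) -> Dict[str, Any]:
    if token not in FAKE_TOKENS:
        raise ValueError("token not recognised")
    return dict(FAKE_TOKENS[token])


@require_role("admin", "superadmin")
def list_users(request: Request) -> str:
    return f"admin view for {request.claims['uid']}"


def handle(path: str, auth_header: str) -> Tuple[int, str]:
    """Simulate one request to the guarded endpoint; returns (status, body)."""
    req = Request(path=path, headers={"Authorization": auth_header})
    try:
        authenticate(req, fake_verify_id_token)
        return 200, list_users(req)
    except AuthError as e:
        return e.status, str(e)


if __name__ == "__main__":
    for hdr in ("Bearer tok-bob", "Bearer tok-alice", "Bearer tok-eve", "Bearer nope", ""):
        print(hdr or "<none>", "->", handle("/admin/users", hdr))
```

Two design points worth keeping in a real deployment: a missing or unrecognised role claim fails closed (401 or 403, never a default of admin), and the token check happens before any role logic, so an unauthenticated request is never told whether the endpoint exists for its role.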

4.3 Infrastructure Access

  • Production infrastructure access is limited to authorized personnel
  • Database access requires authenticated connections with SSL enforcement
  • Deployment pipelines use environment-scoped secrets that are not accessible in application code at runtime

5. Application Security

5.1 Security Headers

The platform enforces the following HTTP security headers:

  • Content Security Policy (CSP) to prevent cross-site scripting (XSS) attacks
  • X-Content-Type-Options to prevent MIME type sniffing
  • X-Frame-Options to prevent clickjacking
  • Strict-Transport-Security (HSTS) to enforce HTTPS connections
  • Referrer-Policy to control information leakage

5.2 Input Validation and Sanitization

  • All user inputs are validated and sanitized on both client and server sides
  • Database queries use parameterized statements via SQLAlchemy ORM to prevent SQL injection
  • API request bodies are validated against expected schemas before processing

5.3 Rate Limiting

  • API endpoints are protected with rate limiting to prevent abuse
  • AI assistant endpoints have per-user rate limits with configurable thresholds
  • Failed authentication attempts are monitored and logged

6. Third-Party Service Security

FuturePort relies on the following third-party services, each selected for its security posture:

  • Google Firebase Authentication: SOC 1/2/3, ISO 27001, and ISO 27017 certified. Handles all user credential management and token issuance.
  • Neon (PostgreSQL): SOC 2 Type II compliant. Provides encrypted database hosting with automated backups and point-in-time recovery.
  • Cloudflare Pages: SOC 2 Type II, ISO 27001 certified. Provides DDoS protection, CDN, and secure hosting for the frontend application.
  • Financial Market Data Providers: Data is fetched over encrypted connections. No user data is shared with market data providers.

All third-party integrations communicate exclusively over encrypted channels (TLS 1.2+). Access tokens for third-party services are stored as environment secrets, never in source code.

7. Risk Identification and Monitoring

7.1 Logging and Monitoring

  • Application activity is logged including API requests, authentication events, and errors
  • Administrative actions are tracked in an activity log for audit purposes
  • Error monitoring captures and reports application exceptions for timely investigation
  • Production logs do not contain sensitive user data (passwords, tokens, or personal information)
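Added example, not FuturePort's code: a logging filter that redacts credentials and personal data before a record reaches any handler, which is one way to hold the last bullet of section 7.1 (no passwords, tokens or personal information in production logs) as an enforced control rather than a convention. The patterns, the field names they look for and the sample log lines are this example's constructed assumptions about what such data looks like; they are a starting point, not an exhaustive list.

```python
"""Redact secrets and personal data at the logging layer (added example).

Patterns and field names below are assumptions for this example.
"""
import logging
import re
from typing import List

REDACTIONS = [
    # Bearer tokens (e.g. Firebase ID tokens) echoed from an Authorization header
    (re.compile(r"(?i)(authorization:\s*bearer\s+)[A-Za-z0-9._\-]+"), r"\1[REDACTED]"),
    # password / token / api_key / secret fields in query strings or JSON bodies
    (re.compile(r"(?i)(\"?(?:password|token|api_key|secret)\"?\s*[:=]\s*\"?)[^\"&,\s]+"),
     r"\1[REDACTED]"),
    # email addresses (Confidential data under section 2 of this policy)
    (re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"), "[EMAIL]"),
]


def redact(text: str) -> str:
    """Apply every redaction pattern in order and return the cleaned text."""
    for pattern, replacement in REDACTIONS:
        text = pattern.sub(replacement, text)
    return text


class RedactingFilter(logging.Filter):
    """Rewrites the message and its args in place; returns True so the record is still emitted."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact(str(record.msg))
        if isinstance(record.args, dict):
            record.args = {k: redact(str(v)) for k, v in record.args.items()}
        elif record.args:
            record.args = tuple(redact(str(a)) for a in record.args)
        return True


class _ListHandler(logging.Handler):
    """Collects formatted lines so the result can be inspected instead of written to disk."""

    def __init__(self, sink: List[str]):
        super().__init__()
        self.sink = sink

    def emit(self, record: logging.LogRecord) -> None:
        self.sink.append(self.format(record))


def format_lines(lines: List[str]) -> List[str]:
    """Run log lines through a logger with the filter attached and return what would be written."""
    out: List[str] = []
    logger = logging.getLogger("futureport.example")  # assumed logger name
    logger.handlers.clear()
    logger.filters.clear()
    logger.propagate = False
    logger.setLevel(logging.INFO)
    logger.addFilter(RedactingFilter())  # on the logger, so every handler sees the cleaned record
    handler = _ListHandler(out)
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    logger.addHandler(handler)
    for line in lines:
        logger.info(line)
    return out


# Constructed sample log lines, the kind an application would emit by mistake.
SAMPLE_LINES = [
    "POST /api/login user=alice@example.com password=hunter2",
    "GET /api/portfolio Authorization: Bearer eyJhbGciOi.example.sig",
    '{"event":"alert_saved","uid":"u123","api_key":"sk_live_abc123"}',
    "GET /api/market/quotes symbol=AAPL status=200",
]

if __name__ == "__main__":
    for line in format_lines(SAMPLE_LINES):
        print(line)
```

Attaching the filter to the logger rather than to one handler matters: a filter on a single handler would still let the unredacted record reach an error-monitoring handler registered on the same logger. Redaction is also a backstop, not a substitute for never passing secrets to the logger in the first place.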

7.2 Vulnerability Management

  • Dependencies are monitored for known vulnerabilities through automated tooling
  • Security patches for critical vulnerabilities are applied promptly
  • Code changes are reviewed before deployment to production

8. Data Retention and Disposal

  • User data is retained only for as long as necessary to provide the service
  • Users may request a complete export of their data at any time via the account settings page
  • Account deletion requests initiate a 30-day grace period, after which all user data is permanently and irreversibly deleted from all systems
  • Deleted data is purged from backups within the backup retention window

9. Incident Response

In the event of a security incident, FuturePort follows a structured response process:

  • Detection: Security events are identified through monitoring, logging, and user reports
  • Containment: Affected systems are isolated to prevent further unauthorized access. Compromised tokens and credentials are immediately revoked.
  • Investigation: The scope, cause, and impact of the incident are determined through log analysis and system review
  • Notification: Affected users are notified within 72 hours of confirmed data breaches, in compliance with GDPR and applicable data protection regulations
  • Remediation: Vulnerabilities are patched, security controls are strengthened, and preventive measures are implemented
  • Documentation: Incidents are documented with a post-mortem analysis to prevent recurrence

10. User Data Rights

In accordance with GDPR and CCPA, users have the following rights regarding their data:

  • Right of Access: Users can view all data associated with their account
  • Right to Export: Users can download a complete copy of their data in JSON format via the account settings page
  • Right to Deletion: Users can request permanent deletion of their account and all associated data
  • Right to Rectification: Users can update or correct their personal information at any time

11. Compliance

FuturePort is designed and operated with the following regulatory frameworks in mind:

  • GDPR (General Data Protection Regulation): Data minimization, user consent, right to erasure, 72-hour breach notification
  • CCPA (California Consumer Privacy Act): Right to know, right to delete, right to opt-out of data sales (FuturePort does not sell user data)
  • SEC AI Disclosure Requirements: All AI-generated content is clearly labeled with disclosure badges throughout the platform

12. Policy Review

This Information Security Policy is reviewed and updated at least annually, or whenever significant changes occur to the platform's architecture, data processing activities, or applicable regulatory requirements.

13. Contact

For security-related inquiries, vulnerability reports, or questions about this policy, please contact:

Investment Disclaimer

FuturePort provides AI-powered portfolio analysis and market intelligence for informational purposes only. This platform does not provide financial, investment, tax, or legal advice. All investment decisions carry inherent risks, including the potential loss of principal. Past performance does not guarantee future results. Market predictions and simulations are based on historical data and algorithms that may not accurately reflect future market conditions. Users are solely responsible for their investment decisions and should consult with qualified financial advisors before making any investment. FuturePort and its operators accept no liability for any financial losses incurred through the use of this platform.