Ovr | Security Statement

Bank-Level EncryptionSOC 2 Compliant24/7 Monitoring

1. Our Security Commitment

At Ovr Finance, a product of JRM Creative Ventures LLC, protecting your information is not just a priority—it's fundamental to everything we do. Ovr is designed to support your financial wellness and peace of mind, and that includes being thoughtful, careful, and vigilant with your data and the systems that handle it.

1.1 Security Mission

We are committed to implementing reasonable, appropriate, and industry-leading technical and organizational measures to protect your information against:

✕Unauthorized access

✕Unauthorized disclosure

✕Unauthorized alteration

✕Unauthorized destruction

✕Accidental loss

✕Malicious attacks

1.2 Security Principles (CIA Triad)

Confidentiality

Only authorized people and systems can access your data
Strong encryption protects data in transit and at rest
Access controls limit who can view sensitive information
Multi-factor authentication prevents unauthorized access

Integrity

Data is accurate, complete, and trustworthy
Protected from unauthorized or accidental modification
Checksums and validation ensure data hasn't been tampered with
Audit logs track all data changes

Availability

Systems are designed to be reliable and available when you need them
99.9% uptime target
Redundant infrastructure prevents single points of failure
Disaster recovery procedures ensure business continuity

1.3 Commitment to Continuous Improvement

Security is not a one-time effort—it's an ongoing commitment:

Regular security audits and assessments
Continuous monitoring and threat detection
Employee training and security awareness programs
Rapid response to emerging threats
Investment in security infrastructure and tools

2. Security Certifications & Compliance

2.1 Current Certifications

IN PROGRESS

SOC 2 Type II

Service Organization Control 2 audit
Independent verification of security controls
Covers: Security, Availability, Confidentiality
Current Status: Planning phase - audit scheduled for Q2 2026
Expected Completion: Q3 2026
Annual recertification after initial certification

Why This Matters: Many enterprise customers and partners require SOC 2 compliance. We're prioritizing this certification to demonstrate our commitment to security best practices.

ROADMAP

ISO 27001

International information security management standard
Target certification date: 2026
Demonstrates comprehensive security framework

2.2 Compliance Frameworks

Payment Security

PCI-DSS - Payment Card Industry Data Security Standard (via Stripe)
We do NOT store credit card numbers, CVV codes, or full payment card data
Payment processing handled by PCI-DSS Level 1 compliant provider (Stripe)

Data Protection

GDPR - General Data Protection Regulation (EU/EEA)
UK GDPR - UK Data Protection Act 2018
CCPA/CPRA - California Consumer Privacy Act
GLBA - Gramm-Leach-Bliley Act (where applicable)

Security Standards

NIST Cybersecurity Framework - Identify, Protect, Detect, Respond, Recover
OWASP Top 10 - Web application security risks
CIS Controls - Center for Internet Security best practices

3. Data Protection Measures

3.1 Encryption in Transit

All data transmitted between your device and our servers is encrypted:

TLS 1.3 (Transport Layer Security)

Latest, most secure version of TLS
Perfect Forward Secrecy (PFS) - unique encryption keys for each session
Strong cipher suites (AES-256-GCM, ChaCha20-Poly1305)
Certificate pinning in mobile apps (prevents man-in-the-middle attacks)
HSTS (HTTP Strict Transport Security) - forces HTTPS connections

3.2 Encryption at Rest

All stored data is encrypted using industry-standard methods:

AES-256 Encryption

Advanced Encryption Standard with 256-bit keys
Military-grade encryption (NSA approved for TOP SECRET data)
Applied to: Database storage, File storage, Backup archives, Log files

Key Management

Encryption keys stored in Hardware Security Modules (HSMs) where possible
Keys rotated regularly (quarterly or upon security events)
Master keys never stored with encrypted data
Keys managed by cloud provider key management services (Google Cloud KMS, AWS KMS)

3.3 What We DON'T Store

✕Full credit card numbers or CVV codes

✕Bank login credentials (handled by Plaid)

✕Social Security Numbers

✕Sensitive biometric data (stored locally on your device only)

✕Unencrypted passwords (always hashed with bcrypt/Argon2)

4. Infrastructure Security

4.1 Cloud Infrastructure

Hosted on secure, certified cloud platforms:

Primary: Google Cloud Platform (GCP)

ISO 27001, SOC 2 Type II, PCI-DSS certified
Physical security: Biometric access, 24/7 monitoring
Network security: DDoS protection, firewall rules

Secondary: Amazon Web Services (AWS)

ISO 27001, SOC 2 Type II, PCI-DSS certified
AWS Shield (DDoS protection)
AWS WAF (Web Application Firewall)

4.2 Network Security

Firewalls

Cloud-native firewalls with default deny policies and egress filtering

DDoS Protection

Cloud provider DDoS mitigation with traffic rate limiting and automatic scaling

Intrusion Detection

Real-time threat detection with machine learning-based anomaly detection

Virtual Private Cloud

Isolated network environment with private subnets for sensitive systems

Uptime Target: 99.9% (approximately 8.76 hours downtime per year)

5. Application Security

5.1 OWASP Top 10 Protection

Vulnerability	Protection
Injection	Parameterized queries, input validation, ORM frameworks
Broken Authentication	Multi-factor auth, secure session management, rate limiting
Sensitive Data Exposure	Encryption, HTTPS everywhere, no hardcoded secrets
Broken Access Control	Role-based access, principle of least privilege
Security Misconfiguration	Hardened configurations, regular updates
Cross-Site Scripting (XSS)	Input sanitization, Content Security Policy (CSP)

5.2 API Security

Authentication: OAuth 2.0, JWT (JSON Web Tokens)
Authorization: Role-based access control (RBAC)
Rate Limiting: Prevent abuse and DDoS (100 requests/minute per user)
HTTPS Only: No unencrypted API access
CORS: Restrict which domains can call our API

6. Third-Party Security

6.1 Trusted Service Providers

Provider	Purpose	Certifications
Plaid	Bank account linking	SOC 2 Type II, ISO 27001
Stripe	Payment processing	PCI-DSS Level 1, SOC 2 Type II
Firebase	Authentication, notifications	ISO 27001, SOC 2 Type II
Google Cloud	Cloud infrastructure	ISO 27001, SOC 2, PCI-DSS
AWS	Cloud infrastructure (backup)	ISO 27001, SOC 2, PCI-DSS

No Direct Credential Storage

We never store your bank credentials. Bank login credentials are handled exclusively by Plaid (SOC 2 Type II certified). We receive only tokenized access. You can manage Plaid connections at my.plaid.com

7. Secure Development Practices

7.1 Secure Software Development Lifecycle (SDLC)

Planning

Threat modeling
Security requirements
Privacy impact assessments

Development

Secure coding standards
Security-focused code reviews
Static code analysis (SAST)

Testing

Penetration testing
Dynamic security testing (DAST)
Automated security scans

Deployment

Secrets management
Infrastructure as Code scanning
Zero-downtime deployments

7.2 Patch Management

Severity	Patch Timeline
Critical	Within 24 hours
High	Within 7 days
Medium	Within 30 days
Low	Next regular release

8. Access Controls & Authentication

8.1 User Authentication

Password Requirements

Minimum 12 characters (recommended 16+)
Must include: uppercase, lowercase, numbers, special characters
No common passwords (checked against Have I Been Pwned)
Bcrypt or Argon2 hashing (never plain text)

Multi-Factor Authentication (MFA)

Available for all users
Options: SMS, authenticator app (TOTP), email
Required for high-risk actions (payment changes, data exports)

Biometric Authentication (Mobile)

Face ID, Touch ID (iOS)
Fingerprint, Face Unlock (Android)
Biometric data stays on device (never sent to our servers)

8.2 Session Security

Secure, HttpOnly, SameSite=Strict cookies
30-minute inactivity timeout
Forced logout after 24 hours
Session invalidation on password change
Concurrent session limits (maximum 3 active sessions)

9. Monitoring & Threat Detection

9.1 24/7 Security Monitoring

Log Aggregation

All system logs centralized
Retention: 90 days hot, 2 years archive
Real-time analysis and alerting

SIEM

Real-time threat detection
Correlation of events across systems
Automated incident response

9.2 Monitored Events

Failed login attempts (rate limiting after 5 failures)
Privilege escalation attempts
Unusual data access patterns
API abuse (rate limit violations)
Security configuration changes

10. Data Retention & Secure Deletion

Retention Summary

Active account data: While account is active
After deletion request: 30-day grace period
Backups: 90 days maximum
Financial records: 7 years (IRS requirement)
Payment authorizations: 2 years (NACHA requirement)

Secure Deletion Methods

Cryptographic Erasure

Encryption keys destroyed (data becomes unrecoverable)

Data Overwriting

DoD 5220.22-M standard (3-pass overwrite)

Physical Destruction

Decommissioned hard drives shredded or degaussed

See our Delete My Account page for details on requesting account deletion.

11. Incident Response

Incident Response Phases

Preparation

Incident response team identified
Tools and resources ready
Regular training and drills

Detection & Analysis

24/7 monitoring
Automated alerting
Severity assessment

Containment & Recovery

Isolate affected systems
Remove threat access
Restore from clean backups

Post-Incident

Root cause analysis
Lessons learned documentation
Update security controls

Data Breach Notification

GDPR (EU/EEA): 72 hours to supervisory authority
US State laws: 30-60 days (varies by state)
CCPA (California): Without unreasonable delay
Users: Notification via email and in-app alert

12. Disaster Recovery & Business Continuity

Recovery Time Objective (RTO)

4 hours

Maximum downtime in worst-case scenario

Recovery Point Objective (RPO)

1 hour

Maximum data loss in worst-case scenario

3-2-1 Backup Rule

3copies of data (production + 2 backups)
2different storage types (disk + cloud)
1offsite backup (different geographic region)

Geographic Redundancy

Primary: US East (New York/Virginia)
Secondary: US West (California/Oregon)
Tertiary: EU (Ireland/Germany) - for EU users

13. Your Security Responsibilities

Security is a shared responsibility. While we implement robust security measures, you also play a critical role in protecting your account and data.

Account Security Best Practices

Strong Passwords

Use at least 12 characters (16+ recommended)
Use a unique password for Ovr Finance (never reuse)
Use a password manager (1Password, Bitwarden, LastPass)
Never share your password with anyone

Enable Multi-Factor Authentication

Enable MFA immediately (Settings > Security > MFA)
Use authenticator app (more secure than SMS)
Save backup codes in secure location

Recognize Phishing Attempts

Red Flags

✕Urgent language ("Your account will be closed!")
✕Asking for password, MFA codes, or personal information
✕Suspicious sender email (not @ovrfinance.io)
✕Unexpected attachments or links

We will NEVER:

✕Ask for your password via email or text
✕Ask for MFA codes
✕Send unexpected attachments
✕Threaten to close your account via email

14. Vulnerability Disclosure Program

We welcome and encourage security researchers to report vulnerabilities responsibly.

Scope

Website: www.ovrfinance.io and subdomains
Mobile apps: iOS and Android
APIs and backend systems

How to Report

Email: security@ovrfinance.io

Subject Line: "Vulnerability Disclosure - [Brief Description]"

Please include:

Description of the vulnerability
Steps to reproduce (detailed)
Potential impact (severity assessment)
Proof of concept (if applicable)
Your contact information

Bug Bounty Program (Coming 2026)

Severity	Reward
Critical	$500 - $2,000
High	$200 - $500
Medium	$50 - $200
Low	Public acknowledgment

15. Security Audits & Testing

Internal Assessments

Weekly: Automated vulnerability scans
Monthly: Security configuration reviews
Quarterly: Internal penetration testing
Annually: Comprehensive security audit

External Audits

Annual: SOC 2 Type II audit
Annual: External penetration testing
Bi-annual: Code security review

16. Updates to This Statement

We may update this Security Statement to reflect changes in our security practices, new technologies, evolving threats, or legal requirements.

Notification for Material Changes

Updated "Last Updated" date at top of page
Email notification to active users
In-app notification upon next login
30 days' advance notice for significant changes

Next Scheduled Review: April 2026

17. Contact & Report Security Issues

Security Team

Email: security@ovrfinance.io

Include "URGENT" for active incidents

Response Time: 24 hours for urgent issues, 3 business days for general inquiries

General Support

Email: support@ovrfinance.io

Response Time: 2-3 business days

Mailing Address

JRM Creative Ventures LLC
Attn: Security Team
111 Town Square Pl Ste 1238 PMB 877216
Jersey City, NJ 07310-1810
United States

Security Status Page

Real-time service status and security notices: status.ovrfinance.io

Security at a Glance

Encryption

In Transit: TLS 1.3 with Perfect Forward Secrecy
At Rest: AES-256 encryption
Key Management: Hardware Security Modules (HSMs)

Certifications

SOC 2 Type II (In Progress)
ISO 27001 (Roadmap 2026)
PCI-DSS (via Stripe)

Monitoring

24/7 security monitoring
Real-time threat detection
Automated incident response

Compliance

GDPR, CCPA, GLBA
NIST Cybersecurity Framework
OWASP Top 10

Last Updated: December 2025 | Last Security Audit: December 2025

Next Audit: April 2026 | Next Policy Review: April 2026