Compliance

Plaid production attestation

Convexity uses Plaid to connect brokerage accounts. Plaid requires a production attestation — 11 items covering information security, access control, and consumer-facing MFA — before an application can move from sandbox to live. All 11 required attestations have been signed. Each item below links to the implementation or policy that backs the attestation.

Status: Sandbox
Target production: Q3 2026
Last reviewed: 2026-04-17
Plaid attestation: 11 of 11 signed


Met

Patches identified vulnerabilities within a defined SLA

Written vulnerability-management policy defines patching cadence: Critical 72h, High 14d, Medium 30d, Low 90d. Continuous scanning via Dependabot, pip-audit, and unattended-upgrades.

Vulnerability management → Updated 2026-04-17
Met

MFA on internal systems that store or process consumer data

MFA enforced on all operator-facing third-party accounts (domain registrar, DNS, email, GitHub, VPS vendor, cloud console). Covered by the access control policy.

Access control policy → Updated 2026-04-17
Met

Information Security Policy (ISP) created

Published ISP covering scope, information classification, control domains, roles, exceptions, and review cadence.

View ISP → Updated 2026-04-17
Met

Data deletion and retention policy implemented

Soft delete with 30-day recovery window via account settings. GDPR Article 17 hard-delete available on request via legal@convexityos.com. Retention rules defined per data type.

Retention policy → Updated 2026-04-17
Met

Zero trust access architecture implemented

Every request independently authenticated and authorized at middleware. No trusted network perimeter. Short-lived JWT access tokens with refresh rotation and replay detection.

Zero trust architecture → Updated 2026-04-17
Met

Vulnerability scanning performed

Continuous automated scanning via Dependabot (dependency CVEs), pip-audit (Python package advisories), and unattended-upgrades (OS patches).

Scanning details → Updated 2026-04-17
Met

Automated de-provisioning for terminated or transferred employees

The offboarding.py script revokes all tokens, disables MFA, deletes passkeys, disconnects Plaid, and clears passwords. Single-operator today; the policy applies as the team grows.

Access revocation → Updated 2026-04-17
Met

Defined and documented access control policy

Published access control policy. Tier-based RBAC enforced at middleware with a least-privilege default.

View policy → Updated 2026-04-17
Met

Secure tokens and certificates for authentication

JWT access tokens with 15-minute expiry. Rotated refresh tokens with database-backed replay detection. WebAuthn/FIDO2 passkeys. TLS 1.3 with HSTS and preload.

Encryption & auth layers → Updated 2026-04-17
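The refresh-token rotation with database-backed replay detection named under "Zero trust access architecture" and "Secure tokens and certificates" above, as an added example that is not Convexity's code. It assumes a token-family model (every refresh token descends from the login that created it), SHA-256 digests of tokens as the storage key, an in-memory dict standing in for the database table, and a 30-day refresh lifetime; the 15-minute access-token expiry is the value the page states.

```python
"""Refresh-token rotation with replay detection (added example, not Convexity's code).

The store below stands in for a database table. Presenting a refresh token that
has already been rotated is treated as replay: the whole token family is revoked,
so neither the attacker's copy nor the legitimate client's newer token keeps working.
"""
import hashlib
import secrets
import time
from dataclasses import dataclass

ACCESS_TTL = 15 * 60            # 15-minute access tokens (value from the page)
REFRESH_TTL = 30 * 24 * 3600    # assumed 30-day refresh-token lifetime


@dataclass
class RefreshRecord:
    user_id: str
    family_id: str      # assumption: all tokens descended from one login share a family
    expires_at: float
    used: bool = False  # set once the token has been rotated
    revoked: bool = False


class InvalidRefresh(Exception):
    """Unknown, expired or revoked refresh token."""


class ReplayDetected(Exception):
    """An already-rotated refresh token was presented again."""


class TokenStore:
    def __init__(self, now=time.time):
        self.now = now                              # injectable clock for tests
        self.records: dict = {}                     # sha256(token) -> RefreshRecord
        self.revoked_families: set = set()

    @staticmethod
    def _digest(token: str) -> str:
        # Store only a digest so a leaked table does not yield usable tokens.
        return hashlib.sha256(token.encode()).hexdigest()

    def _issue_refresh(self, user_id: str, family_id: str) -> str:
        token = secrets.token_urlsafe(32)
        self.records[self._digest(token)] = RefreshRecord(
            user_id, family_id, self.now() + REFRESH_TTL)
        return token

    def _issue_access(self, user_id: str) -> dict:
        # Claims only; signing as a JWT is left to the application's JWT library.
        return {"sub": user_id, "exp": self.now() + ACCESS_TTL}

    def login(self, user_id: str):
        """Start a new token family; returns (refresh_token, access_claims)."""
        family_id = secrets.token_hex(8)
        return self._issue_refresh(user_id, family_id), self._issue_access(user_id)

    def refresh(self, presented: str):
        """Rotate: mark the presented token used and issue a new pair."""
        rec = self.records.get(self._digest(presented))
        if rec is None or rec.expires_at <= self.now():
            raise InvalidRefresh("unknown or expired refresh token")
        if rec.revoked or rec.family_id in self.revoked_families:
            raise InvalidRefresh("token family revoked")
        if rec.used:
            # Replay: someone holds a copy of a token that was already rotated.
            self.revoke_family(rec.family_id)
            raise ReplayDetected(f"family {rec.family_id} revoked")
        rec.used = True
        return self._issue_refresh(rec.user_id, rec.family_id), self._issue_access(rec.user_id)

    def revoke_family(self, family_id: str) -> None:
        """Invalidate every token descended from one login (also used on logout/offboarding)."""
        self.revoked_families.add(family_id)
        for rec in self.records.values():
            if rec.family_id == family_id:
                rec.revoked = True


if __name__ == "__main__":
    store = TokenStore()
    r1, _ = store.login("user-1")
    r2, _ = store.refresh(r1)          # normal rotation
    try:
        store.refresh(r1)              # old token presented again -> replay
    except ReplayDetected as e:
        print("replay detected:", e)
    try:
        store.refresh(r2)              # legitimate successor is also dead now
    except InvalidRefresh as e:
        print("successor rejected:", e)
```

Revoking the whole family on replay is the design choice worth noting: the server cannot tell which of the two presenters is the attacker, so it forces both to re-authenticate rather than guessing. The same `revoke_family` path is what an offboarding routine would call to cut every session of a departed user.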
Met

Published privacy policy

Public privacy policy covering collection, processing, subprocessors, retention, user rights, GDPR Article 17/20, and CCPA.

View privacy policy → Updated 2026-04-13
Met

MFA on the consumer-facing application where Plaid Link is deployed

Consumer MFA via TOTP authenticator apps and WebAuthn passkeys. Available to every account holder; opt-in rather than enforced by default.

Authentication layers → Updated 2026-04-17

Full security architecture

See every control, subprocessor, and policy behind the attestation.
