Security Policy

Last updated: February 26, 2026

Overview

This Security Policy describes how jachin.dev and its applications — including SoloLith, ScaleForge, and ReefLynk — protect user data and the infrastructure that stores and processes it. This document is intended for users, auditors, and integration partners (including Plaid) who require transparency into our security practices.

Questions or concerns may be directed to the security contact below.


Security Contact

Michael Taylor — Owner & Developer
Email: jachin_dev@jachin.dev


Infrastructure Security

Hosting and Deployment

All production applications are deployed on Vercel, a SOC 2-compliant cloud platform. Vercel manages the underlying server infrastructure, physical security, and platform-level vulnerability patching. There are no self-managed server instances.

Database

User data is stored in Neon, a serverless PostgreSQL platform hosted on AWS in the United States (us-east-2). Neon provides:

  • Encryption at rest — all data is encrypted at rest using AES-256
  • Encryption in transit — all connections use TLS 1.3
  • Automatic backups — point-in-time recovery is available

Encryption in Transit

All traffic between clients and our servers is encrypted using TLS 1.2 or higher, enforced by Vercel's edge network. Plain HTTP connections are automatically redirected to HTTPS.


Access Controls

Infrastructure Access

Access to production infrastructure (Vercel, Neon, GitHub) is restricted to the sole developer/owner of jachin.dev. All platform accounts are protected with multi-factor authentication (MFA). No employees or contractors have access to production systems.

Application Access

SoloLith uses session-based authentication with JWT tokens. All API routes are protected by server-side session validation. User data is scoped by userId on every database query — no user can access another user's data.

Plaid access tokens are stored in the database and are never exposed to the client. They are used exclusively server-side to call the Plaid API on behalf of the authenticated user.

Role-Based Access

SoloLith implements role-based access control (RBAC) with two roles:

  • User — access to their own data only
  • Admin — reserved for the developer account; no additional data access beyond standard user scope

Data Security

Financial Data (Plaid)

Bank connection credentials are never stored by SoloLith. The Plaid Link flow transmits credentials directly to Plaid's servers. SoloLith only stores the opaque access token Plaid returns, which is used exclusively to fetch transaction data on the user's behalf.

Transaction data stored in SoloLith is:

  • Scoped exclusively to the authenticated user
  • Encrypted at rest in Neon
  • Never shared with or sold to third parties
  • Deleted immediately upon account deletion or bank disconnection

Password Storage

User passwords are hashed using bcrypt with a minimum cost factor of 12. Plaintext passwords are never stored or logged.

API Tokens

SoloLith CLI API tokens are generated using crypto.randomBytes(32) and stored as hashed values. Tokens are scoped to the individual user account.


Vulnerability Management

Production servers are fully managed by Vercel and Neon, both of which maintain their own vulnerability management and patching programs. Application dependencies are monitored using npm audit. The developer regularly applies dependency updates to address known CVEs.


Incident Response

In the event of a confirmed data breach or security incident affecting user data:

  1. The affected systems will be isolated and secured immediately
  2. Affected users will be notified by email within 72 hours of discovery
  3. Plaid will be notified promptly per our integration agreement
  4. A post-incident report will be published at jachin.dev/security describing the nature of the incident and remediation steps taken

To report a security vulnerability, contact jachin_dev@jachin.dev.


Privacy

Our full Privacy Policy, including data retention and deletion procedures, is available at jachin.dev/privacy.


Changes to This Policy

We may update this Security Policy as our practices evolve. The "Last updated" date at the top of this page reflects the most recent revision. Significant changes will be communicated via the application or email.